Major sports venues may be as vulnerable to cyber attacks as targets such as financial institutions and power plants.

Cybersecurity experts at the U.S. Department of Energy’s (DOE) Argonne National Laboratory are launching an online survey as an assessment tool for team and stadium owners to find and fix cyber vulnerabilities.

Lincoln Financial Field. Source: Brookings Institution

The survey also is intended to help owners obtain credentials for the Department of Homeland Security’s Safety Act program. Stadiums that complete the program can avoid legal liability if an incident occurs.

“Hackers no longer use cyberattacks to cause cyber damage,” said Nate Evans, a cybersecurity expert at Argonne. Instead, “they are using these attacks to cause physical damage or put people in locations to maximize physical damage.”

The Argonne researchers advise professional sports leagues, including the National Football League, Major League Baseball, National Basketball Association, Major League Soccer, National Collegiate Athletic Association and others on cyber issues.

Vulnerable systems?

In many stadiums, fire alarms and ventilation systems are connected digitally, giving operators more control. While this setup is convenient, it also puts fans at risk if criminals hack into the system and potentially lure crowds to danger.

Argonne’s survey asks about a stadium’s physical security: Who can access certain areas? How are security forces and staff trained? What are the emergency response plans?

Evans said that sports teams and stadium owners can counter cyber threats in several ways.

The first step is to physically isolate the controls for each system, including power, lighting, fire safety, ventilation, plumbing, security and surveillance. Evans said that simply relying on separate digital accounts that share the same servers is a mistake.

Second, operators need to know which systems are dependent on others. Fire alarms, for example, depend on electricity, but does that power, in turn, depend on other infrastructure that is also vulnerable to disruption?

In addition, team and stadium owners should talk directly with all third-party vendors — information technology, concessions, security and so on — that typically help run stadiums. The idea is to have a clear chain of command and communications channels established in case of an attack that requires a fast response.

The survey is expected to be available to owners of sports stadiums and concert arenas in the near future.