Digital Factory: What are you interested in? clear ? What is the scope of your duties during the Paris Olympics?
Benoit Delpierre: I am the CTO of Eviden Cyber France, the Atos department which combines cybersecurity and cyber services activities, even if we have parallel product development activities. I take care of the cyber services part. During the Olympic Games, I was responsible for the Eviden operational teams within the Security Operations Center (SOC) for Paris 2024. We were in the “Le Pulse” building in Saint-Denis, where the Technology Operations Center (TOC) was located, which brings together all IT and business activities that enable the delivery of… Tests. Any initiation or configuration of an event or analysis had to pass through us to manage cyber activities between different people.
When did Atos cooperate with the Olympic Games?
Atos has been a sponsor of the Olympic Games for about 35 years. We, at Eviden, were, for the first time, sponsors of cybersecurity. This is the first time we find ourselves in this situation where we have to manage the entire cybersecurity for the Olympic Games, because in Tokyo, there were different suppliers.
How can we secure such an event in advance? What tests were performed?
When I arrived three years ago at Paris 2024, at the Organizing Committee of the Olympic and Paralympic Games (COJOP), the cybersecurity team was made up of three people. We defined the strategy together, and chose which cybersecurity solutions to implement, before integrating them. After integrating them, we entered into an operating model. Because the operations on the cybersecurity side were not only about protecting the Games period, but they were also about protecting the Paris 2024 organization, which is a company in itself that has different systems of operation.
Then we did some tests. This is the most important stage from a cyber point of view. There are different types of tests. We tested the Paris 2024 apps with bug bounty programs, managed programs. It is important that we have managed bug bounty programs as this allows us to foster a community of carefully selected, highly effective “ethical hackers” who provide the correct information. At the same time, we conducted penetration tests on the applications. The strategy is not to put applications into a bug bounty program without performing penetration tests before, which runs the risk of having too many vulnerabilities to manage.
For more than a year, up until the day before the Games, we held training exercises with Red Team teams and external providers to test our technologies. These teams were there to test if there was a fault, or a potential entry at a certain location, on the exposed surface. They have issued audit reports so we can take the identified vulnerabilities into account.
For the last test, there were two stages, organized by the technology teams at Paris 2024, and we were in the Olympic Games Center with members of the operational teams, as if it were the Games. People came to act out scenarios, whether imaginary or real. The goal was to put yourself in a situation under pressure. We tested humans, their experience and reaction under pressure, to see if we were applying the procedures correctly and if there were things to improve. In the second phase, which was implemented in May, 1,800 scenarios were tested.
Can you give an example of a scenario?
Anyone can come in the morning and say: “You have 95% of your information system coded with ransomware software.” We then try to piece together our full response to see how we should deal with it. After half an hour, the person can return with a new scenario. Half an hour later, there might be a computer theft, a phishing email received, etc. This continues for eight hours, for an entire week.
Before the Games, what types of attacks were you most afraid of? What was the situation like during the event?
There are always the classic denial of service attacks (DDOS), because these are simple attacks for ordinary people, regardless of their cyber credentials. It is a technique widely used for mature people, as it increases the complexity of attacks. Big players can get hit even though they are protected. This type of attack also allows reconnaissance. We have encountered instances of DDOS at various times, with an increase in such attacks during the opening ceremony. Anti-DDOS technologies played their role: we were able to contain them, were unaffected, and did not create too much noise for our teams.
And then, there are always the classic phishing attacks. Paris 2024 has made a significant effort to train and raise awareness of phishing campaigns among its teams. There’s also the whole counterfeit ticket scam. Our threat teams searched for emerging ticketing sites using keywords.
Finally, we were very satisfied clouds with SaaS spaces, are very application oriented. If there’s one thing to pay attention to, it’s identities. We’ve done a lot of work on protecting identity. If our threat teams find a leak of potential accounts on the deep or dark web, and link this to our partners or our domain, we immediately consider what actions we should take on the accounts.
Have you noticed any incidents other than these attacks?
We saw everything we expected happen. There were also missing workstations. We sensed things were happening, when a Paris municipal employee had his bag stolen on the train. In the end, it had nothing to do with our environment. But we realized it could have an impact. We expected it, and it happened to us, even if sometimes with false positives. We had a synchronized workflow that allowed us to respond to stolen desktops, because that remains a significant source of threats. Regarding phishing campaigns, we noticed an increase during the gaming period, especially in the detection of malicious payloads on various exchanges.
Can you explain to us how incidents and attempted attacks were counted during the games? Many different numbers have come up…
At the end of last July, Gabriel Attal announced that 68 electronic attacks had been discovered and thwarted. Next, ANSSI announced that more than 140 proven cybersecurity events had been reported. What you have to see is that we all had an ocean. When the Grand Palace’s IT systems were attacked, this falls within this type of number, but it is not the IT system that was used to deliver the gaming events, so it is not within our scope.
As for your domain, do you have a number to give us?
During the Tokyo Olympics, 4 billion events were detected. These are actually events, not accidents. Behind the events there are records, 4 billion records obtained from their technology. During the Games, we had over $50 billion. But we must put this in relationship with the number of IT and cyber technologies integrated. If we have 50 applications with 50 types of DDOS, there will be many more events than two applications with two DDOS solutions.
Then, according to ITSM (IT Service Management Solution, editor’s note), we received 850 incident tickets during the Games period, on which we had to perform analytics. Accordingly, there are measures to be taken regarding 850 suspicions. In the end, we had no electronic operational impact on the games.
Among these 850 tickets, there are low, medium and high importance levels. Common sense would say: “What I care about is the highs.” However, from experience, what we have observed with cyber and threat intelligence, is that attacks arrive via a weak signal. This happens through something quite classic, the kind of event that happens 10 times a day. Then in the middle of these 10 times, the attacker can succeed in getting in. Therefore, we set out to perform the same type of analyses at the high level of importance, as at the intermediate level, as at the low level, and especially at the low level.
At the next Games, Atos will no longer be responsible for IT and will be replaced by Deloitte. Do you have plans to provide security for other large events?
Atos remains an IT partner of the European Football Association. Now that we will no longer organize the Olympic Games, it is difficult to do the same given that it is the number one sporting event in the world. However, there is a double deadline for us. We want to leave a legacy for the cyber community in France. Therefore we are working to obtain feedback regarding technology, collaboration methods and experience. There is also what we want to leave for our future colleagues in Los Angeles 2028. We do not have the spirit of saying that we work for this or that company, the goal is to leave something for future versions.