Securing the casino floor from cybersecurity threats

securitymagazine.com
 

Cyber Tactics

Advances in technology and the digitalization of casino games should have casino operators looking at slot machines and table games as tech assets managed by the information technology (IT) team, rather than appliances on the casino floor. The upgraded technology and innovations have also required an evolution of the role of security teams within the casino-entertainment industry. The result of including this “new” IT infrastructure is a heightened need for increased cybersecurity within gaming.

Cybersecurity Ventures predicts cybercrime costs to reach $10.5 trillion annually by 2025. At Light & Wonder, a cross-platform gaming and gambling company, we have started to strengthen the relationships with our partner casinos to assist in the transformation of casino security.

The historical lack of understanding and communication between casino operators, IT teams and regulatory boards increases the risk of casinos falling victim to a cyberattack, which would result in property closures, loss of revenue and damaged credibility in an industry where dollars and cents are paramount. In recent years, my position has uniquely evolved to that of a liaison between all stakeholder parties, including the aforementioned casino operators, IT teams and regulatory boards. The important involvement of information security has extended to players and customers as we determine ways to keep casinos safe from problems such as hacks, breaches and ransomware.

Gone are the days of inserting a coin, pulling a lever and watching the mechanical wheels of a slot machine spin. Most modern-day slot machines and table games are operated by PCs, meaning that regular maintenance of a slot machine should be under the purview of information technology professionals. At many casinos, bridging the communication gap between casino operations and IT is critical to sound and safe operations.

Without a clear path and practices for communicating, much of the gaming industry is dependent on out-of-date technology, which can make games — and entire casino floors — more susceptible to cyberattacks. In my industry experience, the technology on casino floors gets patched perhaps once a year, if at all. The need for more frequent fixing, updating and improving is crucial. If an operator is not regularly applying patches and experiences an attack on its system, the entire casino floor could risk shutting down as a result of malware or ransomware.

Regular patches, while needed, create an additional set of complex challenges. For example, every time technology gets patched, it may have to be approved by government regulators, and in a highly regulated industry, this is no easy feat. If casinos were to apply a patch every month to every one of their slot machines or other casino floor devices, the process would become expensive and time-consuming. As chief information security officers, we aim to navigate this huge challenge of ensuring operator safety while meeting or exceeding the expectations of government regulators.

By keeping the lines of communication open between the casino operators, IT and the various regulatory bodies, we can demonstrate the significance of detaching underlying operating systems (such as Windows or Linux) from the game code, the software that produces the graphics, logic and math that you see on the casino floor. With game code generally unaffected by regular operating system patches, it is the responsibility of the gaming industry to educate regulators that regular updates of operating systems are vital to the health of the gaming industry in mitigating ransomware and malware. Writing better and stronger code will also strengthen the security of operating systems.

It is to the benefit of both regulators and casino floor operators to want to further increase security measures to uphold the reputation and credibility of the gaming industry. Without this in the U.S., if ransomware were to take over a casino floor, that operator may be prevented from paying the ransom if the money was going to a prohibited place or organization. The U.S. federal government has also proposed legislation making it illegal to pay a ransom under any circumstances. The problem is that ransomware can and will swiftly spread across a vulnerable environment such as a casino floor. It may then be extremely hard to recover and eradicate the infection. Even if a ransom is paid, we have seen that there is no guarantee of “honor among thieves”; sometimes the victim is left severely compromised, and they’re out the sum they paid.

As casino cybersecurity leaders, it is our responsibility to protect our internal systems and those of our customers. As we continue to move toward a digital gaming landscape, it is imperative to improve communication and cooperation on cybersecurity matters between operators, suppliers and regulators to ultimately benefit the safety and security of players.

Guest columnist Kevin Kealy is Chief Information Security Officer (CISO) at Light & Wonder, a cross-platform gaming and gambling company headquartered in Las Vegas, Nevada.