The open door: Cybersecurity risks in football stadiums

Home 禄 Insights 禄 The open door: Cybersecurity risks in football stadiums

Football stadiums are complex ecosystems of interconnected systems spanning operational technology (OT), energy management, ticketing and fan experiences reliant on a delicate balance of hardware, software and human oversight. Yet, much like leaving the front door of a house ajar, a single oversight in cybersecurity can expose these massive infrastructures to significant risks. Among the most pressing threats are those tied to OT systems, particularly when compounded by poorly managed software updates and vulnerabilities in supply chain management. A hypothetical breach in a stadium鈥檚 programmable logic controller (PLC) managing energy systems offers a stark illustration of how these elements can converge into a perfect storm underscoring the need to embed cybersecurity across the stadium鈥檚 enterprise and highlighting a glaring gap: the lack of regulatory control.

The vulnerable heart of stadium operations

At the core of a modern football stadium lies its operational technology systems like PLCs that control critical functions such as lighting, HVAC, scoreboard displays and energy distribution. Unlike traditional ICT systems, OT is designed for reliability and longevity, often running on legacy hardware with limited security features. This makes it a prime target for cybercriminals seeking to disrupt operations or extort operators. Imagine a Saturday night match: 70,000 fans packed into the stands, the atmosphere electric with anticipation. Suddenly, the lights flicker and die, the scoreboards go dark, and the ventilation systems grind to a halt all because a PLC managing energy systems has been compromised. This scenario isn鈥檛 far-fetched. It鈥檚 a reminder that in the rush to embrace smart technology, basic cybersecurity hygiene can sometimes be left wide open.

In February 2025, Wembley Stadium experienced a blackout during a game. While the exact cause of the issue remains unconfirmed, the sudden loss of power led to a temporary halt in the match. The stadium’s lights went out, plunging the field and stands into darkness, much to the surprise and frustration of players and fans alike. Efforts to restore power were swift, but the incident raised questions about the reliability of the stadium’s electrical systems and prompted an investigation to prevent future occurrences.

The threat of a poorly managed software update

Consider a plausible entry point: a software update for the stadium鈥檚 energy management PLC. These updates are routine and intended to patch vulnerabilities or improve functionality. But what happens when the process is poorly managed? In 2021, the Kaseya ransomware attack demonstrated how a compromised software update from a trusted vendor unleashed chaos across hundreds of organisations. In our stadium scenario, a similar lapse could occur. Perhaps the update isn鈥檛 properly vetted, or the vendor鈥檚 supply chain is infiltrated, embedding malicious code. Once installed, this code could give attackers remote access to the PLC, allowing them to manipulate energy systems at will cutting power during a critical play, overheating the stands, or triggering cascading failures across the grid.

The threat isn鈥檛 hypothetical. In 2015, Ukraine鈥檚 power grid was hacked, with attackers leveraging compromised credentials and malware to disrupt electricity for thousands. Stadiums, with their high visibility and dense crowds, are even juicier targets. A successful attack could sow panic, endanger lives and tarnish the venue鈥檚 reputation not to mention the financial fallout from lawsuits and lost revenue.

Supply chain weakness

Compounding the risk is poor supply chain management. Stadium operators often rely on third-party vendors for hardware, software and maintenance. Each link in this chain from the PLC manufacturer to the software developer to the update distributor represents a potential point of failure. A 2020 report by the Cybersecurity and Infrastructure Security Agency highlighted how supply chain attacks have surged, with adversaries targeting less-secure vendors to infiltrate larger systems. If a stadium鈥檚 energy management PLC comes from a supplier with lax security practices, or if the update process lacks rigorous authentication, the 鈥渇ront door鈥� isn鈥檛 just open it鈥檚 non-existent.

Why cybersecurity must be embedded across the enterprise

The stakes demand more than patchwork fixes. Cybersecurity must be woven into the fabric of the stadium鈥檚 enterprise from the boardroom to the pitch. This starts with a governance framework, establishing clear policies, roles and accountability for security across all departments. Without this top-down commitment, efforts remain siloed, leaving gaps for attackers to exploit. Continuous risk management is equally critical stadiums aren鈥檛 static; they evolve with new technologies, vendors and threats. Regular threat assessments identify vulnerabilities before they鈥檙e exploited, whether in OT systems or fan-facing apps.

Supply chain risk management is non-negotiable. Operators must map their vendor ecosystem, assess each partner鈥檚 security posture and enforce strict standards think contractual mandates for timely patching or third-party audits. Education ties it all together. Staff, from technicians to executives, need ongoing training to spot phishing attempts, verify updates, or escalate anomalies. A culture of vigilance turns human error from a liability into a first line of defence.

The regulatory blind spot

Yet, for all these proactive measures, a critical weakness persists there鈥檚 no regulatory control over stadium cybersecurity. Unlike Critical National Infrastructure (CNI) sectors such as energy or transport stadiums operate in a regulatory grey zone, despite their potential to impact tens of thousands of people. A cyberattack on a packed venue could rival the disruption of a power plant or airport, triggering mass panic, physical harm, or economic damage. This lack of oversight is a glaring gap. Stadiums should align with frameworks like the Network and Information Systems (NIS) Directive, which mandate security standards and incident reporting for essential services in the UK. Even a tailored version of CNI guidelines adapted for large-scale public venues would force operators to prioritise cybersecurity, much as they do fire safety or structural integrity. Without this, the onus falls entirely on private entities, many of whom may lack the resources or incentive to act until it鈥檚 too late.

The consequences of an open door

A compromised PLC doesn鈥檛 just disrupt a match; it could create a domino effect. Power outages could disable security cameras, leaving gaps for physical intrusions. Emergency systems like fire alarms or exits might fail, amplifying risks in a panicked crowd. Financially, the damage could run into millions of lost ticket sales, refunds and repairs while the intangible cost of eroded trust could take years to rebuild. In an era of nation-state hackers and ransomware gangs, the motives could range from profit to geopolitical posturing, with a high-profile stadium attack serving as a loud statement.

Mitigation strategies

So how does a stadium shore up its defences?

Embed cybersecurity holistically: audit and segment critical systems, ensuring a breach in one area like a ticketing server can鈥檛 spill into energy management.
Tighten supply chain oversight: vet vendors, demand transparency, and verify updates with cryptographic signatures.
Conduct continuous risk management through TTX (Table-Top) exercises to simulate attacks and expose weak spots.
Implement a governance framework to align security with business goals and invest in education to empower staff.
Advocate for regulatory alignment with CNI or NIS mandates to ensure accountability industry wide.

Football stadiums are temples of modern spectacle, but their reliance on interconnected OT systems makes them vulnerable to cyber threats. A poorly managed software update on a PLC, exacerbated by sloppy supply chain practices, could turn a match day into a nightmare. Embedding cybersecurity across the enterprise through governance, continuous risk management, threat assessments, supply chain diligence and education isn鈥檛 optional; it鈥檚 essential. Yet without regulatory muscle akin to CNI or NIS, the industry risks leaving its doors wide open. The next big play might not come from the pitch but from a hacker exploiting an unguarded gap.

In technology and sport, the lesson is the same: secure the foundation or risk the collapse.

Written by

Stef Garczynski

Date published

8/04/25

海角视频

Advisory

Sustainability and energy transition

Digital advisory

ESG advisory

Security and risk advisory

Strategy and operating model design

Asset optimisation and commercial advisory

Urban and regional development

Programme advisory

Climate change adaptation and resilience

Energy consulting

Net zero carbon buildings

Building retrofit

Sustainability

Bridge engineering and civil structures

Digital twins

Economics

Environmental input to masterplans

Infrastructure

Stranded assets

Strategic planning

Resilient infrastructure, built assets and natural environments

Transport and mobility

Water

Waste management consulting

Urban analytics

Building services engineering (MEP)

Facade engineering

Fire engineering

Ground engineering

Coastal engineering

Structural engineering

Tall buildings

Tensile structures

Timber engineering

Acoustic consultancy

Asset consultancy

Fire engineering

Health, wellbeing and productivity

Heritage buildings

Inclusive environments

Information and communication technology (ICT)

Laboratory consultancy

Lighting design

Security and public safety consulting

Social impact consulting

Vertical transportation

Analytics

Audio visual consulting

Building information management (BIM)

Building management systems

Building performance diagnostics

Computational engineering as a service

Digital twins

Information and communication technology (ICT)

Information management

Smart building consultancy

Strategic digital real estate consulting

Visualisation