The gaming industry has seen a rapid growth over the past five years, starting with the expansion of sports betting in the state of New Jersey and online and mobile gaming options also becoming available in other states. A few states have also launched iGaming along with sports betting.
The introduction to new gaming technology requires operators to complete various forms of security testing. Security testing is crucial to ensuring the integrity and security of gaming systems. It is a process of evaluating the security of a system or application by identifying vulnerabilities, assessing the risks, and testing the system’s response to potential attacks.
What are the common security tests performed in the gaming industry?
Penetration Testing: This involves simulating real-world attacks on the system to identify vulnerabilities and assess the system’s ability to detect and respond to those attacks.
Vulnerability Scanning: This involves the use of automated tools to identify potential vulnerabilities in the system, such as weaknesses in the software or configuration errors.
Compliance Testing: This involves testing the system to ensure that it complies with relevant laws, regulations, and industry standards, such as the GLI-33 or GLI-19 standards for electronic gaming devices.
Operational Testing: This involves testing the system in a live environment, simulating real-world scenarios, such as heavy traffic, to ensure that the system can handle the load and maintain its security.
Risk Assessment: This involves evaluating the potential risks to the system and identifying countermeasures to mitigate those risks.
Many gaming regulations enforce security testing; however, they are not uniform on the requirements and tests needed and not all states require it. For example, Mississippi does not require security testing for sports wagering; in West Virginia the security requirements only apply for sports betting and iGaming, not land-based casinos; and in Colorado only technical security testing is specified—no compliance assessment to evaluate operational and managerial security controls are needed.
These are just a few of the differences; almost every state takes a slightly different approach. Testing details also vary state by state, in some cases simply stating that a “security and integrity assessment” needs to be performed, whereas others provide specific requirements (e.g., penetration testing, firewall rule review, GLI-33B).
Because there are various security testing requirements across different jurisdictions, it can be challenging for gaming operators to keep up with the latest standards and best practices, while demonstrating compliance in a cost-effective manner—while simultaneously providing regulators with test results needed to ensure that the integrity of gaming is intact.
What is Working Well in Security Testing for the Gaming Sector: Standard Testing Frameworks
One of the key success factors is the use of industry-standard testing frameworks such as the GLI standards (GLI 19B, 27 currently being updated, and 33B), Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
These frameworks provide a comprehensive set of guidelines and best practices for protecting sensitive customer data and ensuring the integrity of gaming systems. Gaming operators that adhere to these standards and undergo regular security assessments have been able to effectively identify and remediate vulnerabilities in their systems.
Penetration Testing and Vulnerability Scanning
These techniques allow gaming operators to simulate real-world attacks and identify vulnerabilities in their systems before attackers can exploit them. Our testing experts at Bulletproof can identify vulnerabilities that could pose risks to both the operators and their players. The results of these tests allow the vulnerabilities to be fixed prior to exploitation.
While I am not a fan of compliance just for the sake of compliance, there is no argument that having these requirements forces operators and suppliers to perform basic security assessments. While a certain number of operators would perform these even if they were not obligated, there is a decent percentage that would not.
Having security testing in the regulations at least ensures these independent security assessments are performed regularly. However, as I always like to say, “compliance does not equal security, but if you are secure, you will be compliant.” Too often, organizations approach compliance-oriented security assessments as a check-box approach, rather than making sure they are really taking steps to increase their security posture.
What is Not Working Well in Security Testing for the Gaming Sector: Moving Targets
One of the biggest challenges is keeping up with the ever-changing threat landscape. New vulnerabilities and attack methods are constantly emerging, and it can be difficult for gaming operators to stay up to date with the latest threats and vulnerabilities. This has led to a lack of preparedness in some cases, with breaches occurring.
Also, just because a gaming operator conducts a security assessment does not indicate that they are immune from attacks. In some cases, the current requirements do not include tests/reviews that would identify risks in emerging attacks. Recent reports of operators such as DraftKings and BetMGM experiencing data breaches or takeover attacks have made headlines. In every case, the operators were up to date with the required security tests.
Third-Party Vendor Management
Many gaming operators rely on third-party vendors for a variety of services, such as payment processing and customer data storage. However, not all vendors have the same level of security in place, and this can create vulnerabilities in the gaming operator’s systems. It’s essential for gaming operators to conduct thorough security assessments of their third-party vendors and ensure that they have adequate security measures.
Lack of Standardization Across Jurisdictions
Different countries and states have different security testing requirements, and it can be difficult for gaming operators to keep up with the various regulations and standards. This lack of standardization can lead to confusion and inconsistencies in security testing, making it harder for operators to ensure the safety and integrity of their systems.
What Can Be Done?
While all of these above areas are important, I believe the most pressing issue facing the industry related to security testing is the lack of standardization and the state-by-state approach. Not to say that the security testing requirements do not need to be updated to assess current risks facing the industry; they do, and that is something GLI and Bulletproof are working on with our update to GLI-27, the standard on network security. We hope this will be a modular and practical approach covering all aspects of security testing in the gaming sector from online to land-based, cloud, lottery, cashless, and many more.
Same with third-party vendor management, another critical area and extremely important in gaming with the reliance of multiple vendors to bring systems to market. We have to look no further than the Target breach where the entry point was a vendor that Target used. We have also seen similar breaches in the gaming sector where the initial weakness that allowed the attacker to obtain a foothold was in a third party’s system.
However, if we do not address the larger issues of lack of standardization and consistency, we will still face the same challenges. This is a significant hurdle to overcome as I do not see an approach where these requirements are centralized at the federal level as they are for, say, the SEC or FTC. State regulators must work together to solve this problem with input from gaming operators and independent testing labs.
We are starting to make progress, although slowly. Last year, Dan Hartman, director of the Colorado Division of Gaming, organized a security and integrity working group to discuss these challenges and possible solutions. The goal was to agree on standard terminology, approach, requirements, and reporting. Progress has been made, and it’s a step toward the right direction; however, there’s still room for improvement and opportunity.
Counting on Continuous Compliance
The answer is in continuous compliance. Rather than static annual assessments, the goal should be to always be compliant and meet security controls. We saw last year the Pennsylvania Gaming Control Board (PGCB) under Paul Resch update their security testing rules to require not only annual assessments for iGaming and sports betting, but to also mandate quarterly vulnerability scans conducted by the operators and suppliers and require remediation plans to be submitted to the PGCB so the regulator is more informed and updated on current security risks.
One of the first states that pops into our mind when we think gambling is Nevada. For the longest time, Nevada did not have any specific requirement around security testing. We saw that change late last year when the Nevada Gaming Commission updated its security requirements. The new regulation requires covered entities to perform an initial risk assessment and determine what best practices are necessary to mitigate the risk of a cyberattack.
It states, “At least annually, have its internal auditor or other independent entity with expertise in the field of cybersecurity perform and document observations, examinations and inquiries of employees to verify the covered entity is following the cybersecurity best practices and procedures.” This applies to all gaming operators, not just online but also land-based. Again, progress is happening, just slowly and not consistently.
I do not have all the answers. However, I do believe the current process is not scalable and sustainable as gaming continues to expand. Operators such as BetMGM, Caesars Digital and FanDuel that are in every legal jurisdiction should not have to report separately state by state, and on different time frames, when the majority of their security controls are similar. This is where the concept of continuous compliance comes into play.
With continuous compliance, gaming operators could proactively identify and address security issues in their systems, rather than waiting for a regulatory audit or incident to occur. This approach allows gaming operators to maintain a state of ongoing compliance with relevant regulations and standards, and to address security issues as they arise.
Bulletproof is currently developing a framework that would allow operators to track and show compliance with these security requirements more easily. Obviously, this would be smoother if the regulations were standardized. However, even if we cannot get to that point yet, GLI and Bulletproof are committed to designing solutions that allow us to meet the requirements that the regulations specify and, at the same time, have less friction for operators so they can focus on their core business.
In conclusion, security testing in the gaming sector is a critical component of ensuring the safety and integrity of gaming systems and the protection of sensitive customer data. While there are several areas that are working well, such as the use of industry-standard testing frameworks, penetration testing, and the requirement to have the basic level of testing performed, there are also several challenges that need to be addressed, such as keeping up with the ever-changing threat landscape, managing third-party vendors, and standardizing security testing requirements across different jurisdictions.
Gaming operators must stay vigilant and adapt their security testing strategies to address these challenges and ensure the safety of their customers’ data. The same applies to regulators and independent testing labs.