Texas Tribal Casinos Taught Ways To Protect Themselves From A Cyberattack

Written By TJ McBride on September 22, 2023
Photo of a cyberattack on a computer for story on casino security.

Word of the cyberattack on casinos in Las Vegas have swept through the nation. It’s prompted other casinos – including Texas tribal casinos – to re-evaluate their defenses.

The National Indian Gaming Commission recently sent out a tech alert to tribal casinos outlining ways to protect themselves from hackers. That came in tandem with security experts providing their insights at a recent tribal technology conference.

There is a clear focus on improved security for tribal casinos in light of the struggles of MGM and Caesars after hackers gained control of their systems.

Casino companies were target of hackers

Texas has no commercial casinos and there are no Texas online casinos. There are three tribal-run casinos in the state, but just one, Kickapoo Lucky Eagle, offers more than just slots-like bingo games.

Both MGM Resorts and Caesars Entertainment were exposed to a cyberattack in the last few months that affected different aspects of their operations.

MGM was stopped in its tracks for 10 days due to a complete computer shutdown as a countermeasure against a cyberattack. The shutdown affected hotel reservations, credit card processing, dining, pools and spas, entertainment options, and other necessary functions to operate its casinos.

According to the Associated Press, the shutdown could cost the company up to $80 million.

Caesars also said it was the target of a cyberattack, but its casino functions were not altered. Regrettably, Caesars could not confirm if the personal information of its guests and players was protected. Caesars reportedly paid $15 million to hackers to regain full control of its computer system.

The cyberattack on two of the biggest casino companies showed there are still flaws that can be exploited. Because of that, all casinos, including tribal casinos in Texas, are looking into ways to better protect their operations.

NIGC encourages tribal casinos to employ a ‘castle approach’

The tech alert sent to tribal casinos in Texas and beyond focused on what is called Defense in Depth. It is also known as a “castle approach” to defense from cyberattacks. What it means is developing a multi-layered defensive scheme full of redundancies.

The alert focused on three “critical control layers.”

  • Physical controls
  • Technical controls
  • Administrative controls

Physical controls are defenses such as CCTV cameras, reinforced fences and security guards.

Technical controls are software and hardware used to protect players’ personal information and the company’s information. Technical controls are more about the data than the system itself. This includes antivirus software, hardware firewalls, encryptions of servers, authentication controls and more.

Administrative controls are security policy and procedures in place. This layer of defense includes data handling procedures, digital codes of conduct, confidentiality policies, and other security requirements set by administrators.

While bolstering security around those three main pillars is a big help, it is not an automatic fix. As the world becomes more reliant on technology, there will be problems that arise with it. This Defense in Depth approach is billed as a starting point as opposed to an endpoint.

Cyber experts encourage Texas tribal casinos to add AI tools

Cyber experts spoke at a tribal technology conference about the benefits of adding in artificial intelligence defense systems to combat AI-powered cyberattacks.

Scott Melnick leads security researching and development for Bulletproof, a security company owned by GLI. He is known as a white-hat hacker. which is a hacker who uses their skills to help protect companies by showing them the weak points in their defenses.

Melnick spoke on how AI could have been used to limit the damage done by the cyberattack on Caesars and MGM.

“This could be a social-engineering attack with somebody calling up tech support and getting a password reset. One of the things we do (in hacking scenarios) is research the person. I can go on the social media of someone in tech support at MGM and call and wait to get that person who I collected data about on Facebook, including everyone they work with. I call tech support (and act like I know them and cite personal information). I say I can’t get in the system and my password is locked off. It’s a plausible story. I can use AI to find the database and social engineer the person like we’ve known each other forever. The defense against that is to verify, verify, verify – no matter who it is.”

Steve Boesel, a customer engineer for Google Cloud, agreed, expanding on how detection AI could feel futuristic but is needed now.

“It’s going to be harder and harder to validate who somebody is based on what you’re just seeing with your eyes and ears. You’re going to have to rely on technology, looking for the small mistakes. That’s something we’re focused on very deeply at Google – detecting very minor fluctuations in voice and manipulation of that and video. That’s a futuristic problem, but it’s not all that far off.”

According to Melnick, smaller casinos have an advantage in keeping themselves safe because there are simply less holes to exploit in smaller establishments. This rings true for tribal casinos in Texas. While being smaller is safer, precautions still need to be taken to keep systems safe.

“A lot of smaller organizations have an advantage. You’re not dealing with 500 people on tech support that you have to worry about. I’ve worked with a lot of tribes for a long time and I understand budget concerns. But you have to think about it like insurance. Everyone I’ve worked with in tribal nations on ransomware has ended up paying 10 more times than it would have to train and test their people. Cybersecurity spending is a hard pill to swallow because you can’t say this is how many attacks we avoided. It’s hard to prove a negative. It’s like a vaccine. The idea is to keep doing it every year for that year’s flu strain and test your employees over and over again.”

Even as technology advances and more methods of springing cyberattacks become available, the best process is consistency, according to Manjit Singh, CEO of DruvStar.

“The main thing is to have a comprehensive program and do this every day. It’s like brushing your teeth. It’s not like going to the dentist twice a year is going to solve it. You have to understand your risk and how you’re improving your risk profile.”

Photo by Shutterstock / Illustration by PlayTexas
TJ McBride Avatar
Written by
TJ McBride

T.J. McBride is a writer and reporter based in Denver, Colorado who covers the Denver Nuggets as a beat writer and the current gaming landscape in Texas. His byline can be found across many websites such as ESPN, FiveThirtyEight, Bleacher Report, and others.

View all posts by TJ McBride