• United States




Haas F1 team leans on service providers as security force multipliers

May 21, 20197 mins
Network SecuritySecurity

Formula One racing is expensive and comes with significant security concerns. An outsource-first policy lets a small security team effectively deal with threats at multiple locations.

CSO > Formula One- / Formula 1- / F1-style modeled wireframe race cars with abstract circuit overlay
Credit: mevans / mustafahacalaki / Getty Images

If today’s cars are smartphones on wheels, then race cars are supercomputers with engines attached. As the fastest racing sport in the world, Formula One cars come laden with over 100 sensors measuring every aspect of a car’s internal status and track performance that together generate hundreds of gigabytes of data over the course of a race weekend.

Away from the track, aerodynamic testing, race prediction simulations, and video analytics for pit stops generate even more information, all of which is highly prized, sensitive and in need of protection. To keep costs low yet compete against teams with much larger budgets, the Haas F1 team constantly looks to outsourced services while finding new ways to improve its security posture.

F1 a data sport that needs securing

Numerous technology vendors are proud to show off F1 teams as customers, but usually these use cases are around how the sport creates terabytes of data in any given week and then uses that information to gain tenths of a second in lap times. While you’ll often hear F1 described as a “data sport,” rarely is cybersecurity mentioned.

“Formula One has woken up in the last five to seven years in saying technology and IT is what’s going to make the difference between us and our competitors” says Haas F1 Team CIO Gary Foote. “Cybersecurity might be a subject that’s not talked about quite as much, but it’s taken very seriously. If cybersecurity is ignored or put down the pecking order in terms of technology stack, the effect could be catastrophic.”

“We’re all representing a brand, and we have a duty to protect our brand,” Foote adds. “If cybersecurity or lack of was to ever put a black mark either on the sport in general or on Haas specifically, we could damage a brand and them no longer partnering with us could affect the race team and thus affect results.”

Security in the background

The Rich Energy Haas F1 Team has been part of F1 since 2016. The team operates across locations in the U.S., the UK and in Italy, as well as the moving operations for the race team. Foote has been in motorsport IT for over a decade, including stints at Honda, Brawn and Mercedes-Benz. He became Haas’s CIO in January 2017 and is responsible for managing the team’s IT function, including security and business continuity, as well as digital and technology strategy for the business.

As well as the usual business data that companies need to operate — employee data, financial data etc. – the company’s main assets are its intellectual property (IP) around the car and race strategy models. Compared to many teams that have just one location they operate from, Foote has to contend with securing data travelling freely among sites.

“I have computational fluid dynamics folk in the U.S. running on an HPC [high-performance computing] cluster based in the UK and providing up data to aerodynamicists based in Italy,” says Foote. “So, I’ve got this really complex data movement strategy and so cybersecurity becomes even more important because instead of moving data around on-prem where you obviously have much tighter control, I’m now moving it across oceans.”

While technology is now a cornerstone of the spot, Foote is keen to keep security operating quietly in the background and keep barriers to a minimum, as every second counts, especially in the midst of a race weekend environment. “Even seconds of downtime at single end user stations can have huge effects for somebody working on a particular qualifying strategy,” he says.

“What we’re trying to do is be behind the scenes and protect people from themselves. We want a race engineer to be able to engineer a race car really well, we don’t want him to pop in a USB drive and things pop up saying that you can’t do this,” says Foote. “A lot of the technology we’re trying to put in place is to protect ourselves in the background and almost be invisible while allowing people to just get on with their jobs. We protect ourselves from that USB key whilst also allowing him to get on with his job.”

F1 security still siloed

Team owner Gene Haas also owns the Stewart-Haas Racing NASCAR team and machine tool manufacturer Haas Automation. Foote says that his team has a close working relationship with the technical function at the NASCAR team and there are occasional meetings with the IT teams at Haas’s other companies.

While the two Haas racing teams might collaborate regularly, Foote says sharing isn’t really a part of the F1 scene. “There’s not a great deal of collaboration, and I think that’s a shame. We’re in a competitive world, so we have to be a little bit siloed. Maybe a forum could exist in such a way, but it doesn’t really at the moment.”

This may change in the future. F1 was recently bought by Liberty Media, and the broadcaster is looking to reduce the costs of the sport through initiatives such as budget caps and standardizing parts on cars. Foote says, “it’s only a matter of time” before these standardization efforts begin touching the technology stack.

Haas races toward cloud and outsourcing security services

In a sport that can cost well over $100 a million to take part in, F1’s history is littered with smaller teams – including Caterham, HRT and Manor in the last decade alone – that have been forced out of business due to the high cost of participation. Haas’s approach to F1 differs from other teams in that it relies instead on outsourcing where possible.

For example, rather than developing the cars from scratch, the team uses engines, transmissions, suspension, hydraulics and electronics supplied by F1 powerhouse Ferrari. The chassis come from Dallara, an Italian manufacturer. Aerodynamics and other aspects of R&D around the car is done in-house.

This lean strategy translates to people and technology, too. At fewer than 200 people, Haas is the smallest team in F1, and the company relies on technology service providers as much as possible. “Guenther Steiner, the team principle, wants to keep the team small and lean and efficient, and that feeds into the into the IT function as well,” says Foote.

“I have a small team across all the sites; a couple of people in each location, and a couple of people that travel around with the race team, and they’re my boots on the ground,” says Foote. “I have one senior manager that reports into me that manages the deployment of the security strategy, and another that does the same for risk.”

“If we can find a partner that does something better than we can do internally, we use that partner. If we can put services into the cloud and run software as a service or platform as a service, I favor that model purely because it means I don’t have to get specialists and experts on chairs in the office. If I need to go and ask for headcount, I need to have exhausted every other avenue.”

One of those service providers is Nominet. Best known as the domain name registry for the UK and managing the DNS infrastructure around the .uk TLDs, the company recently moved into the cybersecurity space. Haas deployed Nominet’s recently released NTXsecure tool, which provides DNS analytics and a managed DNS resolver to automatically categorize and apply policy to queries. This helps eliminate malware, phishing and data theft from the network. 

“DNS is such a trusted transport mechanism,” says Foote. “We’ve got multiple layers of security in place that we’ve built up over time, but DNS is one of these areas of weakness and primarily all these exploits use DNS under the skin.”

Rather than replacing a previous technology, Haas’s NTXsecure deployment was an additional layer of security. Largely managed by Nominet, the Haas team has regular meetings with the vendor where findings are presented and anything potentially suspicious can be flagged.

“It’s taking care of the grunt work and enabling us to work much smarter. If we tried to do some deep dive analysis in house, I just would never have the human capacity to do it.”