Haas Formula 1 CIO Builds Security at 230 Miles per Hour
As the CIO for both Formula 1 and NASCAR racing teams, Gary Foote is tackling the same security issues as other manufacturing CIOs — with a huge dash of motorized mayhem thrown in.
August 22, 2019
When most CIOs talk about the speed of IT, they're referring to release candidates under DevOps or a rapid hardware refresh cycle. When Gary Foote talks about the speed of IT, he's often speaking in terms of the IoT at 350 kilometers per hour.
Foote, CIO of the Haas Formula 1 racing team, is responsible for the computers and networks that allow the young team, which first fielded a car in 2016, to be competitive in the 21 races that make up a season for the world's most widely watched — and most expensive — auto racing series.
When you sit down with Foote at Black Hat USA, conversation naturally turns to the most visible part of the operation: the cars.
"In Formula One, the technology is really kind of in your face," Foote said earlier this month. The technology serves an amazingly complex machine. According to McLaren Applied Technologies, sole supplier of electronic control units (ECUs) to F1 teams, "The chassis is made up of around 11,000 components, the engine 6,000 parts, and the electronics another 8,500. That's over 25,000 separate bits which are at risk of failing during a grand prix."
The health and performance of those 25,000-odd separate bits are monitored by more than 300 sensors that report back to the pit area in real time via a wireless network.
"[The data] comes from the car to the garage. Obviously we distribute around the garage on a network, but then we also distribute that back to the UK base and to the US base," Foote said. "So we have our race support functions in the UK and the US, and that's all done in real time."
How much does Foote worry about the security of those network communications?
"In terms of data, there's very heavy governance — much more than a 'gentlemen's agreement,'" Foote said. In F1, each team provides its own data network, separate from the other teams, and Foote said that these links are protected by solid authentication and encryption protocols. Still, there are concerns about data security.
"I'm more concerned about people who aren't the other teams using it as some kind of leverage or catalyst for their own gain, really," said Foote. The attacker, he said, could be a teenage hacker who just wants to get the information and put it on online forums, or organizations that would like to use what is essentially a global platform to leverage their message.
Basic Manufacturing Cybersecurity
Away from race day at the track, Foote has the sort of security concerns common to many smaller high-tech manufacturing companies, made perhaps more challenging because of the nature of the employees. "We're a manufacturing team. At the end of the day, an awful lot of time goes into polishing the products, but we're still a manufacturing organization," Foote said. He said that the engineering, manufacturing, and HR data generated by the company had to be protected through the same technologies and procedures that would apply at any high-tech firm.
Haas F1 is a manufacturing organization heavy with engineers and scientists, and those highly technical employees can make the IT staff's job more difficult. "We try heavily to allow engineering staff to work as efficiently as they can, because the only thing that they're limited by is their time," Foote said. And because Haas is a small F1 team, minimizing those limitations can be the difference between a solid race result and one the team would rather forget.
Foote and his IT team try to keep security in the background, he said, enabling as much as possible while being invisible when they can be. If not, he explained, "These are guys who do doctorates and PhDs for fun. So they're super clever. But that strength is also their weakness when it comes to technology because they'll try and boost their own efficiency by circumventing obstacles."
The manufacturing process is still filled with intellectual property, from CAD drawings to partnership agreements. And those partnerships are numerous for Haas because they are a smaller team. "We have a lot of conversations with companies that are, say, supplying fasteners and they might be five people. You know, we're really good at making fasteners, but they don't really know about IT and IT security."
These smaller partners look to Haas, Foote said, to help guide them in making sure that the transit of data between sites is secure, that any kind of data protections that Haas insists on are built into the procurement process, and that regulations are followed.
In particular, Foote said that security was a key consideration in the product life cycle management (PLM) system the company recently deployed, which he described as a database for CAD data.
The regulations, like GDPR, are critical, because even as the CIO of a small team, Foote has to oversee the protection of data flowing between Haas facilities in England, the US, Italy (two sites), and wherever the race is taking place.
A Second Racing Team
For Foote it's more complicated because, while employed by the Haas Formula 1 team, he is also CIO of the Stewart-Haas Racing NASCAR team. "There's quite a bit of tech behind the scenes in NASCAR. They kind of hide it a little bit, but it's there," he explained.
Ultimately, Foote said, it's often most important to try to step away from the glamour of professional racing and look at the portions of the business that are common to any other manufacturing organization.
"Data are moving between all those sites, between peripherals, machines, laptops, and to engineers working on BYOD devices," Foote said. "All of those people introduce risk. All of those areas introduce risk. And so the idea is just to remove the glamour of the sport and break it down to its fundamentals. That's how we try and keep on top of security."