This is how Formula 1 teams fight off cyberattacks
The Mercedes-AMG Petronas Formula One team is one of the most dominant F1 teams of all time and has won seven Constructor’s World Championships in a row since 2014, with seven-time World Champion Lewis Hamilton, who many consider to be the greatest ever Formula 1 driver, winning the F1 Drivers’ Championship on six of those occasions.
Mercedes face challenges from nine other teams on the track during race weekends, but these are far from the only adversaries that the team has to worry about. The high-profile, high-tech nature of Formula 1 makes it a tempting target for cyber criminals and sophisticated hackers of all kinds.
“The profile of this organisation, the popularity of the sport and the fact that we’ve been pretty successful over the last few years actually acts as a little bit of a target for this type of activity,” explains Michael Taylor, IT director at Mercedes-AMG Petronas Formula One.
Most of the cyber threats an F1 team faces will be familiar to organisations around the world, such as the phishing attacks attempting to steal usernames, passwords and other sensitive information, or the constant threat of ransomware. But then in F1, you also have to factor in the challenge of securing a remote workforce that can be in three countries in as many weeks because of the busy schedule across a hectic 22-race season.
And then, add on top the threat that comes from the most sophisticated online attackers who might be interested in the secrets of a high-performance racing team.
“In this hybrid world, a lot of the technology comes out of Formula One and then trickles down into the cars that we drive, so there’s a tremendous amount of technology that’s on the cutting edge that obviously needs to be protected and certainly could be a target for nation-state actors,” says George Kurtz, CEO of CrowdStrike, the cybersecurity partner of Mercedes, which provides the team with technology to help secure its networks, as well as information on the evolving nature of cyber threats.
This includes a dossier ahead of every race weekend, where CrowdStrike security analysts detail the potential cyber threats that members of the team could face in the country where the race circuit is located, and how to stay safe from these threats.
“That’s always an eye opener that always helps raise some inconvenient truths and some questions,” says Taylor.
Ensuring that the cybersecurity of a Formula 1 team is strong enough to protect against all these threats starts with securing the endpoints – the laptops, tablets and other devices that members of staff use on a daily basis.
“Endpoints for us are our biggest area of risk because they have a human at the other end of them and most of the risk is inherently carried by humans doing something they probably shouldn’t do or didn’t intentionally mean to do,” Taylor explains.
“The endpoint is an area where we do have control over, but not full control and that’s really the biggest focus for us in terms of reducing the risk opportunity there.”
Mercedes could completely lock down machines with strict controls on what actions users can perform; but restricting user activity like that in Formula 1, where time is of the essence and the split-second strategy decisions and the data that informs them can make or break a race weekend, could put a team at a massive disadvantage.
“We’re very creative in terms of problem solving and design, and historical security controls would inhibit innovation or could potentially limit innovation,” says Taylor.
That means heavily restricting access to data or making it cumbersome for engineers in the pit lane to collaborate with analysts at the factory isn’t the answer. Instead, a balance is needed between ensuring security and also ensuring that staff can efficiently do their jobs in a way that isn’t detrimental to Lewis Hamilton or his teammate Valtteri Bottas during race weekends.
“It’s always a balance of risk versus reward and it’s trying to be able to provide that flexible platform enabling collaboration, but understanding the potential risks and then addressing them,” says Taylor.
Cybersecurity applications like firewalls, network segmentation, providing access to data on a need-to-know basis, and multi-factor authentication play a role in helping to keep the team secure, but the globe-trotting nature of Formula 1 means that staff – and computer networks – don’t stay in the same place for long before being packed up and whisked away to another circuit on the calendar.
That’s why many of the applications that help manage security procedures are cloud-based, allowing Mercedes to ensure endpoints are protected against the latest threats, no matter where they are in the world.
“Whether in the factory in what we class our protective environment or out in Australia, it’s still the same consistent endpoint protection that we have in place; the fact it’s calling home to a cloud location somewhere in the world massively simplifies the complexity and the challenge for us organisationally,” Taylor explains.
All ten Formula 1 teams face similar challenges around protecting their networks from data breaches and cyberattacks, no matter where they are in the world, while also attempting to work as efficiently as possible in a high-paced environment.
Cyber criminals have long exploited the hectic nature of businesses, and the sheer number of emails that get sent in a day, as an entry point for cyberattacks – and that’s no different for Formula 1.
For example, in November last year, Formula 1 was at Imola for the Emilia Romagna Grand Prix, the 13th race in the 2020 Formula One World Championship Season. It was late in the year for an F1 race, after the start of the season was delayed from March to July because of the impact of, and the races came thick and fast during the truncated calendar; just days before, the teams had been in Portugal for the previous Grand Prix.
It was at this point that some hackers went straight for a big prize, attempting to target Zak Brown, CEO of racing team McLaren Formula 1.
They’d created a sophisticated phishing email designed to look like business-related emails that Brown would expect to receive. But Brown never saw it, because the cybersecurity protections McLaren applies to the inboxes of all its staff meant it went straight to junk mail and the ability to click the link was disabled – despite the continued efforts of the attackers.
“In terms of volume of attacks, they’ve definitely got smarter. They’re targeting individuals with phishing and spear-phishing attacks – it’s very targeted, very clever,” says Chris Hicks, group CIO at McLaren Group. “It is a cat and mouse game; the attackers will react to your changes, then we react in turn – but I feel like we’re always one step ahead”.
McLaren fended off this particular attack by using technology supplied by Darktrace, the team’s official cybersecurity partner – its logo featuring prominently on the liveries of the cars driven by Lando Norris and Daniel Ricciardo.
The nature of Formula 1, where team members could be in different parts of the world in consecutive weeks, means that blocking access to emails just because they’re being sent from an IP in an unfamiliar space wouldn’t work.
But McLaren’s email security software analyses information about previous activity and uses this to determine if the action is legitimate, meaning that important messages being delivered from unfamiliar time zones or locations don’t get blocked. Meanwhile, messages like the one cyber criminals attempted to send McLaren’s CEO get filtered out as they’re recognised as unusual or malicious.
“Darktrace understands that actually the rest of the team is here, these are files you normally access, this is the normal chain so it’s okay. It works really well because we have to be seamless, we can’t be taking our staff offline,” Hicks explains.
“That real-time accessibility to data and real-time collaboration wherever you are in the world is absolutely critical – anyone in Formula 1 will tell you every millisecond counts,” he adds.
The sheer amount of data transferred over a race weekend is huge with potentially hundreds of thousands of emails being sent within McLaren as well as between McLaren and its partners.
“On a race weekend, it’s measurable how many more attacks come into the business when Formula One’s on the TV,” says Dave Palmer, chief product officer at Darktrace.
“There could be 250,000 emails over a race week and during a race weekend the number of malicious ones jumps up to about 3.5%, which is a lot – 3.5% of your inbound email has got something wrong with it, that needs to be acted on by the machine.”
If just one malicious phishing email wasn’t identified and got through, that could be devastating – not only could it affect race plans, but there’s also the potential for a phishing email to be used as a gateway to a wider attack on the network.
“That’s something we’ve always been challenged with because in many areas intellectual property won’t be secret for very long – in six months or so it’s public knowledge, just due to the nature of Formula 1. But in real time, we want to keep it close to our chest and often it’s for financial gain or various reasons why attackers might try and compromise us, so it’s imperative that we keep that IP secure,” says McLaren’s Hicks.
McLaren doesn’t just rely on technology to keep staff secure – a key element of keeping the network protected from cyberattacks involves regular cybersecurity training for staff, including executives.
“The awareness campaigns that we do are absolutely critical and it’s normally from the top down. It’s normally the CEOs you get targeted first or their PA; people right up the top”, says Hicks.
Williams Racing is one of the most historically successful teams on the Formula 1 grid and it too has found itself being targeted by cyberattacks attempting to launch phishing attacks against the boardroom.
The high-profile nature of Formula 1 means it’s easy to find out who runs teams – they’re often right there on TV – and cyber criminals will attempt to exploit this for social engineering.
“We know we are constantly a target, there are even some spear phishing attacks where they go after the CEO or CFO,” says Graeme Hackland, CIO of Williams Racing F1.
“They don’t lock you out of your account, they just sit in your account and watch. We received a reply to an email from a supplier saying ‘we’ve changed our bank account, please can you update your records’ – and that reply was sent from the hacker not from the supplier,” Hackland explains.
Attackers have also registered false Williams email addresses in efforts to commit attacks against the team – for example, they’ll try to register a URL where the lower case l’s are replaced with a capital L, something that unless somebody is really examining the email address, would look authentic.
“It looks just like our email address, and so I don’t blame any of our staff who got caught by those things because it was very, very sophisticated – there’s a lot more social engineering going into the phishing emails now. They learn a huge amount of information,” says Hackland.
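An added example, not from the article or from any vendor it mentions: a minimal check that flags sender domains which are visually confusable with an organisation's own. It goes beyond the single letter swap described above to cover several common ASCII look-alike substitutions; the domain `williams.example`, the substitution table and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: placeholder domain; the article does not give the team's real one.
TRUSTED_DOMAINS = {"williams.example"}

# Characters that render alike in many mail-client fonts, mapped to one
# representative. Single characters first (case-sensitive), then pairs.
CONFUSABLE_CHARS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Collapse visually confusable spellings of a domain to one form."""
    s = domain.translate(CONFUSABLE_CHARS).lower()
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From header."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "external"
    shown = address.rsplit("@", 1)[1].rstrip(".")
    # DNS ignores case, so an exact case-folded match is the real domain.
    if shown.lower() in trusted:
        return "trusted"
    # Same skeleton as a trusted domain, but a different name: an impostor.
    if skeleton(shown) in {skeleton(d) for d in trusted}:
        return "lookalike"
    return "external"


# Constructed sample headers, not taken from any real incident.
SAMPLES = [
    "Finance <accounts@williams.example>",
    "Finance <accounts@wiIIiams.example>",   # capital I in place of l
    "Finance <accounts@wi11iams.example>",   # digit 1 in place of l
    "Finance <accounts@wiIliarns.example>",  # mixed swap plus rn for m
    "Supplier <billing@parts-supplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9}  {header}")
```

A mail gateway would typically quarantine or banner the `lookalike` results rather than silently drop them, since the table only covers ASCII substitutions and will need tuning per organisation.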
Williams was sold to new owners, American private investment company Dorilton Capital, during 2020 – and with new executives, and new staff around them, it was vital these people were aware of the potential security threats they’d face as high-profile staff of a Formula 1 team.
“We got a new CEO, so we did an education campaign with his personal assistant to remind her she’s going to be a target and we have actually seen an increase in spam emails going to her,” Hackland explains. All Williams employees go through phishing training to understand how cyber criminals could try to breach the network via email.
But the sheer number of cyberattacks means that it hasn’t always been possible to protect the network from attacks – and Williams found itself the victim of a ransomware attack a few years back.
The attack in 2014 started on a Friday morning and was quickly spotted by the cybersecurity team. Much of the network was protected from falling victim to the attack. But if the attack had started a few hours later, it’s likely that nobody would have noticed until the following week.
“If this had happened at 6pm, it could have spent all weekend encrypting all of our data and when we come in on Monday, we would have been in massive trouble. It was lucky, it was a Friday morning and we noticed that behavior fairly early in the process,” Hackland explains.
The ransomware attack got into the network after a member of staff unintentionally visited a compromised website.
“They had downloaded a tech spec sheet for their washing machine. They did nothing wrong. They went to a trusted website downloaded a file and had no idea that this ransomware was running in the background,” says Hackland.
At the time of the incident in 2014, cybersecurity procedures weren’t as mature as they are today – and in this case, the affected files couldn’t be recovered. But it served as a wake-up call for ensuring that networks and employees were as protected against cyberattacks as possible.
Now, Williams Racing has benefited from a partnership with cybersecurity company Acronis for a number of years, helping to keep endpoints and staff – and drivers George Russell and Nicolas Latifi – secure, whether they’re at the headquarters in Grove, Oxfordshire, or at racing circuits around the world.
The partnership means Williams use Acronis for endpoint protection as well as backups for keeping data secure, no matter where the user is, be they working remotely, at the factory or at a race circuit.
“Motorsport teams, even at the top of the industry, are facing major challenges dealing with ever-expanding amounts of data – managing, archiving, sharing, and protecting it from cyberattacks,” says Ronan McCurtin, VP for Europe, Turkey and Israel at Acronis.
With more races than ever before, Formula 1 teams are being pushed to the limit both on the track and off it. The high-profile nature of the sport and the cutting-edge technology behind it means all Formula 1 teams are tempting targets for cyber criminals and hackers.
Unfortunately, just like the Formula 1 teams they are chasing, malicious hackers are always looking for ways to improve. But unlike an F1 race, there’s no finish line in the cyber-arms race.