Technology / How Williams F1 keeps its crucial engineering data safe from hackers

How Williams F1 keeps its crucial engineering data safe from hackers

Data can make all the difference in Formula 1. Teams shave vital hundredths of seconds off their lap times through careful analysis of racing telemetry, and it is on such details that races are won and lost. If that data is stolen, they could lose that competitive edge.

It is the job of Graeme Hackland, IT director at Williams F1, to ensure this does not happen. He is in charge of protecting the vast amounts of valuable data generated both by the Formula 1 team and other areas of the business working on engineering projects for clients.

"Williams is primarily obviously a Formula 1 team, and there is a fair amount of design, aerodynamics, manufacturing and race engineering data that we need to protect," he says. "During the season, it's obviously the current year's car, maybe last year's car and importantly always the following year's car that you're trying to protect...

"Williams also has an advanced engineering division, and that's where we have a lot of intellectual property that either we own, or we're holding customers' intellectual property and confidential data. That data's extremely important to us, to know where it is, to be able to prove to the customer that we've protected their projects."

With clients including firms in the automotive and motorsport industries as well as defence, it is vital that Williams keeps this information secure. A breach involving confidential customer information could mean a big hit to its reputation.

“The advanced engineering business is based largely on Williams’ reputation, and I think the reputational damage could seriously affect our business, our ability to win projects,” Hackland says. “I think people’s confidence in us would be affected.

“From an F1 perspective, obviously it affects your ability to win, to take on your competitors in the following seasons. That, I think, is our main challenge.”

Securing the F1 mobile data centre

But while most businesses have a static data centre to secure, Formula 1 teams – and their data – travel everywhere from Melbourne to Montreal over the course of each year.

“One of the main differences I would say for F1 is that we have this mobile data centre that we take to 21 countries across the globe,” Hackland says. “That’s a different challenge. Our advanced engineering data, we tend to know where it is…

“From an F1 perspective, we are creating networks and this mobile data centre all over the world so that feels like a slightly different challenge, but otherwise it’s very similar principles, and very similar to a lot of the CIOs I talk to from other industries, whether it’s financial or other industries who are creating intellectual property.”

This presents a different twist on the cyber security conundrum for Jon Geater, CTO at Thales e-Security, which recently entered a technical partnership with Williams.

“If you take a simple view of IT security, everything’s kind of the same,” he says. “You’ve got some computers, you’ve got some data and you want to look after it in some way. So a lot of the building blocks and the basic approaches are extremely similar.”

But he says the most effective cyber security revolves around strategies and protections that take into account organisations’ specific needs – in this case, staying secure in the midst of the glamorous, globetrotting spectacle that is Formula 1.

“The mobile data centre, for example, is a really interesting case because when you think of the trust insider in a static building, we have all sorts of other controls around it that contribute to cyber, such as the guy on the front door, and your access badge, and the fact that people are going in and out every day into the same physical building…

“Being able to take these building blocks we’ve learned there but critically change them around a little bit, so then you understand that the trusted insider is a little bit different and the way you manage them is a little bit different when the thing is mobile from when the thing is static, that’s where the actual cyber protection comes from.”

He adds that thinking around security in a standard data centre is normally digitally-focused, but a mobile data centre is vulnerable to more physical threats.

“There’s a lot to do with the storage of data and the length of time things are exposed, the times at which things come out,” Geater says. “In a data centre you might have backups or storage that go back ten years, but they don’t tend to be physically exposed very often…

“With the mobile data centre you turn a lot of those things on their heads, and actually there’s a constant threat of things like physical theft, where people can just run off with hardware, run off with discs, and then analyse them, steal the data to their hearts’ content.”

He says although Williams’ mobile data centre is “very secure and well-designed”, it presents a completely different challenge to the regular business setup.


Understanding risk and designing defences

For Hackland, it is important to understand where exactly threats are coming from – and despite Formula 1’s competitive nature, they are more distant than Williams’ pit lane rivals.

“We give some thought to where our risks are coming from, who’s going to create those risks,” he explains. “People always say, ‘It’s going to be your competitors because they’re in the garage next to you,’ but actually the penalties for any team that is found to be accessing another team’s data or trying to bring their systems down would be so severe that we don’t think that that’s where our risk is.

“Our risk is more in someone wanting to see if they can get onto the car or if they can get onto the network. The data we take around the world and travel with is not hugely valuable just on its own – you need the analysis data and why we made the decisions we made, and that’s when it starts to become useful. If you can combine that then it becomes hugely valuable.”

On top of this, the connected nature of the mobile data centre means it needs to be secured against attacks that could potentially lead hackers back to the team’s factory in Oxfordshire.

“The data’s valuable and important, but [the mobile data centre] is an attack vector to get onto our network and eventually get onto the network back here, because we have links between the tracks and the factory, so that’s what I worry more about than someone getting onto the data at the trackside,” Hackland says.

“We either have activists who want to attack Formula 1 for whatever political reason, or the intellectual property person, or the person who wants to just bring you down just to see if they can, do some sort of denial-of-service. We’re spending some time looking at where our challenges are coming from and that’ll help us understand where to protect ourselves first.”

Building threat-focused defences

Geater says prioritising threats in this way is crucial to all businesses, because it is simply impossible to stay ahead of cyber criminals and protect against every possible threat.

“Threats are always evolving – new things come up all the time,” he says. “But actually, you can never defend against everything, and if you’re just taking a general approach… you’ll never keep up and you’ll never be protected.

“Actually, the right thing to do is to walk back a couple of steps, look at why your stuff is interesting and then think about why somebody might want to disrupt it. Taking this proactive, threat-based approach is absolutely essential.

“The reason you tend to see so many data breaches from so many notable companies all the time is invariably that they’ve taken a bit too much of a general approach and they’re concentrating on the computer and they’re forgetting that first and foremost you actually had a business problem to solve there.”

The same holds true for Williams, which Hackland says has to prioritise its security spending to protect against the most likely – and potentially most damaging – attacks.

“I can’t protect myself against everything,” he explains. “Williams are an SMB and they have a finite budget in terms of what they can spend on risk. Sometimes we live with risk and accept risks that for other companies would not be acceptable.

“But we do it because we try to understand where we’re potentially vulnerable and what’s going to harm our main business success criteria of growing our advanced engineering business and winning in Formula 1 and focusing on those things.”

Top photo © crazylenny2 (CC BY-SA 2.0). Cropped.



Get our latest features in your inbox

Join our community of business leaders