Formula 1, Cyber Vendors and Selling Fences

by Sash, on 15/03/2019 5:32:45 PM

This weekend's Formula 1 Grand Prix has an unlikely parallel to the cyber security industry. You see, Formula 1 is a precisely engineered environment, where suspension load is modelled across the 300 or so corners of the calendar and components are designed to experience only 40% of their rated strength.

The cyber security industry sometimes strays from this mantra of building fit for purpose, which is analogous to the design of the circuits and their safety measures.

Debris fences are 3.5m in height, designed to prevent cars that have crashed at upwards of 300km/h and are breaking apart from showering spectators and track marshals alike with disintegrated pieces, including wheels and other potentially fatal projectiles. Indeed, it was in 2001 that Jacques Villeneuve’s BAR Honda launched into the air and along the debris fence. Slots are provided in the fencing for photographers to point their long lenses through to take spectacular photos of drivers on the limit, but the slots are slightly smaller than the Formula 1 wheels to stop them from penetrating the fence.

In this particular case, the position, angle and force of the impact meant that the slot was bent slightly, allowing the wheel to be pushed through the slot, fatally injuring a volunteer marshal standing nearby, who would have had barely enough time to see, let alone react to the incoming wheel. Like many tragedies, lessons were learnt, and improvements made to prevent a repeat.

If you take a look at current photographer slots, there are a couple of different designs.

Here we have a slot on a straight before a corner, where the likelihood of an incident and modelling of the angle of impact mean that the risk of an airborne car resulting in a similar compromise of the reinforced and narrower slot is minimal.

In other parts of the circuit, the risk is significantly higher, particularly on this section along the outside of a very fast sweeping curve. Any contact or spin would result in significant force exerted on the debris fencing. You can see below the double layer design (did someone say defence in depth?) where the secondary concrete barrier and fencing are designed to catch any potential projectiles that make their way through the photographer slot, taking into account the direction of travel to catch and stop debris using the second layer.

Having observed the assembly of the fencing over a number of years, the components are the same regardless of where they are placed and how likely a slot protrusion is. Fence; pole; concrete barrier; fence with slot – they are the products. Now, if you were the Federation Internationale de l'Automobile (FIA), the governing body of motor sport that spends millions of euro analysing, simulating and testing crash safety with the aim of engineering preventative solutions, would you rely on the fence manufacturer to recommend a solution blindly?

Obviously the answer is no. The specific context of the corner, the characteristics of the cars and other risk factors would drive what solution is implemented. A single concrete barrier and 3.5m fence is sufficient in many places, yet others call for the double layer debris-catching structure. Asking the fence manufacturer for the answer is either going to result in inadequate protection, or a grossly over-specified solution. At the end of the day, the fence vendor is there to sell fences.

In much the same way, relying on cyber security product vendors to engineer an appropriate solution given your specific circumstances, context, threat profile, business requirements and risk appetite is like asking the fence vendor how many fences you need. The answer, unsurprisingly, is always going to be “lots”. It gets more challenging when you ask the fence vendor if you need concrete barriers as well as fences. The vested interests of product vendors mean that fences turn into the equivalent of nails to someone who is wielding a hammer.

So firstly, enjoy the 20 most talented drivers in the world challenged this weekend by the picturesque street track that is Albert Park. After that, consider who is best placed to perform the equivalent role of the FIA, engineering an appropriate risk-based approach to achieve and maintain business objectives through cyber security, without littering the place with the analogous fence panels. Or more specifically, the latest and greatest product, with blinking lights, HTML5 “single-pane-of-glass”, false peace of mind and no real impact on real-world risk exposure. Just ask us how many breaches we’ve been asked to triage where “sophisticated” (expensive) AI-based products have been in place, happily blinking their lights until you have to start writing to the Information Commissioner.
