Cybersecurity in NASCAR – Why It Matters!

310762187_10160607832897884_4784007327092917399_n

NASCAR is one of the most popular and exciting sports in the world. The adrenaline-pumping races, the speed, and the technical mastery of the drivers and their teams have captivated fans for decades. However, with the increasing reliance on technology in NASCAR, cybersecurity has become a crucial aspect of the sport.

As technology continues to advance, NASCAR has become increasingly reliant on electronic systems in many aspects, including electronic gauges, fuel management, monitoring car performance, track telemetry, and efforts to improve race performance and fan interaction. These systems provide crucial information to the teams, including real-time telemetry, engine performance metrics, fuel efficiency, tire pressures, and the G-forces experienced by the driver.

However, this reliance on technology comes with risks, and cyber-attacks can pose significant threats to the sport. In recent years, NASCAR has experienced cyber-attacks ranging from website defacement to the theft of confidential data. For example, in 2020, a NASCAR team was hacked, and ransomware was deployed bringing the teams efforts to a halt. Additionally, team sponsor organizations have been the victim of ransomware and extortion. These attacks caused a loss of revenue, legal fees, and resources for the organizations were impacted.

Cybersecurity is important in NASCAR for several reasons, including:

Protecting Sensitive Data
NASCAR teams collect, and store sensitive data related to their cars, drivers, and race strategies. This information is highly valuable and can provide a competitive advantage to other teams or be used for malicious purposes. Therefore, it is crucial to protect this data from cyber-attacks. Hackers can steal this data and use it for illegal activities, sabotage, or ransom. By securing this information, NASCAR teams can maintain their competitive edge and protect their interests.

In 2016, Circle Sport-Leavine Family Racing was hit with ransomware, just prior to the race in Texas. Multiple team computers were infected with the TeslaCrypt virus and in moments, the team’s entire collection of track data was gone. Additionally, personnel information and other testing data was impacted. At the time, it was estimated that over 1,500 man-hours worth of work was lost. The attackers left the note, “Pay us in 48 hours, or the data is gone”.

The team paid the ransom.

Crew Chief, Dale Winston, shared the following:

“First you don’t want to believe it, but every file I tried to open had the same thing, you know in this sport, the computers have so much information on them, whether it’s track data or wind-tunnel data, engine data, personnel issues, parts issues – all sorts of information.”

For a racing team, data is life. Every second of extra speed comes as a result of thousands of hours of testing-if you’ve ever seen the pits at a professional racing series, you’ve unlikely seen as many engineers hunched in front of computer screens as there are working on the car itself.

Maintaining the Integrity of the Sport
Cybersecurity is essential to ensure the fairness and integrity of NASCAR as a sport. The reputation of the sport is at stake when a breach occurs and diminishes the security posture of the organization. For example, in 2008, a Toyota Racing Team faced allegations of stealing technical information and parts from a rival team, Roush Racing. The allegations threatened the integrity of the sport and the reputation of the teams involved. Therefore, NASCAR must ensure that the sport is protected from cyber threats to maintain its reputation.

Loss of Intellectual Property
In the wake of Dale Earnhardt, Sr's death, Dale Earnhardt Incorporated (DEI) launched a program called, "Club E", "DEInsider". That program provided exclusive access to the in-shop web cameras of DEI. However, they were improperly configured and directly accessible from the Internet. The AXIS cameras were configured in such a way that "unpublished" camera feeds were accessible. This provided attackers the ability to view the direct camera feeds of the engine shop, the boardroom, lobby, and shop cameras for the #1, #8, and the #15 team. At the time, most of the cameras could be moved, zoomed in, and audio provided to the viewer.

During the height of their dominance at Superspeedways, it was unbeknownst to them that significant intellectual property was available directly to the Internet, simply by changing an IP address in a web browser.

Today, most of the teams are communicating over poorly secured wireless networks during on-track events. Many of the networks observed use very weak passwords and encryption, or no password or encryption, at all. This provides an opportunity for competing teams to harvest performance-impacting data in real-time.

Financial Loss
A cyber-attack on a NASCAR team or the sport's infrastructure can lead to direct and significant financial losses. For example, a NASCAR team had their social media accounts compromised in 2022, preventing them from interacting with their fans and lost revenue from sponsor engagement. These losses can result from legal fees, reparations, fines, and other expenses associated with a cyber-attack. Cyber-attacks can also lead to a loss of sponsorship deals, which could affect the financial stability of NASCAR and their teams.

Public Safety
A successful cyber-attack on NASCAR could lead to a safety risk to the public, including drivers, teams, and spectators, both on and off the racetrack. For instance, unauthorized modification using breached credentials or direct system access, could permit modification of the VIP and attendee lists which could provide an opportunity for unauthorized individual to gain access to controlled areas, leading to safety risks. This would threaten the safety of the driver, team, and spectators.

Therefore, it is essential that NASCAR and their teams invest in cybersecurity measures to prevent and mitigate the risks of cyber-attacks. This can include implementing firewalls, data encryption, and other security protocols to protect sensitive data, as well as monitoring and patching the vulnerabilities in their systems. Additionally, NASCAR and their teams can work with cybersecurity experts, like Critical Path Security, to identify and address potential threats before they become significant issues.