Another frantic call at 3 a.m.: the Oracle Red Bull Racing Formula One team discovered an issue in the wind tunnel testing its cars. It’s up to Ian Brunton, head of software engineering for aerodynamics, to troubleshoot the problem. Even when he’s already shaken off the early-morning haze, the investigation could easily take an hour. But when it comes to racing, every second counts.
Many security-related considerations go into managing an F1 team. The tools, methods, and the infrastructure engineers use to design the cars require heavy investments and the team needs to secure information from leaking to competitors. And as they’re moving fast on and off the racetrack, teams also need to ensure they don’t wind up with breaches, malware, or other various threats. System credentials and identities must be protected.
“Cyber is critical in F1,” Matt Cadieux, chief information officer at Red Bull Racing, tells Dark Reading. “It’s an engineering competition as well as a driver’s competition. There’s a lot of investment and we need to protect our secrets and business continuity where we face the same threats that other companies do.”
Maintaining speed and efficiency securely while managing 2,000 people and thousands of servers and clusters – some on premises and some in the cloud – presents challenges. A broad set of applications and services, well over 100 service accounts, compounds the complexity.
Over the past year, Oracle Red Bull Racing implemented 1Password tools for automation, credential access, governed access, and software-as-a-service (SaaS) management with two goals in mind: Enhance speed and security. While there were some learning curves, Cadieux and Brunton agree the added automation accelerated processes that spilled over to car improvements as well.
Satisfying 100 Perfectionists
F1 is all about speed, but it’s not restricted to amping up the car; it’s the speed of business activities too. Users need to be productive and spend their brain power on how to make a faster car, instead of dealing with inefficient tools or downtime, says Cadieux.
“Rather than people being frustrated, saying IT is rubbish, which people occasionally do, we’re trying to minimize that and pull all their brain power and energy into thinking about the car and underlying infrastructure issues,” he says.
While it’s easy to cut corners and deploy a system without authentication, it will “bite you” every single time, warns Brunton. Strong authentication allows users to design a car versus having to report a problem. “It affects people in my team too,” he says. “It becomes a cycle of a problem.”
People in the company grow impatient and will be very vocal if they see something that is less than optimal, something that is unreliable, or something that is too manual, says Cadieux. People don’t hold back, he adds.
“It’s good to work at a place with a few hundred perfectionists or demanding users where tolerance for mediocrity is not very high,” Cadieux says.
The 1Password partnership kicked off in Feb. 2025 in a phased rollout that came with some implementation challenges. While the system is officially in use, the team is still evolving prototypes and engaging in continuous improvements, says Cadieux.
Understanding the API was the biggest hurdle from the engineering-aerodynamics side and required experimentation. They learned reconciliation – changing secrets within the system – and how long that takes to go through and update, Brunton says.
The service desk, infrastructure, and high-performance computing side also uses 1Password as a central repository. The biggest implementation challenge was that 1Password had to gain a business understanding before they learned to configure and use the tools so it could work for an F1 company. Cadieux worked with the consultant team who provided support and structure.
Fewer 3 a.m. Wake-Up Calls
New automation and centralized credential access allows the teams to work faster, and the new tools helped modernize the early design stage for cars, explains Brunton.
Cadieux and his team try to allow people to have some freedom in cloud-based services, but not free rein that could potentially introduce more risks. That’s where the SaaS manager came in handy, to monitor and understand user behavior regarding passwords and access controls, providing a visibility that they didn’t previously have, adds Cadieux.
Improving password hygiene is one area where the team saw benefits, enforcing positive behavior. Password managers help users efficiently avoid shortcuts that would compromise security, such as storing passwords in plain text, that could allow attackers to steal credentials.
“It sounds simple but it’s actually really important when you have a few thousand people and when you’re doing a lot of diverse things,” Cadieux says.
Credential access is the main area where Brunton and his team interact with 1Password. Implementing a central place to store credentials is crucial because they have more than 100 entries in just one vault for one sub team. Again, it’s all about speed and one central place means they can access details quickly.
“We can control who sees which vault, which is quite useful,” Brunton says. He adds that they work on the principle of least privilege, so no user is granted too much access.
The team also strives to save as much time as they can when it comes to the wind tunnels, which are highly regulated; they are allotted 500 hours annually to run tests. The time constraint introduces quite a lot of pressure, because they must use that budget carefully and any system downtime becomes a massive problem very quickly, explains Brunton. Investigations mean scanning 20 services, 15 or 16 that are spread over two or three sites, as well as different Kubernetes clusters.
Wind tunnel recovery time reduced from one hour to two minutes under the new partnership. Having credentials in one place to log into different systems or connect to APIs quickly is a big benefit when trying to investigate a problem that is not clearly identified, Brunton says.
“We were able to automate a reset of the system,” he says. A single-click reset button tears down and reestablishes the entire workflow, he explains. They can recover quicker, and that means Brunton receives far fewer calls at 3 a.m.
Don’t miss the latest Dark Reading Confidential podcast, NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later, for a candid conversation with Chris Inglis, head civilian in charge of the NSA during the Edward Snowden affair. Inglis reflects what the NSA should have done better, what he wants CISOs to know about protecting against their own insider threats, and what his reaction would be if Snowden received a pardon. Listen now!
