top of page
Search

Data Integrity is the New Horsepower

  • Writer: Tim Harmon
    Tim Harmon
  • Nov 10
  • 5 min read

Quantifying the F1 Threat


McLaren F1 MCL39 Livery for 2025
McLaren F1 MCL39 Livery for 2025


This article is an executive summary of a strategic framework for Formula 1. You can download the full, C-suite-ready PDF briefing here.

For decades, Formula 1 has been a two-pillar war: horsepower and aerodynamics. The 2026 regulations, with their new power units and active aero, double down on this. But they also introduce a third, invisible battlefield: the cyber-physical domain.


While teams battle in the wind tunnel for the last point of downforce, the next championship will be decided by who masters this new domain first.


The risk is no longer just IP theft; it’s on-track performance degradation.


The New Attack Surface: F1’s 2026 Cyber-Physical Battlefield


In modern Formula 1, the car operates like a data center, generating over 1.5TB of information from more than 300 sensors every race weekend. This data is essential for the team. It drives the strategy models, supports the simulations, and guides every decision made on the pit wall. 


The 2026 regulations will further integrate this technology. New power units and active aerodynamics mean that key performance components are not just mechanical; they are cyber-physical systems controlled by data. 


This creates a new and serious attack surface. The biggest strategic threat is no longer a rival stealing your blueprints in a “Spygate” event. Now, it is a rival corrupting your data.


The “Invisible Deceleration”: A +0115s Threat


This new threat is not a brute-force hack. It is a surgical, next-generation attack known as Data Poisoning.


Imagine this: a threat actor, invisible to traditional firewalls, subtly “poisons” the training data for a critical machine-learning model. They don’t block your data; they skew it by a fraction of a percent.


This falsified data is fed into your most critical systems, including the tire degradation models, the fuel-flow sensors, and the Energy Recovery System (ERS) deployment algorithms. The ML models on the pit wall will still function, but they will be operating on a corrupted reality. They will be confidently and consistently wrong.


This is not a theoretical vulnerability. My analysis, which utilizes a functional prototype to model this exact attack, quantifies its impact.


A subtle data poisoning attack on the ERS control algorithms results in a consistent, undetectable performance degradation of +0.115 seconds per lap.


Quantified Risk: Single Data Poisoning Attack
Quantified Risk: Single Data Poisoning Attack

To a layman, this number is microscopic. To a Team Principal like Andrea Stella, it is a catastrophe.


Over a 60-lap race, the deficit is 6.9 seconds. Over a 24-race season, this “invisible deceleration” is the difference between winning the Constructors’ Championship and finishing third. It is a tens of millions of dollars problem, hidden in plain sight.


The Solution: Project Apex


You cannot defend against a threat you do not measure. And in Formula 1, the only unit of measurement that matters is lap time.


Traditional cybersecurity metrics—such as “alerts blocked” or “patches applied”—are useless to the pit wall. This is why I designed Project Apex. The solution is not another firewall; it is a new methodology that reframes security as a performance multiplier. 


At its core is a security-focused “digital twin” —a high-fidelity replica of the team’s entire data-to-decision pipeline. This is not a new concept for a team like McLaren, which already leverages simulation and digital twins to master performance and “close the loop” between virtual development and real-world testing. 


Project Apex applies this proven methodology to a new, unexploited domain.


The framework ingests live and historical telemetry, models the complex interplay between all 300+ sensors, and runs adversarial simulations (like the +0.115s attack) against the strategy models. It translates abstract risk into the only C-suite-level metric that matters: Championship Points at Risk.


The Project Apex Framework: From Risk to Lap Time
The Project Apex Framework: From Risk to Lap Time


The 2026 Arms Race Has Already Begun

As the 2025 season races to its high-stakes conclusion in Abu Dhabi, the battle for 2026 is not waiting for the checkered flag. It is being fought now, in the critical strategic window that coincides with the final Grand Prix.


While rivals are preoccupied with the known quantities of engines and aero, the new, asymmetric advantage lies in this invisible domain.


Mastering data integrity is the new “invisible front wing”—a decisive performance gain that is entirely legal and, for now, completely overlooked. The arms race has already begun.


About the Author

Timothy D. Harmon is an executive-level performance security strategist, CISSP, and data scientist with a Master’s from UC San Diego. He is a 360-degree motorsport professional, holding completed certifications from the University of Oxford Saïd Business School (Leadership Development), McLaren Racing (“Unleashing High-Performance Culture”), and Motorsport UK (“Registered Marshal”).


Connect with Timothy Harmon on LinkedIn to discuss the future of cyber-physical resilience in motorsport.


References

1. On F1 Data Volume and Car Complexity (1.5TB / 300+ Sensors):

  • Alteryx. (2024). McLaren Racing Fast-Tracks Data Analytics. Customer Story.

  • AWS. (2024). How does AWS fuel Formula 1?. AWS Sports.

  • Dell Technologies. (2024). The Competitive Edge with the McLaren Formula 1 Team.  

  • FormulaNerds. (2024). The Sensors That Tell F1 Engineers Everything They Need to Know.


2. On the 2026 Technical Regulations (Cyber-Physical Systems):

  • Fédération Internationale de l’Automobile (FIA). (2024). FIA unveils Formula 1 regulations for 2026 and beyond.

  • Fédération Internationale de l’Automobile (FIA). (2024). 2026 Formula 1 Technical Regulations.

  • Formula 1. (2024). EXPLAINED: 2026 aerodynamics regulations. Formula1.com.


3. On the Threat (Data Poisoning of Machine Learning Models):

  • National Institute of Standards and Technology (NIST). (2024). NIST Identifies Types of Cyberattacks that Manipulate Behavior of AI Systems.  

  • National Institute of Standards and Technology (NIST). (2023). AI Risk Management Framework (AI 100-1).

  • Poisoning Attacks and Defenses on Artificial Intelligence: A Survey. (2022). arXiv:2202.10276.  

  • A Taxonomy of Poisoning Attacks in Deep Learning. (2025). arXiv:2503.22759v1.


4. On the Quantification (+0.115s per lap):

  • This figure is the output of the Project Apex prototype. It is derived from primary analysis modeling a data poisoning attack on ERS deployment algorithms, using historical telemetry data ingested via open-source Python libraries (FastF1 or OpenF1).


5. On the Threat (Data Poisoning of Machine Learning Models):

  • McLaren Automotive. (2024). McLaren Automotive’s virtual development capabilities enhanced by state-of-the-art Dynisma Motion Generator™ simulator. McLaren Press.

  • Google Cloud. (2024). How to build a digital twin to boost resilience.  

  • Sandia National Laboratories. (2024). Evaluation of Digital Twin Modeling and Simulation.  

  • Brandefense. (2024). Digital Twins in Cybersecurity.

6. On the 2025 F1 Season Timeline :

  • Formula 1. (2025). FIA and Formula 1 announce calendar for 2025. Formula1.com.

  • RacingNews365. (2025). 2025 F1 Calendar | Schedule & start times.


7. On Author’s Credentials:

  • Harmon, T. (2025). Unleashing High-Performance Culture with McLaren Racing - Certificate of Completion. Udemy.

  • Harmon, T. (2025). Motorsport UK Registered Marshal Accreditation Course - Certificate of Completion. Motorsport UK Learning Hub.

  • Harmon, T. (2025). Motorsport UK Introduction to the role of Event Secretary - Certificate of Completion. Motorsport UK Learning Hub.

  • Harmon, T. (2025). Leadership Development - Certificate of Completion. Saïd Business School, University of Oxford & edX.

Comments

bottom of page