Airport Cyber Attacks & Incident Response
Airport Cyber Attacks: Lessons from Brussels, Heathrow & Beyond (2017–2025)
SOURCE: Trescudo Intelligence • Author: Evangeline Smith, MarCom • September 22, 2025
Executive Summary
Airports face three recurring cyber risk patterns: vendor/supply-chain compromises (shared check-in/boarding platforms), DDoS on public websites, and local ransomware or data-handling failures. The Sept 19–22, 2025 Collins Aerospace MUSE incident exposed concentration risk across Brussels, Heathrow, Berlin, and Dublin, forcing manual check-in, queues, and cancellations, while flight safety remained unaffected. Strong, rehearsed incident response and supplier governance are now essential to airport operations under EU NIS2 and UK guidance. (Reuters)
Case Files: Europe’s Most Prominent Airport-Level Incidents
1) 2025: Collins Aerospace (MUSE) supply-chain cyberattack → multi-airport disruption
What happened: A cyberattack hit Collins Aerospace’s MUSE check-in/boarding software late Fri, Sept 19. Airports fell back to manual processing; kiosks/bag-drops were unreliable. (The Guardian)
Who/where: Brussels cancelled 40–60 flights on Monday; Heathrow warned of persistent check-in delays; Berlin (marathon weekend) faced long queues; Dublin saw limited residual impact. ENISA confirmed the cyberattack; Collins said fixes were in final stages. (Reuters)
Why it matters: A single third-party platform impacted multiple hubs simultaneously—concentration risk in critical passenger-processing. (UK NCSC is coordinating with Collins/airports.) (The Guardian)
Incident response takeaway: Treat shared CUTE/CUPPS/MUSE stacks (Common Use Terminal Equipment / Common Use Passenger Processing Systems and their vendor implementations) as Tier-1 dependencies: require vendor IR SLAs, offline/contingency check-in procedures, and tabletop exercises with airlines and ground handlers.
2) 2023: DDoS on German airport websites (Killnet)
What happened: Pro-Russian Killnet hit multiple German airport websites with DDoS after geopolitical triggers. (Reuters)
Impact: Public websites went offline intermittently; airport services and flight safety were not affected, per Germany's federal cyber agency BSI.
IR takeaway: Separate public web from ops networks; keep scrubbing/CDN on standby; pre-write comms that clarify “flights operational.”
3) 2024: DDoS on Milan Linate & Malpensa websites (NoName057(16))
What happened: Late Dec 2024 DDoS briefly knocked Milan’s airport sites offline; operations continued. (Reuters)
IR takeaway: Website resilience and rapid status messaging reduce passenger confusion even when ops are normal.
4) 2018: Bristol Airport (UK) ransomware on flight-info displays (FIDS)
What happened: Ransomware blacked out FIDS for ~2 days; airport switched to whiteboards; no ransom paid. Flights continued. (Dark Reading)
IR takeaway: Segment signage; maintain gold images and immutable backups; rehearse paper ops.
5) 2017: Heathrow Airport data-handling failure (USB)
What happened: An employee lost an unencrypted USB stick containing sensitive information; the ICO fined Heathrow £120,000 under the pre-GDPR regime (Data Protection Act 1998). (Reuters)
IR takeaway: Basics matter: device control, encryption, and training. According to reports of the ICO findings, only about 2% of staff had received data-protection training at the time. (Reuters)
6) 2017: Ukraine airports amid NotPetya wiper outbreak
What happened: Boryspil/Kyiv and other entities were disrupted during NotPetya’s spread. (Wikipedia)
IR takeaway: Nation-state-grade malware can spill over into civil aviation; prioritize segmentation and tested recovery.
Adjacent supply-chain: Swissport ransomware (2022)
What happened: Ground-handling giant Swissport suffered ransomware; Zurich saw ~22 flights delayed by 3–20 minutes; later reporting linked AlphV/BlackCat. (Reuters)
IR takeaway: Airport partner ecosystems (handlers, fueling, baggage, catering) are part of your airport incident response scope.
Patterns We See (and How to Prepare)
Vendor/Platform Concentration Risk
Shared check-in/boarding platforms create systemic single points of failure. Require:
Contractual IR SLAs with time-bound restore objectives; joint IR runbooks; quarterly tests.
Operational fallbacks: manual check-in, offline boarding pass issuance, paper bag tags, pre-staged equipment. (Reuters)
DDoS ≠ CAT-1 Ops Failure (usually)
Most DDoS activity hits public-facing websites; operations are unaffected if networks are segmented and CDN/scrubbing capacity is ready. Keep a pre-approved comms template. (Reuters)
Local Ransomware on Non-Safety Systems
FIDS/signage and other ancillary IT can still degrade the passenger experience; keep gold images, immutable backups, and air-gapped restore drills. (Dark Reading)
EU/UK Regulatory Lens
EU NIS2: air transport (including airport managing bodies and ATC providers) is in scope; entities must implement risk management measures and incident response capabilities. Member states were required to transpose the directive by 17 October 2024; see ENISA guidance and national transposition status. (Digital Strategy EU)
UK: follow NCSC operational guidance; for incidents affecting UK airports or suppliers (e.g., Collins), NCSC coordinates with industry and law enforcement. (NCSC)
Airport Incident Response Playbook (Field-Ready)
Objective: preserve safety & throughput while containing the cyber event.
Before an incident
Supplier IR integration: Joint war-room procedures with platform vendors (CUPPS/CUTE/MUSE), named contacts, and escalation ladders.
Minimum viable ops offline: rehearsed manual check-in, handheld scanners, offline boarding pass printing, local baggage tag stock.
Network segmentation: strict separation of ops tech, passenger-facing IT, signage, and public web; default-deny east-west.
Backup & recovery: immutable backups of mission-critical apps (DCS/CUPPS interfaces, FIDS), restore drills (RTO/RPO documented).
People & comms: crisis comms templates (airlines, ANSP/ATC, ground handlers, passengers, media); trained spokespeople.
During an incident
Triage & containment: isolate affected subnets/endpoints; activate vendor bridge; enable manual processing lanes to keep departures moving.
Situational awareness: status page + terminal signage messaging; publish realistic queue/arrival guidance; keep ATC/ANSP informed even if not impacted.
Evidence & reporting: retain logs and disk/memory images; notify the national CSIRT/competent authority within the NIS2 timelines (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month), plus airlines and handlers; document decisions as they are made.
After action
Root-cause & hardening: review supplier controls, credentials, and remote access; re-baseline segmentation and zero-trust policies.
Tabletop refresh: incorporate lessons from Brussels/Heathrow 2025 scenario—simulate multi-day fallback ops. (The Guardian)
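Two of the playbook items above are checkable in code: "default-deny east-west" segmentation (before an incident) and isolating an affected endpoint without cutting off the forensic/management path (during an incident). The following script is an added example written for this article, not Trescudo's or any vendor's tooling. The zone map, the allow-list, the flow-log format and the sample log lines are all constructed for illustration; the quarantine rules assume an nftables table `inet filter` with a `forward` chain already exists and are returned as text for review rather than applied.

```python
"""Segmentation audit and host-quarantine helper (constructed example).

audit() reads firewall/flow-log lines and flags any ALLOWed cross-zone flow
that is not in the explicit east-west allow-list, i.e. a place where the
"default-deny east-west" policy is not actually enforced.
isolation_rules() emits nftables rules that quarantine one host while keeping
the management subnet reachable for evidence collection.
"""
import ipaddress
from collections import namedtuple

# Constructed zone map, one entry per segment named in the playbook.
ZONES = {
    "public_web": [ipaddress.ip_network("203.0.113.0/24")],  # DMZ web tier
    "pax_it":     [ipaddress.ip_network("10.10.0.0/16")],    # check-in, kiosks, CUPPS/MUSE clients
    "signage":    [ipaddress.ip_network("10.20.0.0/16")],    # FIDS displays
    "ops_tech":   [ipaddress.ip_network("10.30.0.0/16")],    # DCS interfaces, baggage handling
    "mgmt":       [ipaddress.ip_network("10.99.0.0/24")],    # jump hosts, backup/forensics
}

# Default-deny east-west: only these (src_zone, dst_zone, dst_port) tuples may be ALLOWed.
ALLOWED = {
    ("pax_it", "ops_tech", 443),   # check-in clients to DCS API (assumed)
    ("signage", "pax_it", 443),    # FIDS pulls flight data feed (assumed)
    ("mgmt", "pax_it", 22),
    ("mgmt", "signage", 22),
    ("mgmt", "ops_tech", 22),
}

Flow = namedtuple("Flow", "src dst port action")

# Constructed flow-log lines: "<ts> src=<ip> dst=<ip> dport=<n> action=ALLOW|DENY"
SAMPLE = [
    "2025-09-20T02:11:04Z src=10.10.4.21 dst=10.30.1.5 dport=443 action=ALLOW",    # in policy
    "2025-09-20T02:11:09Z src=10.20.7.3 dst=10.30.1.5 dport=445 action=ALLOW",     # signage -> ops SMB
    "2025-09-20T02:11:12Z src=203.0.113.10 dst=10.10.4.21 dport=3389 action=ALLOW",  # DMZ -> pax RDP
    "2025-09-20T02:11:15Z src=10.10.4.21 dst=10.10.4.22 dport=445 action=ALLOW",    # intra-zone
    "2025-09-20T02:11:20Z src=10.20.7.3 dst=10.30.1.5 dport=445 action=DENY",      # policy working
    "2025-09-20T02:11:25Z src=192.0.2.44 dst=10.30.1.5 dport=22 action=ALLOW",     # unmapped source
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is not in ZONES."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed-format log line into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["action"])


def audit(lines):
    """Return [(line, reason)] for ALLOWed flows that violate the east-west policy."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f.action != "ALLOW":
            continue  # a DENY is the policy doing its job
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside the east-west policy
        if "unknown" in (src_zone, dst_zone):
            findings.append((line, f"{src_zone}->{dst_zone}:{f.port} involves unmapped address"))
        elif (src_zone, dst_zone, f.port) not in ALLOWED:
            findings.append((line, f"{src_zone}->{dst_zone}:{f.port} allowed but not in policy"))
    return findings


def isolation_rules(host, forensic_nets=("10.99.0.0/24",)):
    """nftables rules (as text) quarantining `host`: keep the forensic/management
    subnets reachable in both directions, then drop everything else. Assumes a
    table 'inet filter' with chain 'forward'; apply with `nft -f` after review."""
    rules = []
    for net in forensic_nets:
        rules.append(f"add rule inet filter forward ip saddr {host} ip daddr {net} accept")
        rules.append(f"add rule inet filter forward ip saddr {net} ip daddr {host} accept")
    rules.append(f"add rule inet filter forward ip saddr {host} drop")
    rules.append(f"add rule inet filter forward ip daddr {host} drop")
    return rules


if __name__ == "__main__":
    for line, reason in audit(SAMPLE):
        print("VIOLATION:", reason, "|", line)
    print("\n".join(isolation_rules("10.20.7.3")))
```

Run the audit against a day of flow logs from the inter-zone firewall before the tabletop, not during it: every finding is either a missing allow-list entry (document it) or a hole in the segmentation (close it). The quarantine rules deliberately keep the management subnet reachable so the host can still be imaged for the evidence step.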
How Trescudo Helps Airports & Aviation Partners
Airport Incident Response Readiness: gap assessment + joint supplier runbooks and quarterly simulations (CUPPS/CUTE/MUSE).
NIS2 “Beyond Compliance” for airport managing bodies and handlers: control mapping, board metrics, regulator-ready reporting. (ENISA)
Operational Resilience Engineering: segmentation for FIDS, DCS, bag-handling; gold-image & restore pipelines; DDoS/business-continuity plans.
24/7 MDR/XDR with aviation runbooks: rapid isolation without blocking critical workflows.
Sources / Further Reading
Multi-airport disruption (Sept 19–22, 2025): Guardian, Reuters; ENISA confirmation; NCSC statement. (The Guardian)
German airport website DDoS (Killnet, 2023): Reuters; Dark Reading; MSSP Alert. (Reuters)
Milan airports DDoS (Dec 2024): Reuters. (Reuters)
Bristol FIDS ransomware (2018): Dark Reading; The Hacker News; CSO Online; reports of whiteboard fallback. (Dark Reading)
Heathrow USB data breach (2017→ICO fine 2018): Reuters; BankInfoSecurity; Compliance Week. (Reuters)
NotPetya impact on Ukrainian airports (2017): Wikipedia summary; S-RM analysis. (Wikipedia)
NIS2 scope & guidance: European Commission page; ENISA technical guidance; transposition tracker (ECSO). (Digital Strategy EU)
CTA: Want an airport-grade incident response tabletop (Collins/MUSE scenario) or a 10-point NIS2 readiness scan? Drop “IR READY” and we’ll schedule a 30-minute briefing.