Airport disruption after cyber-attack – expert commentary

Major European airports, including Heathrow, were thrown into chaos over the weekend as thousands faced delays and cancellations after a major cyber-attack. Airlines were forced to check passengers in manually after the attack hit systems used for check-in and boarding, causing hours-long queues on Saturday (20 Sept). Two of our experts share their thoughts.

Dr Junade Ali, Fellow and cyber expert at the Institution of Engineering and Technology said: “The cyberattack on Heathrow and other airports was rooted in a supply-chain attack, which targeted the MUSE check-in/boarding software. Supply-chain cyberattacks work by targeting the third-party technology used by critical national infrastructure. In this case, the attacks targeted technology used by Collins Aerospace. Defenders of cyberattacks face an asymmetric fight, whilst they must address every threat, an attacker need only succeed once.

“It is currently unknown what the specific attack vector is or who can be attributed to the attack; however, legislation like the NIS Regulations will require reporting of the details of such attacks to regulators. It is unclear if any data was compromised, for example through using ransomware which encrypts files to extort money or if it was simply a denial-of-service attack - which would overwhelm the system externally so it cannot operate normally. A March 2023 report from the European Union Agency for Cybersecurity has found ransomware to be the most common type of cyberattack conducted on transportation infrastructure in recent years.

“Initial service restoration could occur within hours to days, however, a forensic investigation of the cause may take much longer. British Airways is reportedly using fallback protocols to prevent interruption of service, and this highlights the need for resilient systems which can adapt to failures whilst maintaining safety and security.

“In a world where technology is ever more complex, cybersecurity remains at the heart of mitigating risk. Key to mitigating this risk is having robust security and resilience built in.”

Rimesh Patel, former Chair of Institution of Engineering and Technology’s Central London Network and Independent Cyber Specialist said: “Organisations across all industries have been making concerted efforts to optimise cyber resilience across their business operations. However, this alleged Collins Aerospace cyber incident serves as a stark reminder of the critical need to secure not just internal systems, but also the supply chain. This incident highlights a growing vulnerability: supply chain attack vectors now require the same level of diligence as those dedicated to protecting organisational-specific cyber controls. Failure to address these risks, even lower priority ones could result in far-reaching consequences, with the potential to disrupt both horizontally and vertically across entire ecosystems and civilian lifestyles.

“For those suppliers considered part of the UK’s Critical National Infrastructure (CNI), it is imperative that they apply the principles of 'Risk Tolerate, Treat, Transfer, and Terminate' with a cyber-first approach. Reactive cybersecurity controls are no longer sufficient as a baseline for operations. Proactive measures, such as continuous monitoring, advanced threat detection, and rapid incident response, are now non-negotiable for maintaining business continuity and security.

“For our European counterparts, the implementation of the NIS2 Directive is an essential step in strengthening cybersecurity across critical sectors. In the UK, our equivalent of the Cyber Security and Resilience Bill, introduced in the King’s Speech on 17 July 2024, continues to challenge all industries to strengthen their cybersecurity frameworks and adopt more resilient practices across their operations.

“To embed cyber resilience into business operations, organisations can proactively test their supplier upstream systems and applications, perform regular cyber tabletop exercises aligned with their specific risk profiles, to help identify vulnerabilities before they become threats. Proactive cybersecurity is now an ongoing priority, not a reactive measure.

“As we come to Cyber Security Awareness month (in October), UK industries should be celebrating their resiliency efforts and not excelling in hindsight lessons learned. We will only have two reminders, one from our alert-monitoring systems another from the attackers themselves.”

 
ENDS

Notes to Editor

About the IET

• We inspire, inform and influence the global engineering community to engineer a better world.     
• We are a diverse home for engineering and technology intelligence throughout the world. This breadth and depth means we are uniquely placed to help the sector progress society.     
• We want to build the profile of engineering and technology to change outdated perceptions and tackle the skills gap. This includes encouraging more women to become engineers and growing the number of engineering apprentices.    
• Interview opportunities are available with our spokespeople from a range of engineering and technology disciplines including cyber-security, energy, engineering skills, innovation, manufacturing, technology, transport and diversity in engineering.    
• For more information, visit www.theiet.org.    
• Follow the IET on LinkedIn, Facebook and Instagram via @TheIET / @InstitutionofEngineeringandTechnology.    

Media enquiries to:

Rebecca Gillick
External Communications & PR Lead
E: rgillick@theiet.org