Why Building Resilience Must Be a Priority for the Aviation Sector

Rob Demain explores what airlines, airports and their suppliers need to do to avoid major operational disruption.

So far this year, the aviation sector has been buffeted by a series of major security incidents. First came a ransomware attack on Kuala Lumpur International Airport in March. Then Qantas Airways reeled from a damaging data breach across June and July. Now a cyber-attack on a supplier of software provider Collins Aerospace has triggered widespread disruption across some of Europe’s busiest airports.

Clearly, aviation is now firmly in the crosshairs of threat actors. It’s time to make cyber resilience a priority before something even more catastrophic occurs.

Back to pen and paper

According to Thales, there has been a 600% increase in cyber-attacks over the past year, with 27 separate incidents carried out by 22 different ransomware groups between January 2024 and April 2025. Why the surge?

“Airports and airlines sit at a critical intersection between digital infrastructure and physical mobility”

Airports and airlines sit at a critical intersection between digital infrastructure and physical mobility. It’s a position that makes them highly attractive targets. Whether driven by financial gain, geopolitical agendas, or ideological motives, attackers know the disruption they can cause is immense. Grounded planes and stranded passengers put significant pressure on operators.

This latest attack on Collins Aerospace achieved just that, with airlines and airports forced into contingency mode. Automated check-in and boarding systems were taken offline by attackers, with airports resorting to manual processes for check-ins and boarding.

Weak links in critical infrastructure

The Collins Aerospace incident highlights how interconnected supply chains and third-party vulnerabilities can significantly disrupt critical national infrastructure (CNI). It underlines the increasing need for far stronger oversight and resilience.

From airlines and airports to navigation systems and software suppliers, every link in the aviation chain is vulnerable to attack without specialist cyber defences in place. While manual fallback procedures can keep operations afloat they come at significant cost, both financially and operationally.

Collins Aerospace will be working diligently to contain the attack and limit its blast radius. Given its role as a major supplier to commercial aviation and the defence industry, the priority will be on ensuring it successfully identifies and addresses the entry point and ensures there is no further trace of the attacker in other areas of their IT infrastructure.

Its incident response team will be working with specialists to trace the attackers’ movements, remove them from the network and restore their systems. Detection speed, communication and customer management are all crucial aspects in that phase. However, this phase could take some time. The company’s check-in software, Muse, processes sensitive passenger data, including biometrics. Airlines, airports and their consumers will want full assurances that their systems are completely safe to use again before doing so.

A thorough investigation with digital forensics will also be required to determine what data may have been accessed or stolen by the attackers. It’s common for data theft to occur in such attacks as a precursor to ransomware, with Thales’s report revealing that 71% of incidents involve credential theft or unauthorised access to critical systems.

What happens next?

We must learn from this latest attack. For organisations throughout the aviation supply chain, there is a critical need to make cyber resilience a priority within business continuity and disaster recovery planning.

“Aviation is now firmly in the crosshairs of threat actors”

That doesn’t just mean regular data backups. Industry players must also focus on ensuring they have the right coverage across logs and telemetry – to quickly investigate attacks, contain them and successfully evict the adversary. It’s also imperative to have tested response playbooks in place, which means regular attack simulations and cross-supply chain tabletop exercises to highlight and rectify vulnerabilities before they are exploited by an attacker.

Organisations that can demonstrate rapid incident identification and clear escalation pathways are far better placed to minimise operational downtime, reputational damage and regulatory exposure. By treating cyber resilience as a core component of operational resilience, businesses can bounce back faster.

In an increasingly connected industrial landscape, the strength of critical systems depends on the robustness of each and every link.