
This past weekend, airports across Europe, including Brussels, London Heathrow, and Berlin, were hit by a cyberattack that rippled far beyond the continent. Flight delays and cancellations cascaded into global travel disruptions, underscoring just how interdependent and fragile the aviation ecosystem has become.
The ripple effects were not limited to Europe. In the U.S., a telecommunications outage at Dallas–Fort Worth International and Love Field grounded more than 1,800 flights, stranding passengers across the country. While these incidents stemmed from different root causes, one cyber, the other telecom, they point to the same uncomfortable truth: aviation infrastructure is only as strong as its weakest link, whether digital or physical.
An Expansive Attack Surface
Airports are among the most complex operational environments in the world. They rely on a sprawling web of systems and extended Internet of Things (xIoT) devices, and if one is compromised, the impact can have serious safety, security, and operational implications.
Device Type | Function Delivered | Impact if Compromised |
---|---|---|
Passenger Check-In Kiosks (CUSS) | Self-service check-in, boarding pass, and baggage tag printing. | Long queues, flight delays, loss of passenger confidence. Potential data theft if manipulated. |
Common-Use Terminal Equipment (CUTE/CUPPS) | Airline/ground staff systems for check-in, boarding, and bag drop. | Disruption of multiple airlines simultaneously, cascading operational failures. |
Boarding Gate Readers | Scans boarding passes for passenger validation. | Boarding delays, potential for unauthorized access if bypassed. |
Baggage Handling Systems (BHS) | Sorts and routes passenger luggage to aircraft. | Misrouted or lost bags, operational delays, reputational damage. Safety risks if explosives/contraband are not screened properly. |
Explosive Detection Systems (EDS) / CT Scanners | Security screening of baggage for prohibited items. | Inability to screen baggage → flights grounded by regulation. National security exposure if bypassed. |
Passenger Screening Devices | Detects weapons and explosives on passengers. | Direct safety risk; failure can enable security breaches. |
Access Control & Badging Systems | Restricts staff access to secure zones. | Unauthorized personnel access to airside/critical zones. Insider threat amplification. |
CCTV / Video Surveillance | Monitoring of terminals, baggage areas, and airfield perimeters. | Loss of visibility; delayed incident detection and response. Privacy/data exposure if feeds are exfiltrated. |
Building Management Systems (BMS) | Environmental controls in terminals and hangars. | Discomfort, operational disruptions, potential cascading failures (e.g., fire suppression disabled). |
Perimeter Intrusion Detection | Detects unauthorized entry at perimeter fences/runways. | Blind spots for physical intrusion; regulatory compliance violations. |
Airfield Lighting Control Systems (AFL/ALCMS) | Runway/taxiway lighting management for aircraft movement. | Severe safety risk: misdirected aircraft, grounding flights. |
Aircraft Docking Guidance Systems (VDGS) | Guides aircraft into gate positions. | Increased risk of ground collisions and delays. |
SCADA Systems for Fueling & Power | Control fueling pumps, hydrants, and electrical distribution. | Safety hazards, service outages, and possible environmental spills. |
Passenger Wi-Fi and IoT Sensors | Passenger experience, flow management, retail analytics. | Limited direct ops impact, but sensitive data leakage and an entry point for attackers. |
Digital Signage & Flight Information Display Systems (FIDS) | Displays flight, gate, and safety information. | Passenger confusion, misdirection, and reputational damage. Potential for disinformation if hijacked. |
Many of these systems are supported by third-party vendors and suppliers. While essential for efficiency, this interconnectedness creates an expansive attack surface. A vulnerability in a single supplier or unmanaged device can escalate into widespread disruption across multiple airports, precisely what we saw in Europe.
Spotlighting Security Hygiene Across Connected Devices
Security hygiene in aviation xIoT means more than audits or contractual oversight. It requires active defense:
- Active discovery and vulnerability assessment across all connected devices and systems.
- Automated remediation to eliminate weak links, such as outdated firmware, default/reused credentials, and risky configurations.
- Continuous monitoring to detect device drift and isolate rogue or suspicious systems in real time.
Unlike in other industries, downtime in aviation reverberates instantly across economies and societies. Attackers understand this leverage and will continue to exploit it.
IoT, OT, and the Unmanaged Device Challenge
Many devices airports rely on fall into the unmanaged device category: IoT, OT, and cyber-physical systems that traditional IT tools were never designed to protect.
- They use diverse, proprietary protocols that evade legacy profiling methods.
- They often run outdated firmware with no clear patch path.
- Default credentials and reused passwords are widespread.
- Risky configurations (FTP, SSH, Telnet enabled by default) are common.
- Some devices even ship with manufacturer-installed backdoors, are banned by the U.S., and are the subject of warnings from allied governments.
This makes them prime targets for attackers.
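As an added illustration (not Phosphorus code or part of the original post), the hygiene and drift checks described above can be expressed as a comparison of an approved baseline inventory against the latest scan. The device names, record fields and issue labels are hypothetical, and the snapshots are constructed sample data.

```python
# Constructed snapshots: device names, fields and values are hypothetical sample data.
RISKY_SERVICES = {"ftp", "ssh", "telnet"}  # services the article names as risky defaults

BASELINE = {
    "fids-gate-12": {"firmware": "2.4.1", "services": {"https"}, "default_creds": False},
    "bhs-plc-03": {"firmware": "1.0.7", "services": {"ssh"}, "default_creds": False},
    "cctv-t2-044": {"firmware": "5.2.0", "services": {"https", "rtsp"}, "default_creds": False},
    "vdgs-stand-07": {"firmware": "3.1.0", "services": {"https"}, "default_creds": False},
}
CURRENT = {
    "fids-gate-12": {"firmware": "2.4.1", "services": {"https", "telnet"}, "default_creds": False},
    "bhs-plc-03": {"firmware": "1.0.7", "services": {"ssh"}, "default_creds": True},
    "cctv-t2-044": {"firmware": "5.2.0", "services": {"https", "rtsp"}, "default_creds": False},
    "unknown-ap-01": {"firmware": "unknown", "services": {"ftp", "http"}, "default_creds": True},
}


def audit(baseline, current):
    """Return {device: [issue, ...]} for every device with at least one issue."""
    report = {}
    for name in sorted(current):
        dev, base = current[name], baseline.get(name)
        issues = []
        if base is None:
            issues.append("rogue:not-in-baseline")
        else:
            # Drift: anything that changed since the approved baseline.
            for svc in sorted(dev["services"] - base["services"]):
                issues.append(f"drift:service-enabled:{svc}")
            if dev["firmware"] != base["firmware"]:
                issues.append(f"drift:firmware:{base['firmware']}->{dev['firmware']}")
        # Hygiene: flagged whether or not it is new.
        for svc in sorted(dev["services"] & RISKY_SERVICES):
            issues.append(f"risky-service:{svc}")
        if dev["default_creds"]:
            issues.append("default-credentials")
        if issues:
            report[name] = issues
    # Devices that were approved but no longer answer also need a look.
    for name in sorted(set(baseline) - set(current)):
        report[name] = ["missing:not-seen-in-current-scan"]
    return report


if __name__ == "__main__":
    for device, issues in audit(BASELINE, CURRENT).items():
        print(device, issues)
```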
Compliance Is Raising the Bar
Cybersecurity in aviation is no longer optional; it’s mandated. Airports must now align with evolving regulatory frameworks, including:
- ICAO Annex 17 (Security): Requires member states to integrate cybersecurity, including xIoT, into national aviation security programs.
- EU NIS2 Directive: Compels airports to secure xIoT devices through stronger risk management, supply chain controls, and incident reporting.
- TSA Security Directives (U.S.): Mandate airports and airlines to implement vulnerability management, access controls, and monitoring across IT, OT, and xIoT systems.
- CISA KEV Catalog & Directives: Compel remediation of actively exploited vulnerabilities, including those impacting unmanaged xIoT devices in critical infrastructure.
- NIST Cybersecurity Framework & ISO 27001: Provide structured best practices for identifying, protecting, and managing risks across xIoT and other connected systems.
These regulations share a common theme: airports must secure and monitor their xIoT environments. Compliance and resilience are now inseparable.
Risk-Tiering Airport Devices
To manage risk effectively, airports should categorize devices into criticality tiers:
High-Criticality:
ATC communications, radar, runway lighting, explosive detection, restricted access control. Compromise here endangers lives and halts operations.
Medium-Criticality:
Baggage handling PLCs, HVAC, flight displays, biometric gates, CCTV. Attacks disrupt operations and reputation.
Low-Criticality:
POS, public Wi-Fi, elevators, water pumps. Indirect impact, but common attacker entry points.
Adding Context with KEV and EPSS
Inventory and tiering are just the beginning. Airports also need to know which vulnerabilities matter right now.
FIRST’s Exploit Prediction Scoring System (EPSS):
Provides a probability score for how likely a vulnerability is to be exploited in the next 30 days.
CISA’s Known Exploited Vulnerabilities (KEV):
Identifies flaws already being exploited in the wild. For unmanaged devices, KEV highlights vulnerabilities that cannot wait.
A CVSS 7.5 vulnerability with a 65% EPSS score may pose more danger than a CVSS 9.8 with a 0.1% EPSS score, especially when vendor patching is slow.
Together, KEV and EPSS transform vulnerability management from overwhelming to actionable.
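The following added example (not from the original post or the Phosphorus Platform) shows one way to combine the criticality tiers with KEV and EPSS into a remediation order, and contrasts it with a CVSS-only ranking. The tier weights, the KEV-first rule, the device names and the CVE identifiers are assumptions; the identifiers are placeholders and the findings are constructed sample data.

```python
from dataclasses import dataclass

TIER_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed weights, not from the article


@dataclass(frozen=True)
class Finding:
    cve: str     # placeholder identifier, not a real CVE
    device: str  # hypothetical device name
    tier: str    # criticality tier of the affected device
    cvss: float
    epss: float  # probability of exploitation in the next 30 days, 0..1
    kev: bool    # listed in CISA's KEV catalog

    def __post_init__(self):
        if self.tier not in TIER_WEIGHT:
            raise ValueError(f"unknown tier: {self.tier}")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError("EPSS must be a probability between 0 and 1")


# Constructed findings; the 7.5/65% and 9.8/0.1% pair mirrors the article's comparison.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", "alcms-ctrl-1", "high", 9.8, 0.001, False),
    Finding("CVE-PLACEHOLDER-B", "bhs-plc-03", "medium", 7.5, 0.65, False),
    Finding("CVE-PLACEHOLDER-C", "pos-retail-9", "low", 6.5, 0.20, True),
    Finding("CVE-PLACEHOLDER-D", "eds-ct-2", "high", 8.1, 0.30, False),
]


def priority_key(f):
    # Known-exploited first, then EPSS weighted by device tier; CVSS only breaks ties.
    return (not f.kev, -f.epss * TIER_WEIGHT[f.tier], -f.cvss)


def rank(findings):
    """Remediation order using KEV, EPSS and device tier."""
    return [f.cve for f in sorted(findings, key=priority_key)]


def rank_by_cvss(findings):
    """Severity-only order, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    print("KEV/EPSS/tier:", rank(FINDINGS))
    print("CVSS only:    ", rank_by_cvss(FINDINGS))
```

With this sample data the two orderings are exact reverses of each other: the KEV-listed finding on a low-criticality device moves to the top, and the CVSS 9.8 finding with a 0.1% EPSS score drops to the bottom.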
From Overwhelmed to Resilient
Traditional IT security tools safeguard servers and endpoints, but they cannot protect the diverse cyber-physical systems that underpin modern airports. We created the Phosphorus Platform to take aviation security teams from overwhelmed to resilient.
Resilience requires the ability to:
- Find and assess every device safely and precisely, building a risk profile enriched with KEV/EPSS context.
- Fix vulnerabilities automatically, rotating passwords, patching firmware, and closing risky configurations without disrupting airport operations.
- Manage continuously, ensuring misconfigurations, rogue systems, and vendor supply chain exposures are addressed in real time.
A Call to Action for Aviation Leaders
The European cyberattack and U.S. outage are wake-up calls. Aviation must address its entire attack surface with the same urgency as physical safety. Just as airports enforce strict access controls on runways, they must apply the same rigor to the digital systems and devices that keep planes moving.
Attackers will continue probing for weak links, and regulators are raising expectations. The only way forward is to close those gaps before they are exploited.
At Phosphorus, we help aviation leaders find, fix, and manage every connected device across their environments with the intelligence needed to stay both secure and compliant.
Contact us for a demo to see how Phosphorus helps airports secure every device in their ecosystem.

Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.