.jpg?width=400&height=225&name=Evangelists-Martin%20Kraemer%20(1).jpg)
Blog post updated for clarity.
In late September 2025, several European airports reported significant delays and flight cancellations due to disruptions with their check-in and passenger systems. As a global leader in aviation technology and the backbone of passenger travel, protection of systems and customer operations is paramount for Collins Aerospace. Nonetheless, the vendor of the vMUSE check-in system had been hit by a ransomware attack.
ARINC error message: Source: Cyberplace.social
The organization operates ARINC AviNet, a virtual environment that hosts their ARINC vMUSE ground system for customers. Attackers exploited vulnerabilities in the ground system and its proprietary network, resulting in significant operational delays, reputational damage, and a loss of passenger trust. It is believed that the attackers accessed the shared AviNet network and subsequently encrypted portions of the ARINC Multi-User System Environment (vMUSE).
|
Airport |
Location |
|---|---|
|
London Heathrow |
United Kingdom |
|
Glasgow Airport |
United Kingdom |
|
Berlin Schönefeld |
Germany |
|
Dublin Airport |
Ireland |
|
Cork Airport |
Ireland |
|
Brussels Airport |
Belgium |
Strategic Lessons for Executives
Despite comprehensive regulations like NIS2, most organizations significantly underestimate the security risks stemming from a lack of visibility into their vendors' security posture. Vendor risk management is not merely a compliance checkbox but a strategic issue of resilience, as this incident demonstrates how a third-party ransomware attack can ripple across entire ecosystems.
The incident was likely a result of security negligence. Researchers discovered several outdated systems (IIS 8.5, Glassfish 2014, Oracle 2015, and end-of-life Cisco ASA devices) that presented predictable vulnerabilities for attackers. Legacy systems represent not just technical debt but also significant business continuity risks. Therefore, modernization programs and operational investments must be integrated.
The effort airports invest in continuity planning was evident as fallback procedures were successfully invoked. While fallback was available, it proved highly disruptive. When experts attempted to restore the software, they were most likely reinfected which is why it took such a long time to resolve. This highlights that detection, response and recovery must be considered a holistic process.
The incident clearly underscores the need to elevate cyber risk to the board level. The outage affected passenger experience, operational continuity, and brand reputation.
Strategic Imperatives
Supply chain security requires visibility, not just assurances, to mitigate the ripple effects when a vendor is compromised. Security assurance from vendors must evolve beyond simple checkbox exercises to in-depth analysis of their practices and configurations. Merely documenting compliance with ISO 27001, NIST and NIS2 will no longer suffice. As high-impact cyberattacks persist, organizations, especially those in critical infrastructure, will demand greater visibility and transparency from their vendors. When it comes to maintaining a country's operations, the focus must shift from minimizing liability to ensuring continuity.
In sectors where legacy systems are prevalent, rigorous legacy management is essential. For systems with unpatchable vulnerabilities, compensating controls must be implemented, and a phased retirement of high-risk systems must be planned. Legacy systems are common in critical infrastructure, often deemed essential for continued operations and complex to replace. Without proper monitoring and maintenance, outdated systems and missing patches will expose an organization's vulnerabilities.
Strengthening supply chain governance is a critical step forward. Organizations should map out dependencies, conduct joint exercises, and establish contractual obligations for security monitoring. Developing resilience by design is the optimal approach. Investments in redundancy, the development and testing of rapid recovery processes, and regular crisis simulations are valuable tools for organizational preparedness.
Conclusion
Critical infrastructure organizations must not over-prioritize liability reduction, which often gets incorrectly conflated with compliance requirements. Instead, nation states must incentivize business continuity and offer guidance and oversight to small and medium businesses that cannot afford to develop their own resilience functions. Incentives must be structured so that organizations perceive expensive cybersecurity investments as worthwhile, leading to greater risk reduction and fewer losses.
This approach is crucial for improving supply chain risk management in critical infrastructure, where adversaries are likely to exploit weaknesses. Policymakers must advocate for stronger regulatory oversight and shared responsibility models, particularly in aviation. Executives must view cybersecurity as a strategic business enabler, rather than a technical afterthought.
With KnowBe4 Defend you can:
