AW4 2025 INNOVATION SAFETY & SECURITY

Navigating cyber threats

Natalie Forrestill from AtkinsRéalis outlines how airports are responding to a raft of cyber regulations globally, addressing legacy systems and bolstering their supply chains.

Airports worldwide are under mounting pressure to boost their cyber resilience as governments sharpen regulations on critical infrastructure.

In fact, since 2022 there has been a surge of new cybersecurity mandates for the aviation sector in major jurisdictions.

In the United States, authorities rolled out mandatory cyber measures for airports – from faster incident reporting to isolating critical systems – via Transportation Security Administration (TSA) directives.

Australia likewise expanded its security laws to include aviation, requiring airports to implement cyber risk management and incident reporting as part of operating critical infrastructure.

In Europe, the EU’s Network and Information System Directive 2 (NIS2) compels airports to establish comprehensive cyber risk programmes, adhere to strict 24-hour and 72-hour breach notifications, and enforce stronger supply chain security controls.

These obligations are mirrored in the UK’s forthcoming Cyber Security & Resilience Bill. In many cases, these rules broaden their scope to include smaller airports and threaten heftier fines for non-compliance.

This global regulatory momentum is reinforced by international aviation bodies (ICAO, ACI, IATA), which are simultaneously urging stronger cyber defences in aviation.

All these efforts reflect heightened concern for cyber threats to critical airport systems – especially operational technology (OT) and complex supply chains that keep airports running.

AtkinsRéalis frequently carries out formal cyber assessments of OT systems for several global airports – including baggage, traffic, lighting and heating systems – and these have revealed a number of common themes that highlight the unique challenges airports face in managing legacy infrastructure and evolving cyber threats.

Operational technology: critically overlooked?

Despite growing preparedness for cyber threats, many airports are still evolving their understanding of which systems should be considered ‘critical’ from a cyber resilience perspective.

This is often shaped by legacy regulatory frameworks and a historical emphasis on IT systems, which has inadvertently led to OT being under-prioritised.

Often, organisations begin by assessing systems already known to fall under existing regulations, then gradually expand their scope to apply lessons learned and extend good practices across other systems.

Some of the recurring themes we saw in our assessments suggest that OT systems are not always formally recognised as ‘critical’, not due to neglect but because OT systems are ‘part of the furniture’.

These systems – often decades old – may lack current documentation, and essential knowledge about them is frequently held by just a few individuals.

COVID-19 and broader economic shifts have also contributed to the loss of in-house expertise, while some suppliers may have ceased operations or no longer support the equipment.

This makes it challenging to build a picture of these systems: how they work and what they are connected to.

OT systems in situ tend to be older or specialist systems that have fewer security measures designed in, or do not support the newer security features of modern software and firmware. This leaves airport operators with a choice: either replace vast swathes of infrastructure at enormous expense, or manage the risk and implement other controls, such as restricted physical access or stronger incident response and recovery procedures, to mitigate damage.

Although the IT sector has made significant strides in cybersecurity controls and their widespread application, translating these principles to OT environments remains complex.

We’ve seen organisational policies and cyber teams attempt to apply IT-centric approaches to OT with limited success. Take patching, for example: IT undertakes this frequently, but it is not always feasible in OT due to high availability requirements and the need for rigorous testing before deployment.

Risks and consequences

These challenges give rise to several recurring risks across OT environments, such as:

– Limited asset visibility: Without a comprehensive view of assets and their vulnerabilities, unknown assets and vulnerabilities may remain on the network, creating exploitable gaps.

– Unclear network boundaries: Poor understanding of how systems interconnect can allow attackers to move laterally across other systems, escalating the impact of the breach.

– Supply chain exposure: Legacy contracts and unmanaged supplier relationships often lack modern security provisions, leaving systems vulnerable to third-party compromise.

The consequences are far more than theoretical. A cyber breach could lead to wide-scale disruption – extinguishing runway lights, halting baggage flow, or interfering with boarding pass scanners.

In 2024, Seattle-Tacoma International Airport suffered a cyber attack that affected its internet connectivity, display systems and baggage sorting operations, resulting in over 400 delays and cancelled flights.

Although UK airports have not faced a comparable cyber attack, incidents such as the power outage at Heathrow and IT disruption at Stansted in 2025 are a reminder of the consequences when critical systems are disrupted.

A helicopter view

To stay ahead of both regulatory developments and evolving cyber threats, airports must adopt a strategic, integrated approach to securing OT and supply chain systems.

Rather than working on a system-by-system basis, where dependencies are often overlooked, operators should focus on understanding their systems collectively and how they interact.

Adopting a cross-cutting, ‘systems of systems’ approach will enable airports to gain better insight into their cybersecurity posture and identify the highest and most commonly shared risks across their estate, which can then be tackled holistically.

This not only improves resilience but also delivers greater value for investment.

A robust OT cybersecurity strategy must be developed alongside the IT security frameworks, ensuring alignment while recognising the distinct requirements of each domain.

This includes processes to manage the supply chain throughout the life of any asset – from procurement to decommissioning.

Embedding this approach into organisational policies, standards, and cybersecurity training is essential.

Upskilling operational teams in cybersecurity and, conversely, IT professionals in the nuances of OT will help to bridge the gap, foster a culture of cyber resilience and reap long-term benefits.

By proactively addressing the cyber risks associated with legacy OT systems and supply chain dependencies, operators can strengthen their defences, reduce exposure to regulatory penalties, and safeguard the continuity of operations and passenger safety.

About the author

Natalie Forrestill is a senior cybersecurity consultant at AtkinsRéalis.