Not Cleared for Takeoff: Aviation’s OT Cybersecurity Problem

Nov 26, 2025

Introduction

International aviation relies on systems built for reliability in closed networks, not for threat resistance in interconnected environments. A compromised air traffic control system doesn’t just delay flights; it necessitates manual routing, reduces capacity, and can ground entire regions until the threat is cleared. The sector now faces threats its legacy foundations were never designed to withstand—a reality that becomes glaringly clear once you examine the complexity of modern aviation’s digital systems.

Modern Aviation’s Digital Framework

The aviation industry depends on a wide range of interconnected systems, many of which were built independently and don’t natively interoperate. Airport resource allocation, including arrivals and departures scheduling, relies on an Airport Operational Database (AODB) and a Departure Control System (DCS). Baggage handling depends on its own mix of barcode scanners and tracking tools. Complex air traffic control, GPS, communication, and passenger check-in systems all need to synchronize across international networks. When any one of these systems fails, the effects cascade quickly.

These systems operate in shared IT-OT environments that were never built to defend against modern cyber threats. Legacy architectures, vendor-specific integrations, and siloed operational teams create both known and unknown vulnerabilities. Many aviation systems are decades old and maintained by vendors that no longer exist, leaving operators with unpatchable equipment and no clear upgrade path. At the same time, airport access-control infrastructure must authenticate thousands of daily transitions between public and restricted zones, increasing the number of exposed endpoints. The result is a patchwork of interdependent systems with multiple points of failure. Because airports are part of national critical infrastructure, a breach represents more than operational disruption—it can escalate into a national-level security risk. Recent events show how quickly these weaknesses can be exploited.

Recent Attacks

August 2024: Rhysida ransomware hit Seattle-Tacoma International Airport. Digital displays, check-in systems, and baggage handling went down. Flights continued but employee data was exposed—approximately 90,000 individuals had personal information compromised, including Social Security numbers and medical records. Staff were forced to revert to manual processes, handwriting boarding passes and physically sorting luggage.¹

March 2024: Liverpool John Lennon Airport’s website was targeted by the “Anonymous Collective,” a hacktivist group citing political motivations related to UK foreign policy. The DDoS attack caused intermittent website disruption, demonstrating how smaller airports with limited security budgets become accessible targets.²

Legacy systems, fragmented oversight, and IT-OT silos create exploitable blind spots. What’s worse, nation-state actors and ransomware groups are aware of this and are now deliberately targeting aviation OT.

Cybersecurity Regulations

As aviation cyber threats grow, regulators around the world are responding with new rules and compliance standards. Though stricter cybersecurity requirements will raise the industry’s overall resilience, they also create new operational and financial hurdles. Airlines and airports now have to navigate a complex and expanding set of cybersecurity frameworks, each with its own demands and reporting standards.

  1. ICAO (International Civil Aviation Organization): Established by the United Nations, this specialized agency sets global standards for civil aviation and works with member states to maintain uniform practices across international air travel. Its Aviation Cybersecurity Strategy outlines ICAO’s vision for securing global aviation and urges each country to develop national aviation cybersecurity strategies and implement appropriate risk-management frameworks.
  2. IATA (International Air Transport Association): Formed by the global airline industry, IATA develops operational standards and best practices for safe and efficient air transport. Its cybersecurity initiatives focus on guidance, information sharing, and standardized security assessments across the aviation supply chain.
  3. EASA (European Union Aviation Safety Agency): Established under the European Union, EASA regulates aviation safety and sets standards for civil-aviation operations in EU states. Its recent “Part-IS” regulation mandates that airlines, manufacturers, airports, air-navigation service providers and other aviation stakeholders implement an Information Security Management System and appropriate risk-management controls to protect aviation operations from cyber threats.
  4. CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act): A U.S. federal law that requires certain “covered entities” within designated critical infrastructure sectors to notify CISA within 72 hours after the entity reasonably believes it has experienced a substantial cyber incident, and within 24 hours of making a ransom payment in response to a ransomware attack. The law is designed to improve transparency and oversight of cyber threats across infrastructure sectors, including entities like airports and airlines where they fall within scope. For more on CIRCIA, you can refer to our breakdown here.

Compliance isn’t optional. The reporting burden alone requires automated visibility across OT assets.

What Aviation Needs

Protecting aviation’s digital systems requires coordination between multiple agencies, organizations, and countries. The potential cost of inaction is far greater than the cost of implementing modern safety standards. Traditional IT security tools can’t see OT protocols (Modbus, DNP3, BACnet). Standard patching breaks operational technology. Air-gapped networks have now become a myth—most modern airports have IP connectivity between zones. Aviation leaders must view cybersecurity not as just a compliance checkmark, but as a cornerstone of safety and reputation.

  1. Asset Discovery & Malware Prevention
    Problem: Air-gapped systems and standalone equipment can’t deploy traditional agents. Contractors can introduce infected USB devices. Operators lack visibility into what systems exist, and they cannot protect what they cannot see.
    Solution: TXOne Portable Inspector performs agentless malware scanning without software installation or reboots. This works on legacy systems (Windows 2000/XP) through modern Windows 11 and Linux and automatically collects asset inventory during scans, giving operators visibility. TXOne Safe Port sanitizes USB devices through a kiosk-style station and sends Portable Inspector scan results and media-inspection events to ElementOne for centralized auditing.
  2. Legacy System Protection
    Problem: Unpatchable systems from defunct vendors remain in production. Windows 2000/XP workstations often still control core processes, but they cannot accept modern agents and cannot be updated without breaking validated applications. If left unaddressed, every new vulnerability becomes a permanent exposure, placing these assets directly in the path of modern ransomware and OT-focused intrusions.
    Solution: TXOne EdgeIPS and EdgeFire deliver virtual patching at the network layer, so legacy systems stay protected without any software installation, configuration changes, or reboots. The appliances sit inline or on mirrored traffic, learn legitimate OT communication patterns, and block exploit attempts and unauthorized protocol activity before it reaches the endpoint. They provide OT-protocol inspection, segmentation, and compensating controls tailored for systems that cannot be modified.
  3. Access Control & Operation Lockdown
    Problem: Every day, thousands of people move between public and restricted airport zones. Access-control systems require continuous authentication, and static credentials do not scale. Public-facing kiosks and terminals also sit in exposed areas and require strict hardening to prevent tampering or misuse.
    Solution: TXOne Stellar provides application lockdown, USB device control, and behavioral CPSDR monitoring for public-facing systems and operational workstations. For zone-based least-privilege enforcement, TXOne EdgeIPS and EdgeFire segment OT networks and restrict communication paths. Automated audit trails across both endpoint and network layers support operational and compliance reporting.
  4. Compliance Automation
    Problem: Manual documentation for ICAO, IATA, EASA, and CIRCIA requirements consumes security resources. Fragmented tools create reporting gaps.
    Solution: TXOne ElementOne centralizes security events and device information from Portable Inspector, Safe Port, and Stellar, providing unified visibility and generating automated reports from consolidated logs, asset details, and inspection history. This reduces audit workload and ensures consistent documentation across evolving regulatory frameworks.
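As an added illustration (not TXOne’s code and not part of the original post), the following Python model shows the kind of network-layer compensating control items 2 and 3 describe: it parses the Modbus/TCP header that a port-based IT firewall never inspects and enforces a per-host function-code allowlist for a constructed baggage-handling zone. The host addresses, the zone baseline, and the frames are hypothetical.

```python
import struct
from dataclasses import dataclass

# Standard Modbus function codes (from the Modbus application protocol spec).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and the
    function code that opens the PDU. Raises ValueError on malformed frames."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, payload[7])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request frame (constructed test input, not captured traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Hypothetical learned baseline for one OT zone: which source hosts may issue
# which function codes. Anything outside this set is treated as unauthorized.
POLICY = {
    "10.20.1.5": {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER},  # HMI workstation
    "10.20.1.9": {READ_HOLDING_REGISTERS},                          # historian, read-only
}


def evaluate(src_ip: str, payload: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one request, like an inline allowlist rule would."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "DROP", f"malformed: {exc}"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "DROP", f"{src_ip} not in zone baseline"
    if req.function_code not in allowed:
        return "DROP", f"{src_ip} function 0x{req.function_code:02x} not allowed"
    return "ALLOW", f"{src_ip} function 0x{req.function_code:02x} unit {req.unit_id}"
```

A real inline appliance also validates the PDU body and tracks sessions, but even this header-level check distinguishes a read from a write on TCP/502, which a port-only rule cannot.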

A Secure OT Flight Path

Aviation is an attractive target for threat actors. The interconnected control systems that support airport operations, ground services, and airline logistics create exposure that can’t be ignored. OT cybersecurity must be treated as a national-level priority, not an afterthought. By aligning airport operators, airlines, and government regulators around stronger protection for critical OT systems, the sector can reinforce the safety and continuity of global air travel.


Sources:

  1. Port of Seattle. (April 2024). “Port Cyberattack Archive.” https://www.portseattle.org/news/port-cyberattack-archive
  2. The Cyber Express. (March 2024). “Anonymous Collective Claims Liverpool Airport Cyberattack.” https://thecyberexpress.com/liverpool-airport-cyberattack/