select search filters
briefings
roundups & rapid reactions
Fiona fox's blog
Scientists comment on a reporter cyber-attack at European airports including Heathrow.
Rimesh Patel, former Chair of Institution of Engineering and Technology’s Central London Network and Independent Cyber Specialist, said:
“Organisations across all industries have been making concerted efforts to optimise cyber resilience across their business operations. However, this alleged Collins Aerospace cyber incident serves as a stark reminder of the critical need to secure not just internal systems, but also the supply chain. This incident highlights a growing vulnerability: supply chain attack vectors now require the same level of diligence as those dedicated to protecting organisational-specific cyber controls. Failure to address these risks, even lower priority ones could result in far-reaching consequences, with the potential to disrupt both horizontally and vertically across entire ecosystems and civilian lifestyles.
“For those suppliers considered part of the UK’s Critical National Infrastructure (CNI), it is imperative that they apply the principles of ‘Risk Tolerate, Treat, Transfer, and Terminate’ with a cyber-first approach. Reactive cybersecurity controls are no longer sufficient as a baseline for operations. Proactive measures, such as continuous monitoring, advanced threat detection, and rapid incident response, are now non-negotiable for maintaining business continuity and security.
“For our European counterparts, the implementation of the NIS2 Directive is an essential step in strengthening cybersecurity across critical sectors. In the UK, our equivalent of the Cyber Security and Resilience Bill, introduced in the King’s Speech on 17 July 2024, continues to challenge all industries to strengthen their cybersecurity frameworks and adopt more resilient practices across their operations.
“To embed cyber resilience into business operations, organisations can proactively test their supplier upstream systems and applications, perform regular cyber tabletop exercises aligned with their specific risk profiles, to help identify vulnerabilities before they become threats. Proactive cybersecurity is now an ongoing priority, not a reactive measure.
“As we come to Cyber Security Awareness month (in October), UK industries should be celebrating their resiliency efforts and not excelling in hindsight lessons learned. We will only have two reminders, one from our alert-monitoring systems another from the attackers themselves.”
Dr Junade Ali, Fellow and Cyber Expert, Institution of Engineering and Technology, said:
“The cyberattack on Heathrow and other airports was rooted in a supply-chain attack, which targeted the MUSE check-in/boarding software. Supply-chain cyberattacks work by targeting the third-party technology used by critical national infrastructure. In this case, the attacks targeted technology used by Collins Aerospace. Defenders of cyberattacks face an asymmetric fight, whilst they must address every threat, an attacker need only succeed once.
“It is currently unknown what the specific attack vector is or who can be attributed to the attack; however, legislation like the NIS Regulations will require reporting of the details of such attacks to regulators. It is unclear if any data was compromised, for example through using ransomware which encrypts files to extort money or if it was simply a denial-of-service attack – which would overwhelm the system externally so it cannot operate normally. A March 2023 report from the European Union Agency for Cybersecurity has found ransomware to be the most common type of cyberattack conducted on transportation infrastructure in recent years.
“Initial service restoration could occur within hours to days, however, a forensic investigation of the cause may take much longer. British Airways is reportedly using fallback protocols to prevent interruption of service, and this highlights the need for resilient systems which can adapt to failures whilst maintaining safety and security.
“In a world where technology is ever more complex, cybersecurity remains at the heart of mitigating risk. Key to mitigating this risk is having robust security and resilience built in.”
Dr Hisham Al Assam, Reader in Computing, University of Buckingham, said:
“The exact technical details of the Collins Aerospace MUSE system attack and who was behind it have not been made publicly available yet.
“What is clear is that the incident highlights how “common use” shared systems in aviation create a dangerous infrastructure consolidation, leading to single points of failure. Such models turn efficiency into fragility, where a single compromise can disrupt several airlines at once.
“The big lesson: gains in efficiency through shared systems increase systemic vulnerability. For companies and airports, robust backup systems, vendor cybersecurity assurance, and contingency planning are no longer optional, they’re absolutely essential.”
Prof James Davenport, Hebron and Medlock Professor of Information Technology, University of Bath, said:
“If it is a cyberattack (which seems probable) it’s a slightly curious one. Attacks on M&S, Co-op etc. have focused on (a) stealing the customer data; (b) wrecking the software by encrypting the system so that it takes a long time to restore, and draws people’s attention to the data theft.
“Now I doubt that this system, which essentially routes between the check-in etc. desks and the individual airlines, actually has much personal data stored in it.
“Also this software is installed in many airports, only a few of which (but the busiest) have been affected (or at least are telling us).
“A firm like Collins/RTX which has many clients will have good ways of restoring/re-installing, unless these themselves have been subverted.
“So I don’t see why Collins/RTX should pay up, and ever if an airline wanted to pay up, it couldn’t restore the system, as that is with Collins.
“It looks almost more like vandalism than extortion, based on the information we have. I think significant new details would have to emerge to change this view.”
Professor Martyn Thomas FREng, Emeritus Professor of IT, Gresham College, London, said:
“Judging by BBC News coverage, it seems that we can’t yet be sure this is a cyberattack or, if it is, whether the attackers are nation-state-based or criminals or teenage hackers.
“It’s clear from the number of recent cyberattacks and their impact that this is a problem that will grow, possibly rapidly, until software developers get much better at writing secure software and company IT staff get much better at evaluating the security of software their company choses to purchase or to use remotely. IT staff also need to become better at configuring the software their company uses, to drastically limit the ways in which hackers can download software into user accounts to which they have gained access (often by phishing or deception).
“Solving the problem of insecure software will take a long time, because many (possibly most) software developers do not have the qualifications or training that are equivalent to those required for electrical engineers or civil engineers for example. Software development has become a craft skill rather than engineering and we are seeing the consequences: some brilliant software with powerful features, but inadequate focus on assuring the safety and security that are vital in systems where failure can lead to serious harm.
“We have been lucky so far, as the motivation of cyber criminals has been disruption or financial gain. If they were to decide to cause serious injury or many deaths, the same attack strategies could be used on critical systems in healthcare or major infrastructure.”
Prof Alan Woodward, Visiting Professor of Computing, University of Surrey, said:
“The issue appears to be in a piece of software called Muse. It’s from a company called Collins Aerospace. It is a system that allows multiple airlines to use the same desk at an airport to check in passengers and drop bags.
“The problems began on Friday night. We don’t know why yet but it has been accepted it’s some form of cyber attack.
“Muse can be installed on the premises at an airport or run from a cloud based system. Either way it appears Collins operate the system and thus it is they who have to fix the issue.
“So far we know that Heathrow, Berlin and Brussels are affected causing delays and cancellations.
“The big open question is why only these airports were affected. Muse is used across many airports but in the words of the Collins release only a “select” few have been affected.
“It could be that an upgrade was sent on Friday and it contained malware. But why only 3 airports installed it is unclear. If it is an attack on a centrally run system then the impact could grow: either hackers might widen their impact or the system may have to be shut down affecting all users.
“It might still be that it was a simple error in a software update rather than a cyber attack but the various releases suggest it was an attack.
“It is surprising as Collins Aerospace is part of RTX, one of the world’s largest defence contractors, who provide cyber security advice.
“We won’t know more until we see further releases or the impact widens which would support one of the theories above.
“As a mode of attack this is not unsurprising as so called “supply chain” attacks are becoming more common as they enable one successful system penetration to potentially affect many users, including large organisations, as in this case.”
Declared interests
Dr Junade Ali: “No COIs”
Prof James Davenport: “No conflicts”
Prof Alan Woodword: “No conflicts of interest.”
Prof Martyn Thomas: “I have no conflicts of interest in anything related to this.”