
One Flaw to Ground Them All: Lessons from Unanticipated OT and IoT Vulnerabilities at Major Airports

Jan 14, 2026

August 24, 2024. Saturday morning at a major international airport in the Pacific Northwest. Thousands of travelers expected smooth check-ins and timely departures. 

Instead, screens went dark. Systems crashed. Operations ground to a halt. 

Airport officials identified system outages consistent with a cyberattack and isolated critical systems. Airline agents began handwriting boarding passes. Passengers waited in uncertainty as digital infrastructure that is normally invisible became impossible to ignore through its absence. 

The Rhysida ransomware gang had infiltrated airport systems, encrypted data, and demanded 100 Bitcoin (nearly $6.5 million at time of the attack). They accessed personal information from systems managing employee, contractor, and parking data. Approximately 90,000 individuals ultimately received breach notifications. 

Airport leadership refused to pay. But the damage was done: thousands of hours of emergency response, days of operational disruption, and a sobering demonstration that even major transportation hubs remain vulnerable. How attackers gained entry remains undisclosed, but the incident exposed gaps in preparedness most organizations wouldn’t discover until crisis forces revelation. 

[Tip: Don’t want to wait for a crisis to reveal your preparedness gaps? Consider tabletop simulation exercises. More about those at the end of the article.] 

Pressure Points that Collapse Centralized Networks

Thirteen months later, in September 2025, airports across Europe faced similar chaos. Heathrow, Berlin Brandenburg, and Brussels experienced significant disruptions when hackers targeted check-in and boarding systems. 

The attack hit a third-party software supplier rather than any one airport: the shared check-in and boarding software that lets airlines process passengers at common-use desks across multiple airports. The Everest ransomware group later claimed responsibility. One compromised system, cascading failures across countries. 

As security researchers explained, centralization creates single points of failure: “You have one system which has been targeted, and it is a single point of failure. To create massive damage, you just need to target one specific software that manages the check-in and luggage process.” 

These incidents weren’t connected, but they revealed similar vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) lists aviation as critical infrastructure whose disruption could have national security and economic consequences. EUROCONTROL estimates airlines lose at least $1 billion annually to fraudulent website operations alone, with broader cyber attack costs reaching into the billions globally. 

Compliance Is a Floor, Not a Ceiling

The Transportation Security Administration (TSA) has issued specific cybersecurity requirements for airport and aircraft operators, mandating: 

  • TSA-approved cybersecurity implementation plans 
  • Cybersecurity risk assessments (aligning with NIST) 
  • Defensive measures and resilience against evolving threats 
  • Architectural reviews assessing physical security separation and controls between networks 
  • Penetration testing on both IT systems and OT networks 

But as these incidents demonstrated, meeting regulatory requirements provides a foundation, not comprehensive security. 

The specific entry points varied in these airport attacks. Everest struck a shared passenger check-in system. Rhysida’s method remains undisclosed. But both incidents exposed a fundamental challenge facing not just airports but all critical infrastructure: the sprawl of operational technology and IoT devices that traditional security programs often miss. 

The Attack of the IoT Zombie Army

Security teams naturally focus on obvious operational technology: baggage handling, ticketing systems, HVAC controls, access management, and surveillance. But the attack surface extends far beyond these visible systems. 

Consider what happened at a major university campus. Late one evening, the IT Security Team received escalating complaints about network connectivity. Investigation revealed that DNS servers were producing high-volume alerts. 

The source? Over 5,000 compromised IoT devices making hundreds of DNS lookups every 15 minutes. Vending machines, lamp posts, and thermostats. All had been connected to the network for ease of management and improved efficiency. An IoT botnet had spread from device to device by brute-forcing default and weak passwords. 

As the incident commander reported: “Short of replacing every soda machine and lamp post, I was at a loss as to how to remediate the situation.” 

The university eventually regained control, but the lesson stands: IoT devices that seem benign become attack vectors when networked without proper segmentation. The vending machine that accepts credit cards. The smart thermostat. The connected lighting system. Each represents a potential entry point. 

Even mundane devices can be exploited. If a vending machine connects to the network and that segment isn’t isolated from the rest, the machine becomes a pivot point. Many such devices run a full embedded operating system, so once compromised they give an attacker the same footholds as any server: a shell, network tooling, and a position from which to scan and move laterally. 
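The university incident was noticed only because the DNS servers started alerting on volume. The following is an added example for this article, not code from the university’s response team or from any of the incidents described, showing the check a security team could run over its own resolver logs to catch the pattern earlier: per-device query counts per 15-minute window, compared against an assumed baseline, with a roll-up by segment so that dozens of hosts on one IoT VLAN all beaconing stand out as worm-style spread rather than a single misbehaving box. The log format (a simplified BIND-style query log), the sample lines, the threshold and the IoT segment address are all constructed assumptions.

```python
"""Flag IoT hosts beaconing through DNS: per-device query counts per 15-minute window.

Added example; the log format, sample lines, threshold and segment are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW_MINUTES = 15                        # must divide 60 evenly
QUERY_THRESHOLD = 50                       # assumed baseline: a thermostat never needs 50 lookups in 15 min
IOT_SEGMENT = ip_network("10.50.0.0/24")   # assumed IoT VLAN

# Constructed line format: "<ISO-8601 ts> client <ip>#<port>: query: <qname> IN <qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for lines in an unexpected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip what we don't understand instead of aborting the whole run
    return datetime.fromisoformat(m["ts"]), m["ip"], m["qname"].rstrip(".").lower()


def window_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket."""
    return ts.replace(minute=(ts.minute // WINDOW_MINUTES) * WINDOW_MINUTES,
                      second=0, microsecond=0)


def flag_beaconers(lines, threshold=QUERY_THRESHOLD):
    """Return [(ip, window_start, query_count, distinct_names)] for every device/window
    at or above the threshold, highest volume first."""
    counts = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, qname = rec
        key = (ip, window_start(ts))
        counts[key] += 1
        names[key].add(qname)
    flagged = [(ip, ws, n, len(names[(ip, ws)]))
               for (ip, ws), n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda r: r[2], reverse=True)


def hosts_by_segment(flagged, segment=IOT_SEGMENT):
    """How many flagged devices sit in one segment; many at once points to lateral spread."""
    return sum(1 for ip, *_ in flagged if ip_address(ip) in segment)


def constructed_log():
    """Synthetic sample: six IoT hosts each firing 120 lookups inside one window, plus
    two workstations making a handful of ordinary lookups."""
    base = datetime(2024, 8, 24, 6, 0, 0)
    lines = []
    for host in range(10, 16):                        # 10.50.0.10 .. 10.50.0.15
        for i in range(120):
            ts = base + timedelta(seconds=i * 7)      # roughly one lookup every 7 seconds
            lines.append(f"{ts.isoformat()} client 10.50.0.{host}#4{host}00: "
                         f"query: lookup-{i % 40}.example. IN A")
    for host, name in ((21, "mail.example."), (22, "portal.example.")):
        for i in range(3):
            ts = base + timedelta(minutes=i * 4)
            lines.append(f"{ts.isoformat()} client 10.10.0.{host}#5{host}00: query: {name} IN A")
    return lines


if __name__ == "__main__":
    hits = flag_beaconers(constructed_log())
    for ip, ws, n, distinct in hits:
        print(f"{ip:<14} {ws:%H:%M} {n:>4} queries, {distinct} distinct names")
    print(f"{hosts_by_segment(hits)} flagged hosts in {IOT_SEGMENT}")
```

On the constructed sample the six vending-machine-class hosts are flagged at 120 queries each while the two workstations stay under the threshold; the segment roll-up reporting all six inside the IoT VLAN is the signal that distinguishes an outbreak from one faulty device. In production the threshold should be set per device class from observed baselines, and the same counts can be fed to the firewall to block the segment’s outbound DNS while devices are rebuilt.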

The Lesson for Airports: Pressure Test Your Plan

One of the airport’s most important lessons wasn’t about preventing the breach. It was about responding to it. 

They had business continuity and disaster recovery plans. But the airport’s experience revealed gaps between having plans and testing them thoroughly. 

Airport employees spent over 4,000 hours responding. They discovered: 

  • Inadequate communication options 
  • Outdated contact lists for key personnel 
  • Compromised Voice over IP systems, forcing them to purchase prepaid cellphones 
  • Capacity limitations that magnified the attack’s impact 

These practical details only emerge through realistic testing: tabletop exercises simulating cyberattacks, drills that test communication protocols, and regular reviews confirming that backup systems actually work. 

A dedicated attacker with sufficient resources can usually defeat defensive systems. This doesn’t mean accepting compromise as inevitable, but it does mean response capabilities matter as much as preventive controls. 

Resilience ≠ Prevention: Building Systems That Recover

The Pacific Northwest and the European airport incidents demonstrate why resilience matters more than prevention alone. The goal isn’t perfect defense but rather building systems that withstand attempts, detect breaches quickly, and recover effectively. 

This requires a fundamental mindset shift. Rather than pursuing impossible perfection, resilient security accepts that some attacks will succeed regardless of preventive measures. This acceptance enables organizations to invest appropriately in detection and response capabilities. 

The foundational elements of operational resilience include: 

  • Comprehensive visibility across all systems. Unified monitoring spanning endpoints, networks, cloud environments, OT systems, and IoT devices. The university botnet succeeded because thousands of devices operated without adequate visibility. Organizations need to see threats moving laterally through OT/IoT infrastructure. 
  • Rapid detection and response. Technologies and processes that identify and contain threats within minutes rather than days. Modern attackers move laterally across networks in under an hour. Organizations lacking quick response capabilities pay in prolonged disruption. 
  • Continuous adaptation to emerging threats. Regular updates to security controls based on threat intelligence rather than waiting for incidents to expose vulnerabilities. Resilient organizations update controls proactively as threats change. 
  • Business continuity during active incidents. Critical functions that continue operating even during security events, minimizing impact on customers and operations. 
  • Layered defenses that complement rather than duplicate. Multiple security measures working together so that when one layer fails, others contain the threat. 

For organizations managing OT systems and constellations of IoT devices, resilience requires: 

  • Complete asset inventory identifying all connected devices 
  • Network segmentation preventing compromised devices from accessing operational systems 
  • Architectural reviews assessing controls between IT and OT networks 
  • Tested response protocols with communication backups and practiced procedures 
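Two of the four items above, the asset inventory and the segmentation between IoT and OT, can be checked mechanically rather than asserted in a policy document. The following is an added example, not code from the article or from any airport’s program, that does both over a constructed inventory, a constructed list of hosts seen on the wire, and a constructed allow-list of firewall rules in a simplified tuple form (no vendor’s syntax is implied). It reports devices on the network with no inventory record, enumerates every IoT-to-OT path the rules permit, and then rewrites the offending rule by carving the OT network out of an over-broad destination. Device names, addresses and rules are assumptions.

```python
"""Inventory coverage and IoT->OT reachability checks over a constructed dataset.

Added example; inventory, observed hosts, segments and rules are all assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed asset inventory: device name -> (ip, class). Class drives the policy.
INVENTORY = {
    "bhs-plc-01":        ("10.100.1.10", "ot"),   # baggage handling PLC
    "hvac-ctrl-02":      ("10.100.1.20", "ot"),
    "vending-t3-07":     ("10.50.0.12",  "iot"),
    "smart-light-gw-1":  ("10.50.0.40",  "iot"),
    "ops-workstation-5": ("10.10.0.21",  "it"),
}

# Hosts actually seen on the wire (constructed; in practice from DHCP leases or ARP tables).
OBSERVED = ["10.100.1.10", "10.100.1.20", "10.50.0.12", "10.50.0.40",
            "10.50.0.77", "10.10.0.21"]            # .77 has no inventory record

SEGMENTS = {
    "ot":  ip_network("10.100.1.0/24"),
    "iot": ip_network("10.50.0.0/24"),
    "it":  ip_network("10.10.0.0/24"),
}

# Constructed allow rules as (src_net, dst_net, dst_port); everything else is denied.
RULES = [
    ("10.10.0.0/24", "10.100.1.0/24", 502),   # engineering workstations -> Modbus on PLCs
    ("10.50.0.0/24", "0.0.0.0/0",     443),   # IoT telemetry to "anywhere": far too broad
    ("10.50.0.0/24", "10.10.0.53/32", 53),    # IoT -> internal resolver
]


def unknown_hosts(observed=OBSERVED, inventory=INVENTORY):
    """Hosts seen on the network with no inventory record: the first gap to close."""
    known = {ip for ip, _ in inventory.values()}
    return sorted(ip for ip in observed if ip not in known)


def rule_permits(rule, src, dst):
    """True if the rule's source and destination networks cover the pair (port ignored:
    any open path from IoT into OT is an exposure regardless of service)."""
    src_net, dst_net, _ = rule
    return ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net)


def iot_to_ot_exposure(inventory=INVENTORY, rules=RULES):
    """Return [(iot_device, ot_device, rule)] for every IoT->OT pair some rule allows."""
    iot = [(n, ip) for n, (ip, c) in inventory.items() if c == "iot"]
    ot = [(n, ip) for n, (ip, c) in inventory.items() if c == "ot"]
    return [(iname, oname, rule)
            for iname, iip in iot
            for oname, oip in ot
            for rule in rules
            if rule_permits(rule, iip, oip)]


def tighten(rules=RULES, segments=SEGMENTS):
    """Return a new rule list in which no rule from an untrusted source reaches OT.
    Broad destinations keep working for everything except the OT network, which is
    carved out; rules aimed squarely at OT from untrusted sources are dropped."""
    ot = segments["ot"]
    trusted = (segments["it"], ot)
    fixed = []
    for src, dst, port in rules:
        src_net, dst_net = ip_network(src), ip_network(dst)
        if any(src_net.subnet_of(t) for t in trusted) or not dst_net.overlaps(ot):
            fixed.append((src, dst, port))                 # trusted source, or OT unreachable: keep
        elif dst_net.subnet_of(ot):
            continue                                       # untrusted source aimed at OT: drop
        else:
            for carved in dst_net.address_exclude(ot):     # punch an OT-sized hole in the destination
                fixed.append((src, str(carved), port))
    return fixed


if __name__ == "__main__":
    print("unknown hosts:", unknown_hosts())
    for iname, oname, rule in iot_to_ot_exposure():
        print(f"EXPOSED {iname} -> {oname} via {rule}")
    fixed = tighten()
    print(f"{len(fixed)} rules after tightening, exposures left: {len(iot_to_ot_exposure(rules=fixed))}")
```

On the constructed data the unknown device on the IoT VLAN is reported, four IoT-to-OT paths are found, all of them granted by the single 0.0.0.0/0 telemetry rule, and after carving the OT network out of that destination no path remains. The same two checks map directly onto the TSA expectations listed earlier for architectural reviews of the controls between IT and OT networks.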

For regulated industries, compliance with federal mandates provides foundations but doesn’t guarantee resilience. Organizations with mature resilience programs report measurable benefits: reduced cyber insurance premiums (often 15-30%), shorter recovery times, maintained operations during attempted breaches, and protected reputation. 

Saturday Morning Comes for Everyone

The airport recovered, strengthened defenses, and improved monitoring. But the fundamental challenges persist. Operational technology continues converging with information technology. IoT devices proliferate. Attackers target critical infrastructure because disruption creates leverage. 

The lessons extend beyond aviation to utilities, manufacturing, building management, and healthcare. The fundamental vulnerabilities remain consistent. 

Organizations must choose: address vulnerabilities proactively, or wait until systems go dark on a Saturday morning. 

Richey May Cyber helps organizations assess and strengthen operational technology security with specialized capabilities for critical infrastructure environments including aviation. We understand TSA requirements, OT/IT convergence challenges, and the practical realities of securing complex operational environments. 

This is the first in a series on operational technology security. In February, we’ll examine the IT/OT convergence challenges facing utilities. In March, we’ll explore practical approaches to protecting industrial control systems and smart buildings. 

Tags: IoT, OT
