Walk through any modern airport (or dash, if you’re afraid you’ll miss your flight) and you’ll encounter a highly distributed cyber-physical environment. All around you are:
- Display boards, communications devices and sensors
- Security checkpoints, scanners and access control
- Baggage handling and conveyor systems
- Trains and people movers connecting terminals
- Traffic management and parking systems
- Retail shops and duty-free stores, many with self-checkout kiosks
These components have been the backbone of airports and airline ground operations for decades, but now they’re deeply interconnected — to IT networks, each other and, often inadvertently, the internet. Each one must operate continuously and predictably, as part of what the European Union Aviation Safety Agency (EASA) calls a “system of systems” with countless attack paths, where cyber threats can disrupt operations or impact safety.
If that sounds abstract, it stopped being so in September 2025. A ransomware attack on Collins Aerospace’s MUSE check-in and boarding platform (software shared by multiple airlines across multiple airports) forced Heathrow, Brussels, Berlin and Dublin to revert to manual check-in and paper boarding passes, cancelling and delaying flights across Europe for days. No one breached those airports directly. Attackers compromised a single shared supplier, and the disruption cascaded outward. That is the connected airport’s risk profile in one incident.
Against this backdrop, four major challenges are reshaping airport cyber-physical risk. Let’s explore them.
1. OT/IoT/IT Convergence Is Expanding the Attack Surface
Network convergence has been underway in every industry for years, but asset owners are still grappling with the consequences. Without strong segmentation and compensating controls, an attack on any one connected system can trigger cascading failure, degrading essential services and forcing operational shutdowns.
The mechanics are usually unglamorous. Building automation and physical access systems run on protocols like BACnet and Modbus that were designed for reliability, not security. They frequently ship with no encryption, no authentication and default or hard-coded credentials. Many are connected wirelessly to otherwise protected networks, which makes them low-effort entry points. Once an attacker has a foothold on a flat or poorly segmented network, lateral movement toward higher-value systems is the easy part.
So, if a compromised security camera can open a door into operational networks, or a fault in baggage handling can ripple into gate operations and flight schedules, then cybersecurity isn’t adjacent to operational resilience; it is operational resilience.
2. Complex Ownership Blurs Lines and Increases Risk
Airports are essentially small cities, operated by a mix of public authorities, tenant passenger and cargo airlines that lease terminal space, and third-party companies that operate most ground and flight support services. These stakeholders share infrastructure but often operate under different security policies, budgets and regulations.
Generally speaking:
- Airport operators manage runways, terminals, and shared OT infrastructure
- Airlines control their own operational technology and passenger systems
- Third-party providers handle ground operations like fueling, baggage sorting, and maintenance
Especially in major hubs where an airline operates large portions of the environment, airport and airline officials often don’t know where their cybersecurity responsibilities start or stop.
When ownership is fragmented, so is security — the Collins Aerospace incident showed exactly how that fragmentation gets exploited. The weak point wasn’t any one operator’s network; it was a shared third-party platform that sat upstream of all of them. So, who’s responsible when there’s a breach or a failure?
3. Threat Actors Are Targeting Critical Infrastructure
With their mandate to move passengers and cargo safely and on time, airports and airlines are prime targets for a broad spectrum of adversaries: nation-state advanced persistent threat (APT) groups pursuing espionage or sabotage, financially motivated ransomware operators, ideologically driven hacktivists, and insiders or compromised suppliers with legitimate access. Geopolitical tension sharpens the threat, and attacks on critical infrastructure routinely rise alongside it, aimed at disrupting the systems that underpin daily life, including safe travel.
What’s less understood is how operational networks actually get hit. Based on Nozomi Networks Labs’ analysis of real-world cyber-physical incidents, the pattern is consistent:
- Intrusions start at the edge. Internet-facing firewalls, VPN gateways and remote-access platforms have become the preferred initial-access vector. Attackers either exploit vulnerabilities in these exposed devices or simply log in with stolen, valid credentials, bypassing perimeter defenses and blending into normal activity.
- The action is at the endpoints, not the controllers. Drawing on the MITRE ATT&CK® for ICS knowledge base, our research finds that roughly 72% of attack techniques observed in real cyber-physical incidents target OT endpoints, such as human-machine interfaces, engineering workstations, application and control servers, data historians and jump hosts, rather than PLCs and RTUs directly. Endpoint protection inside the OT environment is not optional.
- Then they move from watching to acting. Adversaries typically begin with observation, conducting industrial discovery, protocol reconnaissance, and the collection of process and operational data. From there, the step that truly matters is manipulation: altering control logic and setpoints, modifying device firmware or inhibiting safety functions.
That final, destructive step has so far been observed mainly in other sectors, and largely in the context of kinetic conflict rather than aviation. We have not yet seen process manipulation of this kind at an airport. The uncomfortable truth, though, is that the underlying techniques, and the access they depend on, are not unique to any one industry. Many of these systems don’t even require an exploit. A great deal of OT remains insecure by design, which lets attackers interact with it through legitimate functionality.
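As an added example (not code from the original post or from Nozomi Networks), the following Python shows how a defender can flag that watching-to-acting transition on a Modbus/TCP segment: it parses the MBAP header and function code of each request and alerts on write function codes from any host that is not an allowlisted engineering workstation, noting whether that host was first seen only reading. The addresses, allowlist and frames are constructed samples, not captured traffic.

```python
# Added example: detect Modbus/TCP writes from non-allowlisted hosts.
# Sample frames and addresses below are constructed for illustration.
import struct

# Function codes that change device state (the "acting" step) vs. polling.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}
READ_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
                  3: "read_holding_registers", 4: "read_input_registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU function code of a request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:                       # protocol id is always 0 for Modbus
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:       # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def classify(frame: bytes) -> str:
    fc = parse_modbus_tcp(frame)["function"]
    return "write" if fc in WRITE_FUNCTIONS else "read" if fc in READ_FUNCTIONS else "other"

def detect_unexpected_writes(events, allowed_writers):
    """events: iterable of (src_ip, dst_ip, frame). Returns alert strings."""
    alerts, seen_reading = [], set()
    for src, dst, frame in events:
        kind = classify(frame)
        if kind == "read":
            seen_reading.add(src)      # host observed in reconnaissance/polling
        elif kind == "write" and src not in allowed_writers:
            fname = WRITE_FUNCTIONS[parse_modbus_tcp(frame)["function"]]
            stage = "escalated from reconnaissance" if src in seen_reading else "first contact"
            alerts.append(f"{src} -> {dst}: {fname} ({stage})")
    return alerts

# Constructed sample traffic toward a BMS controller at 10.20.9.10 (hypothetical).
SAMPLE_EVENTS = [
    ("10.20.1.5",  "10.20.9.10", bytes.fromhex("000100000006010300000005")),  # EWS polls
    ("10.20.3.77", "10.20.9.10", bytes.fromhex("000200000006010300000005")),  # camera VLAN host polls
    ("10.20.3.77", "10.20.9.10", bytes.fromhex("000300000006010600100064")),  # then writes a setpoint
    ("10.20.1.5",  "10.20.9.10", bytes.fromhex("000400000006010600100032")),  # allowlisted EWS write
    ("10.20.4.9",  "10.20.9.10", bytes.fromhex("00050000000601050003ff00")),  # coil write, never polled
]
ALLOWED_WRITERS = {"10.20.1.5"}   # hypothetical engineering workstation
```

Running `detect_unexpected_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)` yields two alerts: the camera-VLAN host that polled and then wrote a register, and the host that wrote a coil on first contact; the allowlisted workstation's write is not flagged.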
Transportation offers a stark adjacent example. In August 2023, saboteurs halted roughly 20 freight and passenger trains in Poland not with malware, but by broadcasting unauthenticated “radio-stop” emergency commands over the rail network’s legacy analog radio system, a protocol with no encryption and no authentication that could be abused with a few dollars of equipment. No vulnerability was exploited; the system simply did what it was built to do, for whoever asked.
These threats are also being amplified by artificial intelligence, which adversaries are now integrating across every stage of an operation:
- AI-supported attacks accelerate and scale human tasks such as reconnaissance, scripting, vulnerability and zero-day research, convincing phishing and deepfake-based impersonation.
- AI-orchestrated attacks use agents to coordinate multi-stage workflows, automating lateral movement and decision-making with less human involvement.
- AI-enabled malware adapts on the fly, generating commands dynamically, producing polymorphic payloads and evading anomaly detection.
- Attacks on AI systems themselves, including prompt injection, data poisoning and model manipulation, are an emerging frontier, and a pressing one as AI adoption accelerates inside leading OT platforms.
4. The Overlooked IoT Attack Surface
Amid the focus on OT, the IoT layer is the part defenders most often miss, and it’s everywhere in an airport: surveillance cameras, building management and HVAC controllers, access-control readers, environmental and baggage sensors, and digital signage. These devices are widely exposed, lightly monitored and increasingly abused across the entire attack lifecycle. Nozomi Networks Labs research into connected cameras and building management systems shows the same device can play four very different roles for an attacker:
- As an entry point. Internet-connected IoT like cameras, BMS, HVAC and access control is a favored initial foothold, thanks to weak authentication and direct exposure.
- As a direct impact target. Because these systems govern physical conditions and physical access, manipulating them is itself the objective. An attacker might unlock a door, blind a camera or disrupt climate control in a server room.
- As an intelligence platform. A compromised IP camera hands an adversary real-time situational awareness and surveillance, reconnaissance that is especially valuable for coordinating activity in a conflict scenario.
- As an attack platform. Their sheer numbers and weak security make IoT devices ideal for botnets, internet scanning, and proxying malicious traffic.
In other words, the unglamorous camera in a parking garage or the HVAC controller in a server room isn’t a peripheral concern. It can be the door in, the target, the spy and the weapon, all at once. Yet these devices frequently sit outside the scope of both IT and OT security programs.
5. Intensifying Regulatory Pressure
Airports and airlines are heavily regulated globally, both as critical infrastructure and as part of the aviation industry. For much of the sector, 2025–2026 marks a turning point: when aviation-specific cybersecurity becomes enforceable and auditable.
This is especially true under EASA Part-IS, among the most stringent aviation cyber regulations to date and, in practice, a global benchmark. Part-IS came into force for airport operators on 16 October 2025 and extended to the wider aviation population (air carriers, maintenance organizations, training organizations, air navigation service providers and the authorities themselves) on 22 February 2026.
While the name implies a sole focus on information systems, the regulation explicitly requires stakeholders across aviation to protect all safety-critical systems, OT and IoT included, from cyber and information threats through:
- Asset inventory
- Risk management, including supply chain risk
- Continuous monitoring and detection
- Incident reporting
And the teeth are real: non-compliance can carry administrative fines of up to 4% of annual turnover. NIS2, the TSA Security Directives for aviation, and other regional and international frameworks all push in the same direction. Notably, Part-IS singles out supply-chain risk, the exact vector that took down check-in across Europe.
Protect the Cyber-physical Infrastructure That Keeps Planes Flying
For CISOs, OT security leaders and GRC officers, these four challenges can’t be managed in isolation. They require a unified approach to OT and IoT security that provides the visibility, context and control needed to manage risk across complex, interconnected environments.
The Nozomi Networks platform helps aviation organizations stay compliant and resilient by providing a complete, accurate inventory of OT and IoT assets, risk-based vulnerability management and continuous security monitoring to detect and respond to the threats and anomalies that matter most. That detection is informed by Nozomi Networks Labs, our threat-research team, which continuously tracks OT and IoT threat actors and discloses new vulnerabilities across industrial protocols and devices.
We work with more than 125 aviation organizations, including some of the biggest airports in the world. To learn how Nozomi Networks can help you gain context, control and confidence to withstand cyber threats without impacting reliability and safety, contact us today.