
Lessons from the Cyberattack on European airports: We just dodged a big one

Prayukth KV
30. September 2025
The recent attacks on European airports exposed systemic, process-level and incident response weaknesses that are not unique to airports in Europe but are shared by many airports across the globe. Today, we can no longer afford to view critical infrastructure protection in terms of threat detection and resilience alone. Instead, infrastructure such as airports needs to manage threats, respond to incidents and be up and running with minimal disruption in the shortest possible time frame.
At Shieldworkz, we have already spoken about the threat actor and the geopolitical forces behind the attack. This post is not about that. Instead, in today's piece we examine the systemic weaknesses that expose critical infrastructure to such attacks in the first place. The purpose of this post is to learn together, from the past, how the ecosystem can work together to prevent such incidents. This post is also not about blaming anyone; it is about working together to prevent such incidents from occurring in the future.
Systemic faults
The cyberattack caused a failure in the ARINC Multi-User System Environment (MUSE) platform that led to a series of shutdowns impacting many mission-critical systems such as ground operations, passenger check-in and conveyor belts. A disruption at this scale across 4 major airports carries an economic cost and could also have opened the door to a kinetic event, a terrorist strike or multiple unauthorized physical intrusions while staff were busy attending to the fallout of the original incident.
This is not a far-fetched or unimaginable possibility. The days of battles fought in a single plane or space are long over. Today, geopolitical forces act across planes simultaneously to overwhelm defenses and to exploit smaller openings to create a major incident. As we showed in our earlier report on the recent cyberattack, the roots of this incident go deep into events that occurred in the region a few days earlier. We have to look at cyber incidents in their proper context to understand the objectives and motives of the threat actors.
The systemic faults exposed during the incident include:
· Delayed incident response
· Lack of stand-by systems and operational support to continue operations
· Lack of operational and supply chain visibility
· Lack of decoy systems to deflect inbound attacks and to confuse threat vectors and bad actors
Now let's look at each of these aspects in detail.
Delayed incident response
None of the airports involved responded to the incident rapidly, which led to the chaos that eventually grounded nearly 140 flights. If the airports involved had assessed their readiness to deal with such an incident and addressed the gaps, this incident could have been contained faster.
Incident response should consider single points of failure as well as cascading failures, and the playbook should ideally define operational responses and redundancies for both. In the first instance, all such software and processes should be identified and tagged for specific IR actions in case of a failure. The IR response should be enacted faster in such cases, as any delay could lead to more systems and processes being impacted.
In the case of cascading failures where multiple systems are targeted, the focus should be on bringing systems back in a phased manner, with complete assurance that the threat has been contained. In both cases, we recommend that the incident response strategy, playbooks and actions be tested across scenarios and timings to build incident response muscle memory (we will cover this in detail in a subsequent blog post). Repeated exercises will also eliminate panic or impulsive actions by employees. Further, with a clear delineation of roles and responsibilities, teams will be able to categorize and respond to incidents with more accuracy and in a time-bound manner.
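As an added example (not code from the original post or from Shieldworkz), the single-point and cascading-failure triage described above can be scripted over a dependency map of operational systems: given the system that failed, it lists the cascade, the affected systems that have no stand-by, and a phased restart order. The system names, dependencies and fallbacks are constructed assumptions; the 'muse' node stands in for the shared check-in platform.

```python
# Added example: dependency-graph triage for a shared-platform outage.
# The system names, dependencies and fallbacks below are constructed
# assumptions (the 'muse' node stands in for the ARINC MUSE platform).
from collections import deque

# system -> upstream systems it cannot operate without
DEPENDENCIES = {
    "muse": set(),
    "checkin_desks": {"muse"},
    "bag_drop": {"muse"},
    "boarding_gates": {"checkin_desks"},
    "baggage_belts": {"bag_drop"},
}

# system -> stand-by/manual fallback that keeps operations going
FALLBACKS = {"checkin_desks": "manual_checkin", "bag_drop": "manual_tagging"}


def blast_radius(failed, deps=DEPENDENCIES):
    """Every system that transitively depends on `failed` (the cascade)."""
    dependents = {s: {t for t, d in deps.items() if s in d} for s in deps}
    seen, queue = set(), deque([failed])
    while queue:
        for child in dependents[queue.popleft()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def recovery_phases(failed, deps=DEPENDENCIES):
    """Phased restart order: a system is only brought back once everything
    it depends on has been restored (and verified clean) in an earlier phase."""
    affected = blast_radius(failed, deps) | {failed}
    phases, restored = [], set(deps) - affected
    while affected - restored:
        ready = sorted(s for s in affected - restored if deps[s] <= restored)
        if not ready:
            raise ValueError("dependency cycle among affected systems")
        phases.append(ready)
        restored |= set(ready)
    return phases


def fallback_gaps(failed, deps=DEPENDENCIES, fallbacks=FALLBACKS):
    """Affected systems with no stand-by: the single points of failure to fix first."""
    return sorted(s for s in blast_radius(failed, deps) | {failed} if s not in fallbacks)
```

Running `fallback_gaps("muse")` shows that the platform itself and the downstream gates and belts have no fallback, which is exactly the tagging exercise the playbook should complete before an incident, not during one.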
This is why Shieldworkz recommends immersive incident response simulation, where every single aspect of incident response is tested in an ever-escalating environment to probe the true depth of incident response strategies and actions. Let me know if you are interested in knowing more about a custom incident response simulation exercise for your business.
Lack of stand-by systems and operational support to continue operations
As we have seen, the impacted airports tried their best to continue business throughout the incident but were unable to do so. Stand-by systems and redundancies that services could be diverted to were missing. Such systems let incident response teams focus more on containment and remedial measures and reduce the chaos. That focus can prove an invaluable asset when any organization deals with a cyber incident and the crisis that follows.
Lack of operational and supply chain visibility
This is a common problem that compounds security challenges. Without visibility beyond the SBoM and HBoM into the actual cybersecurity practices followed by the vendor ecosystem, and without a standard baseline set of security practices followed by the ecosystem as a whole, securing assets and infrastructure becomes a challenge.
Lack of decoy systems to deflect inbound attacks and to confuse threat vectors and bad actors
By deploying decoy systems, actual attacks can be deflected and diverted to simulated environments where the TTPs and threat vectors can be studied in detail. Such environments ensure security of core systems and reduce the load on security teams by:
· Preventing attacks on actual systems
· Enabling attacks to be studied; the TTPs investigated can be used to add incident response practices to the IR playbook
· Frustrating threat actors by making them waste attack cycles on fake targets
An IEC 62443-based risk and gap assessment to assess the state of infrastructure security and the prevailing security level will also be very helpful.
Finally, nothing can beat agentic-AI based infrastructure monitoring which is offered by OT security vendors such as Shieldworkz.
By relying on a combination of such tactics and strategies, critical infrastructure operators can ensure their IR strategies remain in top gear and in the best condition to defend against sophisticated cyber attacks.