
Securing airport MRO facilities in a new age of cyber threats

Prayukth KV
28 October 2025
As part of the Cybersecurity Awareness Month, we are doing a deep dive into OT security strategy and measures for various critical infrastructure sectors. Today we will examine cybersecurity measures for the Maintenance, Repair and Overhaul facilities connected with the aviation sector.
The aviation industry operates on a foundation of precision, safety, discipline, diligence, process adherence and timing. A flight delayed by a software glitch isn't just an inconvenience; it's a cascade of disruption costing millions. We saw this play out during the September 2025 ransomware attack on Collins Aerospace, which crippled check-in and baggage systems at major hubs such as London Heathrow, Brussels and Berlin. It was one of several wake-up calls the sector has had in the last five years.
While this attack targeted passenger-facing IT systems, it sent a critical warning to the entire aviation ecosystem, especially to the often-overlooked backbone of airline operations: Maintenance, Repair, and Overhaul (MRO) facilities.
Before we start, don't forget to read our blog on OT security for the renewable energy sector.
Complex infrastructure
MRO operations typically run on a complex fabric of Operational Technology (OT), from robotic arms and smart torque wrenches to engine diagnostic systems and building management controls. This is where the physical and digital worlds meet, and, as the Shieldworkz 2025 Threat Report documents, this convergence is now the number one target for attackers.
If a check-in system going down can ground flights, imagine what a compromised engine diagnostic tool, a manipulated fuel gauge or a modified angle-of-attack sensor could do.
Emerging threats to MRO operations: What the Shieldworkz 2025 Threat Report uncovers
The latest cyber threat intelligence report shows that attackers are no longer just knocking on the door; they have blueprints to the building. The Shieldworkz 2025 report highlights several alarming trends that are directly applicable and relevant to MRO facilities everywhere. These include:
The 24-hour window: Speed and stealth are the new weapons. The report notes that as many as 68 percent of OT intrusions now achieve some level of system access in under 24 hours, after which the attacker can deploy malware or quietly keep the infrastructure under surveillance for an extended period. For an MRO, this means an attacker could move from an initial phishing email to controlling a vital piece of machinery before the next shift change.
Data and control manipulation is the "supreme threat": Forget about just stealing data; attackers now subtly modify it. Detected three times more often than any other tactic, this threat presents a new and daunting challenge for MROs. An attacker could alter a torque specification in a digital manual, change a calibration setting on a diagnostic tool, or feed false sensor data from an engine test bed, leading to a chain of catastrophic safety failures that is very difficult to trace back to its cause.
"Deauthentication storms": Attackers are increasingly targeting the unmonitored Wi-Fi and wireless networks that connect smart tools and IoT sensors. A deauthentication storm floods the air with forged 802.11 deauthentication frames that carry the access point's address, so every client drops its association and has to reconnect. The report found a 120 percent year-over-year increase in these attacks, which can instantly sever communications, halt automated processes and create large operational blind spots. Hangars often run Wi-Fi networks that carry diagnostic and other critical data from the systems where it originates to dashboards; an attacker who gets onto such a network can, at the very least, reach data streams that can then be manipulated. A practical caveat: forged deauthentication frames only work against networks that do not enforce Protected Management Frames (802.11w), which WPA3 mandates, so enabling them on every hangar SSID removes this attack class rather than merely detecting it.
The IoT attack surface expansion: With an estimated 85 million new industrial IoT sensors deployed, MRO attack surfaces are growing rapidly, and much of that surface may be unmonitored and unmanaged. Every smart tool, unpatched PLC and remote access point is a potential doorway, often secured with nothing more than an easily guessed default password.
The recent European airport attack exposed a critical weakness: dependence on third parties. MRO facilities are just as reliant, if not more so, on a vast chain of vendors for their specialized diagnostic software, machinery and remote support. A single compromised vendor or device update could bypass all perimeter defences and hand an attacker the keys to the kingdom.
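To make the deauthentication-storm threat concrete, here is an added example (not code from the original post or from Shieldworkz) of the kind of detection logic a wireless sensor in the hangar could run. It assumes that some monitor-mode capture tool already yields per-frame metadata; the frame records below are constructed by hand, and the BSSID, client address, window length and threshold are arbitrary choices for illustration.

```python
"""Sliding-window detector for 802.11 deauthentication/disassociation storms.

Added example, not part of the original post. It assumes a monitor-mode
capture already yields per-frame metadata; the frames below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

MGMT = 0                     # 802.11 frame type 0 = management
DEAUTH, DISASSOC = 12, 10    # management subtypes 0xC and 0xA
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds
    ftype: int     # 802.11 type field
    subtype: int   # 802.11 subtype field
    src: str       # transmitter address (the claimed BSSID for a deauth)
    dst: str       # receiver address


class DeauthStormDetector:
    """Emit one alert per BSSID each time the number of deauth/disassoc frames
    seen from it within the last `window_s` seconds reaches `threshold`."""

    def __init__(self, window_s=10.0, threshold=20):
        self.window_s, self.threshold = window_s, threshold
        self._seen = defaultdict(deque)   # bssid -> deque of (ts, is_broadcast)

    def feed(self, f: Frame):
        if f.ftype != MGMT or f.subtype not in (DEAUTH, DISASSOC):
            return None                   # data/control frames never count
        q = self._seen[f.src]
        q.append((f.ts, f.dst == BROADCAST))
        while q and f.ts - q[0][0] > self.window_s:
            q.popleft()                   # expire frames outside the window
        if len(q) == self.threshold:      # alert on the crossing, not on every frame above it
            return {
                "bssid": f.src,
                "count": len(q),
                "broadcast": sum(1 for _, b in q if b),
                "window": (q[0][0], f.ts),
            }
        return None


def run_demo():
    """Constructed traffic: a few legitimate deauths from the AP over a
    minute, some ordinary data frames, then a spoofed broadcast storm."""
    ap, client = "02:1a:2b:3c:4d:01", "02:aa:bb:cc:dd:10"   # constructed addresses
    frames = [Frame(t, MGMT, DEAUTH, ap, client) for t in (0.0, 12.5, 41.0)]
    frames.append(Frame(5.0, 2, 0, client, ap))              # data frame, ignored
    # Attacker spoofs the AP's BSSID and sends 40 broadcast deauths in 2 seconds.
    frames += [Frame(60.0 + i * 0.05, MGMT, DEAUTH, ap, BROADCAST) for i in range(40)]
    det = DeauthStormDetector(window_s=10.0, threshold=20)
    return [a for a in (det.feed(f) for f in frames) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The legitimate deauths never trip the detector because they are spread over a minute; the storm trips it once, at the 20th forged frame, and the high broadcast count in the alert is the tell-tale of a spoofed flood rather than an access point disconnecting one misbehaving client. Detection of this kind complements, rather than replaces, enabling Protected Management Frames on the hangar Wi-Fi.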
Best practices for securing the MRO Hangar and everything within it
Securing an MRO facility isn't the same as securing an office. OT security prioritizes availability and safety over confidentiality. You can't just "turn it off and on again" when the system in question is a multi-ton aircraft jack.
Here are the core best practices to adopt:
Achieve total visibility (asset inventory): The first step is a comprehensive inventory of every device on your network, from the engineer's laptop to the oldest PLC on the shop floor. Identify all connections, data flows and dependencies. The inventory should also assign each asset to a category and zone and record its expected behaviour and communications, because that is what later segmentation and monitoring decisions are checked against.
Implement Zero-Trust segmentation: Assume your perimeter will be breached. A "flat" network where an infected laptop can talk to a critical engine diagnostic system is unacceptable. Use network segmentation (VLANs, firewalls) to create isolated zones and explicitly permitted conduits between them, following the IEC 62443 zones-and-conduits model. A smart wrench should only be able to talk to its own server, not the building's HVAC system.
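The zone model only helps if someone checks real traffic against it. The following is an added example (not code from the original post or from Shieldworkz) of a small policy check that takes a Phase-1 style asset inventory with zone labels, a set of permitted cross-zone conduits, and a list of observed flows, and reports every flow that has no conduit or involves a device nobody inventoried. The asset names, IP addresses, zones, conduits and flow records are all constructed for illustration; in practice the flows would come from firewall logs or a passive monitor, and the inventory from your asset database.

```python
"""Check observed network flows against an IEC 62443-style zone/conduit model.

Added example, not from the original post. The asset inventory, zones, IPs,
conduits and flow records below are constructed for illustration.
"""
from dataclasses import dataclass

# Output of the asset inventory step: every asset carries a name and a zone.
ASSETS = {
    "10.10.1.5":  ("smart-torque-wrench-07",  "tools"),
    "10.10.1.20": ("tool-data-server",        "tools"),
    "10.10.2.10": ("engine-diag-server",      "diagnostics"),
    "10.10.2.50": ("engineering-workstation", "diagnostics"),
    "10.10.3.3":  ("hvac-bms-controller",     "building"),
    "10.20.0.15": ("engineer-laptop",         "it"),
    "10.30.0.2":  ("vendor-jump-host",        "remote-access"),
}

# Conduits: the only cross-zone (src_zone, dst_zone, proto, dport) tuples allowed.
# Traffic inside a zone is allowed by default; anything else is denied.
CONDUITS = {
    ("it",            "diagnostics", "tcp", 443),  # engineers reach the diag web UI
    ("remote-access", "diagnostics", "tcp", 22),   # vendor SSH, only via the jump host
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify(flow: Flow):
    """Return (verdict, reason) with verdict in {"allow", "deny", "unknown"}."""
    s, d = ASSETS.get(flow.src), ASSETS.get(flow.dst)
    if s is None or d is None:
        who = flow.src if s is None else flow.dst
        return "unknown", "%s is not in the asset inventory" % who
    (sname, szone), (dname, dzone) = s, d
    if szone == dzone:
        return "allow", "intra-zone %s: %s -> %s" % (szone, sname, dname)
    if (szone, dzone, flow.proto, flow.dport) in CONDUITS:
        return "allow", "conduit %s -> %s %s/%d" % (szone, dzone, flow.proto, flow.dport)
    return "deny", "%s (%s) -> %s (%s) %s/%d has no conduit" % (
        sname, szone, dname, dzone, flow.proto, flow.dport)


def audit(flows):
    """Classify every flow; returns a list of (flow, verdict, reason)."""
    return [(f,) + classify(f) for f in flows]


def run_demo():
    """Constructed flows: two legitimate, two the zone model forbids, one from
    a host nobody inventoried."""
    flows = [
        Flow("10.10.1.5",  "10.10.1.20", "tcp", 8443),  # wrench -> its own server
        Flow("10.10.1.5",  "10.10.3.3",  "tcp", 502),   # wrench -> HVAC controller
        Flow("10.20.0.15", "10.10.2.10", "tcp", 443),   # laptop -> diag web UI
        Flow("10.20.0.15", "10.10.2.10", "tcp", 502),   # laptop -> diag Modbus port
        Flow("10.99.0.7",  "10.10.2.10", "tcp", 22),    # unknown host -> diag server
    ]
    return audit(flows)


if __name__ == "__main__":
    for flow, verdict, reason in run_demo():
        print("%-7s %s" % (verdict.upper(), reason))
```

The two "deny" findings are exactly the cases the text warns about: a tool reaching into the building zone, and an IT laptop speaking an industrial protocol to a diagnostic server when only its web interface is permitted. The "unknown" finding is just as important, because a flow from an address that is not in the inventory means either the inventory or the segmentation is incomplete. The model is a check, not an enforcement point; the firewall rules between zones still have to be written to match it.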
Harden access control: Enforce strict identity and access management.
Secure Remote Access: All third-party vendor and remote maintenance access must go through a secure, monitored, and time-limited gateway (a "jump box").
Enforce "least privilege": A technician's credentials should only grant access to the specific tools and systems required for their job.
Eliminate default passwords: This is the lowest-hanging fruit and one of the most common entry points.
Develop a resilient patching strategy: Patching OT is hard, as downtime is not an option.
Risk-based patching: Prioritize patches for internet-facing systems and critical vulnerabilities.
Virtual patching: For legacy systems that cannot be patched, use an Intrusion Prevention System (IPS) to shield the known vulnerability, effectively "patching" it at the network level.
Establish OT-specific monitoring: Your IT-focused Security Operations Center (SOC) likely won't recognize an anomalous command sent via Modbus or another industrial protocol. You need OT-specific threat detection that understands industrial traffic and can spot behaviours of interest such as unauthorized configuration changes, writes from hosts that have no business issuing them, or unusual process values (e.g., "Why is that robot arm's torque value at 150 percent?").
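To show what "understands industrial traffic" means in practice, here is an added example (not code from the original post or from Shieldworkz) that decodes Modbus/TCP request frames and raises alerts for the two cases the text names: a write from a host that is not the engineering workstation, and a setpoint outside the process bounds, such as the 150 percent torque value. The register map, the allowed writer address and the limits are assumptions for a hypothetical robot-arm PLC, and the frames are built in-line rather than captured from a real network.

```python
"""Inspect Modbus/TCP write requests for unauthorized sources and
out-of-range process values.

Added example, not part of the original post. The register map, allowed
writer address and process limits are assumptions for a hypothetical
robot-arm PLC; the demo frames are constructed in-line.
"""
import struct

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTIPLE = 0x10

# Only the engineering workstation may write setpoints to this PLC (assumed).
ALLOWED_WRITERS = {"10.10.2.50"}
# Holding register -> (tag, min, max); values are percent of rated torque/speed.
REGISTER_LIMITS = {
    0: ("arm_torque_pct", 0, 100),
    1: ("arm_speed_pct", 0, 100),
}


def parse_modbus_tcp(data: bytes):
    """Return (function_code, unit_id, {register: value}) for one request ADU.
    The dict is empty for reads and for function codes this parser ignores."""
    if len(data) < 8:
        raise ValueError("truncated ADU")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])   # MBAP header
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(data) - 6:            # length covers unit id + PDU
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc = data[7]
    writes = {}
    if fc == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", data[8:12])
        writes[addr] = value
    elif fc == FC_WRITE_MULTIPLE:
        start, qty, nbytes = struct.unpack(">HHB", data[8:13])
        if nbytes != 2 * qty or len(data) != 13 + nbytes:
            raise ValueError("malformed write-multiple request")
        values = struct.unpack(">%dH" % qty, data[13:])
        writes = {start + i: v for i, v in enumerate(values)}
    return fc, unit, writes


def inspect(src_ip: str, data: bytes):
    """Return the list of alert strings for one request frame from src_ip."""
    fc, unit, writes = parse_modbus_tcp(data)
    alerts = []
    if not writes:
        return alerts                      # reads are not policed here
    if src_ip not in ALLOWED_WRITERS:
        alerts.append("unauthorized write from %s to unit %d (fc=0x%02x)" % (src_ip, unit, fc))
    for addr, value in sorted(writes.items()):
        limit = REGISTER_LIMITS.get(addr)
        if limit is None:
            alerts.append("write to unmapped register %d=%d" % (addr, value))
            continue
        tag, lo, hi = limit
        if not lo <= value <= hi:
            alerts.append("%s=%d outside process bounds %d..%d" % (tag, value, lo, hi))
    return alerts


# Frame builders, used only to construct the demo traffic below.
def _adu(tid, unit, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single(tid, unit, addr, value):
    return _adu(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, addr, value))


def write_multiple(tid, unit, start, values):
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE, start, len(values), 2 * len(values))
    return _adu(tid, unit, pdu + struct.pack(">%dH" % len(values), *values))


def read_holding(tid, unit, start, qty):
    return _adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, start, qty))


def run_demo():
    """Constructed traffic: a normal setpoint write, a 150 percent torque
    write, a write from an engineer's laptop, and a routine read."""
    traffic = [
        ("10.10.2.50", write_single(1, 1, 0, 80)),
        ("10.10.2.50", write_single(2, 1, 0, 150)),
        ("10.20.0.15", write_multiple(3, 1, 0, [60, 60])),
        ("10.10.2.50", read_holding(4, 1, 0, 2)),
    ]
    return [(src, inspect(src, frame)) for src, frame in traffic]


if __name__ == "__main__":
    for src, alerts in run_demo():
        print(src, alerts or "ok")
```

Two things are worth noting about the design. The value check works only because the register map carries engineering meaning (register 0 is torque in percent, and 100 is the ceiling); an IT-style signature engine that sees only "TCP port 502" can never make that judgement. And the source check is the monitoring counterpart of segmentation: even if the firewall lets the laptop reach the PLC, a write request from it is still an event the SOC should see.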
Plan and drill your response: Have a dedicated and tested OT Incident Response Plan. This plan should be able to answer critical questions: Who has the authority to shut down a maintenance line? What are the manual/analog backup procedures? How do you restore a compromised PLC from a known-good backup? Conduct tabletop exercises with both IT and operations staff. Factor in an escalating scenario and test your incident response in real time.
Align your security measures against standards: IEC 62443 and NIST CSF can be the guiding benchmarks for implementation of security controls.
Conduct regular assessments: Ensure that all parts of the infrastructure are assessed at least once every 180 days.
A 5-step roadmap and a checklist for MRO security
Just to reiterate, this is a journey and not a sprint. Here is a practical roadmap from Shieldworkz to build your MRO's cyber resilience.
Phase 1: Assess and identify (weeks 1-12)
CHECKLIST:
[ ] Assemble a cross-functional team (IT, OT/Engineering, Safety, Management).
[ ] Commission a complete, passive OT asset inventory.
[ ] Conduct a high-level risk assessment. Identify "crown jewel" systems whose failure would stop operations or create a safety hazard.
[ ] Map all network connections, especially IT-OT convergence points and external vendor access.
Phase 2: Secure and segment (months 3-9)
CHECKLIST:
[ ] Remediate all default credentials.
[ ] Begin network segmentation. Start with the most critical zone (e.g., safety systems, diagnostic servers) and isolate it.
[ ] Deploy a secure remote access solution for all third-party vendors.
[ ] Implement a "virtual patching" solution to shield your most critical unpatchable systems.
Phase 3: Monitor and Detect (months 9-18)
CHECKLIST:
[ ] Deploy an OT-specific network monitoring tool for your newly segmented zones.
[ ] Integrate OT alerts into your existing security monitoring (SIEM/SOC), with a clear playbook for OT-specific incidents.
[ ] Establish a secure, offline backup and restoration process for all critical OT assets (PLC logic, HMI configurations, etc.).
Phase 4: Respond and refine (months 18-24)
CHECKLIST:
[ ] Finalize and test your OT-specific Incident Response plan.
[ ] Conduct your first MRO-focused tabletop exercise (e.g., "A ransomware has encrypted our diagnostics server. What do we do?").
[ ] Implement a formal patch management and vulnerability review process.
Phase 5: Optimize (Ongoing)
CHECKLIST:
[ ] Move from reactive security to a proactive, Zero-Trust architecture.
[ ] Continuously review and update asset inventory and risk assessments.
[ ] Provide ongoing security awareness training for all MRO staff (e.g., "Don't plug that USB in here," "Report this suspicious HMI behavior").
The security of an aircraft in flight begins with the security of its maintenance on the ground. The threats are no longer theoretical. By learning from recent attacks and adopting a security-first mindset, MRO facilities can protect their operations, their assets, and, ultimately, the safety of the flying public.
Start with a risk assessment project for your MRO in 5 easy steps.
Talk to our MRO security expert.


