Europe’s skies were thrown into chaos over this past weekend by a supply chain attack, and airports, airlines, and passengers felt it. As cybersecurity professionals, we must look not just at what occurred, but how and why it happened, and what steps organizations (airports, airlines, vendors) must take to reduce risk going forward.
What Happened: The Incident in Detail
Starting Friday, September 19, 2025, multiple major European airports experienced severe disruptions in check-in, boarding, and baggage operations caused by a cyberattack on a third-party service provider, Collins Aerospace (specifically, its check-in and boarding system/services).
Here are the key facts and timeline:
- Friday, 19th Sept: Attack begins. The automatic check-in and boarding system supplied by Collins Aerospace suffers ransomware disruption. Airports start shifting to manual operations.
- Saturday/Sunday, 20th/21st Sept: Disruptions spread. Airports like Brussels, Berlin Brandenburg, and London Heathrow are among the worst affected. Some flights cancelled; many delayed.
- Monday, 20th Sept: Continued disruption. ENISA confirms the root cause: a ransomware attack through a third‐party software provider. The “type of ransomware has been identified.” Law enforcement is involved. Some systems are being restored; manual processes are still fallback.
Which airports were affected (most severely):
- Brussels Airport (Zaventem, Belgium): One of the hardest hit. On Monday, about 60 of its ~550 flights were cancelled.
- London Heathrow (UK): Delays, manual check-in, disruptions to some flights; improving by Monday.
- Berlin Brandenburg: Significant delays. Manual fallback required. Berlin also had greater congestion due to the Berlin Marathon.
- Dublin Airport (Terminal 2 in particular): Impacted, though less severely than Brussels. Terminal 2 check-in and boarding affected; staff switching to manual workarounds.
“And what exact systems were broken or affected?”, you ask. The automatic check-in desks, bag-drop systems, and boarding pass verification at manned desks were disabled. Self-service kiosks and online check-in had varying degrees of resilience or partial functionality. The offline period forced airports to shift to manual processes: handing out boarding passes and bag tags by hand, improvising with laptops / iPads where possible. As expected, many flights were delayed.
ENISA’s update:
ENISA (the EU Agency for Cybersecurity) has officially confirmed this incident is a ransomware attack on a third-party service provider.
They stated: “The type of ransomware has been identified. Law enforcement is involved to investigate.” The origin (who was behind it, or whether state-sponsored) has not yet been publicly disclosed.
Collins Aerospace says it is working with affected airports, and that software updates are in the final stages of being applied to restore full functionality.
Previous Disruptions: Learning From the Past
This isn’t the first time that air transport has suffered from third-party or large-scale IT system failures. Some past incidents provide useful comparisons and warnings. The most recent and/or significant was the CrowdStrike / Microsoft outage (July 2024).
Essentially, a faulty update to CrowdStrike’s Falcon Sensor software led to widespread Windows system crashes. This resulted in thousands of flights cancelled or delayed, illustrating how even non-malicious software failures (i.e. not necessarily a cyberattack) at third-party vendors can cascade severely in aviation.
Key Supply-Chain & Third-Party Risk Issues Highlighted
From what we’ve seen in this incident, several supply chain risk factors are clearly in focus. Let’s enumerate and analyse them.
Centralisation and single points of failure
- Collins Aerospace provides a service used by many airports. When its check-in/boarding service goes offline, many airports are affected simultaneously. This single point of failure amplifies risk.
- Cloud-based / networked systems with shared codebases or shared infrastructure increase the blast radius of a compromise.
Dependency on third-party software providers
- Airports & airlines often outsource or rely on vendors for non-core but mission-critical systems: check-in, boarding, baggage drop. Those systems must be secure. The security posture of suppliers becomes the security posture of the operator.
- Ransomware attacks (especially through remote software supply chain) have become common vectors.
Lack of redundancy or fallback capability
- Many airports had to fall back to manual processes. Manual is better than nothing, but it is slow, error-prone, and resource-intensive. Not all airports or airlines may have mature or tested fallback procedures.
Dissemination of updates / patching
- ENISA notes the type of ransomware was identified and a secure update was pending/progressing. But until updates are properly tested and rolled out, systems may remain vulnerable. Delay in patching or applying fixes by vendors or by airports compounds exposure.
Regulatory / contractual obligations
- Contracts with vendors for critical services may not always fully cover cybersecurity requirements, incident response, and liability. When incidents occur, legal, regulatory, and reputational costs can skyrocket.
What This Means for the Industry
Looking beyond this single incident, there are broader implications:
- The infrastructure vendor ecosystem for aviation is under increasing scrutiny. Vendor failures or hacks may once have been considered rare; now, they are more common (with 2 major ones in the past 2 years). Organisations that ignore third-party risk are gambling with operations and reputation.
- Regulatory regimes (like NIS2 in the EU, the EASA cybersecurity rules) are pushing for more responsibility to be shared across the ecosystem - not just airports and airlines, but their vendors. Noncompliance could lead to heavy financial, legal, reputational penalties.
- The severity of disruptions will likely grow. As systems become more interconnected (cloud, shared services, AI tools, etc.), dependencies grow; so does exposure.
- Cyber insurance, contractual liability, and supply chain insurance will become more central. Vendors will need to show strong security hygiene to be insurable and to avoid being excluded in agreements.
Advisory: How to Manage Supply-Chain Risks for Different Industries
Given that supply-chain risk is central to this incident, here are concrete advisory steps organisations in aviation, airports, and supply vendors should adopt (Cyberkach recommendations):
Comprehensive vendor risk assessment
- Maintain an up-to-date inventory of all suppliers whose software, hardware, or services touch critical operations.
- For each (where possible), assess: cybersecurity posture (e.g. ISO/IEC 27001, SOC2, or equivalent), incident history, recovery time objectives (RTO), means of communication.
- Include sub-tiers (Fourth-Parties): e.g. who supplies the vendor’s tools, libraries, services (e.g. cloud, networking).
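The inventory and sub-tier steps above can be checked mechanically. The following is an added example, not part of the original article: it walks a supplier inventory through every tier and ranks each supplier by the services that stop if it goes down, flagging those with no tested fallback. All service and supplier names are hypothetical, constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory: every name below is hypothetical.
# service -> direct suppliers it cannot run without
SERVICES = {
    "check-in": ["vendor-passenger-sw"],
    "boarding": ["vendor-passenger-sw"],
    "bag-drop": ["vendor-passenger-sw", "vendor-baggage-hw"],
    "flight-info-displays": ["vendor-display-sw"],
}
# supplier -> its own suppliers (fourth parties and deeper)
SUPPLIERS = {
    "vendor-passenger-sw": ["cloud-host-a", "identity-provider-x"],
    "vendor-baggage-hw": ["identity-provider-x"],
    "vendor-display-sw": ["cloud-host-b", "identity-provider-x"],
}
# services whose fallback has actually been exercised in a drill
TESTED_FALLBACK = {"check-in", "boarding"}


def transitive_suppliers(direct, suppliers):
    """Return every supplier reachable from `direct`, at any tier."""
    seen, stack = set(), list(direct)
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # also guards against cycles in the inventory
        seen.add(name)
        stack.extend(suppliers.get(name, []))
    return seen


def blast_radius(services, suppliers, tested_fallback):
    """List (supplier, services hit, services hit with no tested fallback)."""
    impact = defaultdict(set)
    for service, direct in services.items():
        for supplier in transitive_suppliers(direct, suppliers):
            impact[supplier].add(service)
    report = [(s, sorted(hit), sorted(hit - tested_fallback))
              for s, hit in impact.items()]
    # Widest impact first, then most services without a tested fallback.
    report.sort(key=lambda r: (-len(r[1]), -len(r[2]), r[0]))
    return report


if __name__ == "__main__":
    for supplier, hit, exposed in blast_radius(SERVICES, SUPPLIERS, TESTED_FALLBACK):
        print(f"{supplier}: affects {hit}; no tested fallback: {exposed}")
```

In this sample the widest blast radius belongs to a fourth party that appears in no direct contract, which is why the inventory has to include sub-tiers.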
Contractual cybersecurity requirements
- In all contracts/service level agreements (SLAs), include clauses about security standards, patching timelines, minimum controls (e.g. encryption, least privilege, logging).
- Require vendors to report incidents promptly and transparently.
- Define responsibilities in case of supply-chain compromise: who pays what, who leads communication, what remedies (including customer remediations) are required.
Redundancy & fallback / resilience planning
- Every mission-critical service (such as check-in, boarding, and baggage handling in this scenario) should have a tested fallback: manual methods, alternative systems, alternative vendor, or local infrastructure.
- Regular drills: simulate vendor outage or ransomware compromise to see how operations degrade, and fine-tune the fallback.
Segmentation & minimising blast radius
- Vendor systems should be isolated: network segmentation, least privilege access, strict controls between vendor software and core safety or air-traffic control systems.
Proactive patching, monitoring & threat intelligence
- Vendors must have strong, well-documented patching regimes. For vulnerabilities discovered (or in ransomware incident responses), quick testing and roll-out is critical.
- Use continuous monitoring: anomaly detection, logging, incident response capabilities.
- Subscribe to threat intelligence feeds; understand which threat actors target aviation or infrastructure, what tools, techniques, and procedures (TTPs) they use.
Regulatory compliance and best practice frameworks
- Adhere to national directives (NIS2, EASA cybersecurity guidance, etc.). These increasingly require strong supply chain risk management.
- Seek auditing and certification in cybersecurity; regular external reviews.
Incident response & communication plans
- Have well-rehearsed incident response plans that cover vendor compromise: notification, mitigation, recovery, and public communication.
- Clear communication with staff, passengers, regulators. Transparency helps maintain trust.
How Cyberkach Can Help Companies Avoid Disruption of This Kind
As Cyberkach, our mission is to help organisations build robustness against cyber disruptions. Here are the services we offer to mitigate this kind of scenario:
Simulations & war-games
- We can run vendor outage / ransomware scenarios, tailored to different business contexts. E.g. simulate the kind of attack seen on Collins Aerospace: automatic check‐in disabled, fallback to manual, baggage drop impacted, etc. This helps expose gaps in plans.
- Tabletop exercises with leadership, operations, IT, security, legal, communications teams to rehearse responses.
Vendor risk management program design and implementation
- We assist in building or improving vendor risk assessment frameworks: tools, scoring, workflows, continuous monitoring.
- Reviewing existing contracts to ensure cybersecurity clauses are adequate.
Technical security assessments / audits
- Audits of vendor software, especially critical systems such as check-in, boarding, etc. Penetration testing, code review, cloud/network security review.
- Red team / adversary emulation to test detection and mitigation capabilities.
Training & awareness
- Train staff and vendor partners on incident detection, escalation, and fallback procedures.
Incident response (IR) readiness and forensics
- Build IR plans that cover third-party vendor compromises. Ensure you have forensic support, legal and regulatory counsel ready.
- After an incident, conduct root cause analysis to feed back into vendor requirements and overall resilience.
Want a complimentary assessment of your security posture? Contact us and we’ll schedule a quick 30-minute briefing.