How a cyberattack on a software product brought EU airports to a halt - Industrial Cyber
October 14, 2025
Security incident at RTX subsidiary Collins Aerospace
Cybersecurity has made it into the daily press again, and airports too. Sound familiar?
What happened?
At airports in Berlin, Brussels, Dublin, and London, passenger check-in had to be done manually in some cases (with pen and paper, I imagine it to look something like the picture above), which led to long waiting times, delays, and canceled flights over several days.
However, it was not a direct attack on the airports, but on the software provider Collins Aerospace — more specifically its cMUSE software. The Collins software ARINC cMUSE is used for passenger processing — i.e., for processes such as check-in and baggage drop-off.
What kind of attack was it and how is Collins dealing with it?
There is almost no information about the nature of the attack and how the software company is dealing with it, except for the report of the incident by Collins’ publicly traded parent company RTX to the US Securities and Exchange Commission on September 19. The report also states that it was a ransomware attack — and, of course, that no financial impact on the publicly traded parent company RTX is expected.
There is no information from Collins Aerospace itself, a US company that provides technical solutions for commercial and military aerospace.
Some media articles refer to information from the EU cybersecurity agency ENISA, according to which the exact ransomware group is known to ENISA.
A German Tagesschau news report from September 24 states that Collins Aerospace “appears to be rebuilding the system after attempting to restart it on Monday.” The Wikipedia article on the incident states that on September 29, Collins began rolling out a “replacement system” at Brussels Airport. The reports do not indicate whether this replacement system comes from a backup or whether everything is being rebuilt from scratch.
How is the attack being interpreted by the media?
Many articles offer calming reassurances: aviation security was not compromised at any time, and the attack was not actually an attack on airports, which were only indirectly affected — collateral damage, so to speak.
At a time when Russian aircraft are constantly showing up in places where they don’t belong, these reassurances certainly make sense.
The air safety argument is credible; passenger handling is really far removed from software that could compromise air safety. But Collins also develops software solutions for cockpits, engines, and air traffic controllers, for example.
The collateral damage hypothesis remains exactly that: a hypothesis — at least if it is only based on what’s known publicly. Sure, it could have been a ransomware gang with purely economic interests, in which case an airline is just as much a random target as a gummy bear factory. But even if the goal was actually to paralyze air traffic, a software provider for airports would be a good choice from an attacker’s point of view.
A closer look at the product security incident
Regardless of whether the impact on airports was intentional or not, from an operator’s perspective, this remains a supply chain incident in which an attack on a software supplier has had an impact on the operator.
And in any case, it is a product security incident. If the CRA were already in force, Collins Aerospace would now have to report to ENISA, at least for a “severe incident,” and perhaps also for an “actively exploited vulnerability.”
In its official statement, RTX notably and explicitly confirms a “product cybersecurity incident involving ransomware on systems that support its Multi-User System Environment (‘MUSE’) passenger processing software.”
According to the Collins website, cMUSE can be used in the cloud, on-premises, or in a hybrid configuration; however, there is no information on which model the affected airports have chosen.
The RTX report states that the MUSE systems are operated at the airports in their own networks, “outside the RTX Enterprise network.” That sounds like an on-premises installation.
The truly compelling question from a product security perspective remains unanswered: How did the ransomware get onto the “support systems” for the MUSE software for the Collins software installations at the four airports?
If we knew that, we would also know how much we need to worry about Collins Aerospace’s other products, which may be more interesting from an attacker’s point of view. After all, these carry out such minor functions as navigation, communication, radar, and targeting systems for military aircraft.
Sarah Fluchs
Sarah Fluchs is the CTO of OT cybersecurity consultancy admeritia, the Co-Convenor for revising the ISA/IEC 62443-3-2 standard, Managing Director for the ISA99 committee, and a member of the EU Commission's CRA Expert Group. She holds a PhD (Dr.-Ing.) in automation engineering, with her PhD thesis "cybersecurity decision diagrams" focused on making and communicating cybersecurity decisions during engineering and has co-authored the Top 20 Secure PLC Coding Practices.