The Collins Aerospace Cyber Attack – Valuable lessons to be learned in Business Continuity Planning

Jessica Weld

A recent cyber-attack on aerospace giant Collins Aerospace has caused wide-scale outages of its MUSE software, a check-in system used by some of Europe’s largest airports, including Dublin Airport and London Heathrow. The outage has caused mass disruption, resulting in stranded passengers and endless flight delays, and ultimately in mountains of manual work for ground staff.

The EU’s Cybersecurity Agency has since confirmed that this was a malicious ransomware attack. Hackers have deliberately knocked out Collins Aerospace systems for potential monetary gain.

At a time when large ransomware attacks on vital networks and systems are becoming increasingly common, organisations must not only strengthen cybersecurity measures; it is becoming increasingly imperative that they also have adequate plans in place for if and when crises like this arise.

Industry Specific View – Commercial Aviation

The commercial aviation industry operates on a tightly coordinated supply chain which, in recent decades, has become heavily automated. An issue with one link in the chain can cause a catastrophic domino effect, affecting many flights and thousands of passengers.

Within the European Union, airline passengers are heavily protected against such delays under EU 261 regulations. These regulations entitle passengers to compensation for events such as delays, cancellations and missing luggage. 

Compensation agency Skycop revealed that in 2024 alone, airlines owed passengers €6 billion under EU 261 regulations. One can only imagine the cost of passenger compensation given the number of flights and passengers affected by this cyber-attack. Alongside this, airlines will have to factor in staff overtime, the cost of repositioning crews and aircraft, and additional airport fees. (EU flight delays in 2024 may cost airlines over €6 billion).

For the airline industry, the financial risks associated with such an attack are far too high to not have a robust contingency plan in place. 

The Airline Response  

The Dublin Airport Authority’s Head of Media Relations, Graeme McQueen, informed RTÉ that both Ryanair and Aer Lingus test their manual check-in processes on one flight per week.

While regular testing is useful to familiarise staff with manual processes, it is not sufficient to test the airline’s capacity to cope with a wide-scale outage. If the system were to fail, it is unlikely that it would do so for only one flight. More often than not, outages are wide-scale.

The system outage caused Aer Lingus to revert to fully manual check-in processes for all scheduled flights. As a result, queues for check-in were taking 30 to 40 minutes at times. This caused multiple flight delays and as many as 13 Aer Lingus flights were cancelled on the second day of the outage, Tuesday, September 23rd. 

Better Business Continuity Planning Practice

A fit-for-purpose business continuity plan must, first and foremost, be built on a comprehensive risk assessment of potential threats. The plan’s instructions should respond comprehensively to all of these potential threats so that the organisation is fully prepared for any eventuality.

Secondly, resilience measures are vital to business operations and must be incorporated into business continuity planning. These are the measures taken to ensure that when an incident like this occurs, the recovery time is as quick as possible. A common resilience measure would be the use of backup systems to ensure downtime is minimised. 

Regular testing of business continuity plans is vital to ensure their success in the event of an incident. Testing is important to raise staff awareness of crisis procedures so that response time is quick. Testing is also beneficial to spot any weaknesses in planning and processes so they can be rectified. 

Capacity planning is very important in business continuity planning. As previously noted, outages are usually widespread and rarely occur in isolation. Organisations need to be prepared for the worst-case scenario and must ensure that their entire business operation can be supported by the business continuity plan in the event of an incident.

Lessons to be Learned by Airlines 

While it is known that airlines had regularly tested contingency plans in place to deal with an issue like this, it is clear that capacity was an unfortunate downfall of the incident response. This flaw wouldn’t appear in testing as usually conducted by Ryanair and Aer Lingus, as they only tested on one flight a week. It is apparent that the airlines didn’t account for the manpower required to handle manual procedures for all scheduled flights.

Resilience measures also appear to be lacking, as there is no backup system available to assist the recovery effort. Improvement in backup systems would reduce the risk posed by such incidents and, in this particular event, would prevent the enormous financial losses.

Finally, as it almost goes without saying, tightening of cybersecurity measures should be a top priority for the airlines, airports and suppliers like Collins Aerospace. In the current climate, ransomware attacks pose detrimental risks to vital, fast-moving industries like commercial aviation. In an ever-developing and increasingly automated world, organisations need to prioritise investment in cybersecurity to reduce risk.