Natalie Forrestill, Senior Cyber Security Consultant at AtkinsRéalis, outlines how airports are responding to a raft of cyber regulations globally, addressing legacy systems and bolstering their supply chains.
Airports worldwide are under mounting pressure to boost their cyber resilience as governments sharpen regulations on critical infrastructure. Since 2022 there has been a surge of new cybersecurity mandates for the aviation sector in major jurisdictions.
In the United States, authorities rolled out mandatory cyber measures for airports – from faster incident reporting to isolating critical systems – via Transportation Security Administration (TSA) directives. Australia likewise expanded its security laws to include aviation, requiring airports to implement cyber risk management and incident reporting as part of operating critical infrastructure. In Europe, the EU’s Network and Information System Directive 2 (NIS2) compels airports to establish comprehensive cyber risk programmes, adhere to strict 24-hour and 72-hour breach notifications, and enforce stronger supply chain security controls. These obligations are mirrored in the UK’s forthcoming Cyber Security & Resilience Bill. In many cases, these rules broaden their scope to smaller airports and threaten heftier fines for non-compliance.
This global regulatory momentum is reinforced by international aviation bodies (ICAO, ACI, IATA), which are simultaneously urging stronger cyber defences in aviation. All these efforts reflect heightened concern for cyber threats to critical airport systems – especially operational technology (OT) and complex supply chains that keep airports running.
AtkinsRéalis frequently carries out formal cyber assessments of OT systems for several global airports – including baggage, traffic, lighting and heating systems – and these have revealed a number of common themes that highlight the unique challenges airports face in managing legacy infrastructure and evolving cyber threats.
Operational technology: critically overlooked?
Despite growing preparedness for cyber threats, many airports are still evolving their understanding of which systems should be considered ‘critical’ from a cyber resilience perspective. This is often shaped by legacy regulatory frameworks and a historical emphasis on IT systems, which has inadvertently led to OT being under-prioritised.
Often, organisations begin by assessing systems already known to fall under existing regulations, then gradually expand their scope to apply lessons learned and extend good practices across other systems. Some of the recurring themes we saw in our assessments suggest that OT systems are not always formally recognised as ‘critical’, not due to neglect but because they are ‘part of the furniture’.
These systems – often decades old – may lack current documentation, and essential knowledge about them is frequently held by just a few individuals. The impact of COVID-19 and broader economic shifts has also contributed to the loss of in-house expertise, while some suppliers may have ceased operations or no longer support the equipment. This makes it challenging to build a picture of these systems: how they work and what they are connected to.
OT systems in situ tend to be older or specialist systems that have fewer security measures designed in, or do not support the newer security features of modern software and firmware. This leaves airport operators with a choice: either replace vast swathes of infrastructure at enormous expense, or manage the risk and implement other controls, such as restricted physical access or stronger incident response and recovery procedures, to mitigate damage.
Although the IT sector has made significant strides in cyber security controls and their widespread application, translating these principles to OT environments remains complex. We’ve seen organisational policies and cyber teams attempt to apply IT-centric approaches to OT with limited success. Take patching, for example – IT undertakes this frequently, but it is not always feasible in OT because of high availability requirements and the need for rigorous testing before deployment.
Risks and consequences
These challenges give rise to several recurring risks across OT environments, such as:
- Limited asset visibility: Without a comprehensive view of assets and their vulnerabilities, unknown assets and vulnerabilities may remain on the network, creating exploitable gaps.
- Unclear network boundaries: Poor understanding of how systems interconnect can allow attackers to move laterally across other systems, escalating the impact of the breach.
- Supply chain exposure: Legacy contracts and unmanaged supplier relationships often lack modern security provisions, leaving systems vulnerable to third-party compromise.
The consequences are far more than theoretical. A cyber breach could lead to wide-scale disruption – extinguishing runway lights, halting baggage flow, or interfering with boarding pass scanners. In 2024, Seattle-Tacoma International Airport suffered a cyberattack that affected its internet connectivity, display systems and baggage sorting operations, resulting in over 400 delays and cancelled flights. Although UK airports have not faced a comparable cyber-attack, incidents such as the power outage at Heathrow and IT disruption at Stansted in 2025 are a reminder of the consequences when critical systems are disrupted.
A helicopter view
To stay ahead of both regulatory developments and evolving cyber threats, airports must adopt a strategic, integrated approach to securing OT and supply chain systems. Rather than working on a system-by-system basis, where dependencies are often overlooked, operators should focus on understanding their systems collectively and how they interact. Adopting a cross-cutting, “systems of systems” approach will give airports better insight into their cybersecurity posture and help them identify the highest and most commonly shared risks across their estate, which can then be tackled holistically. This not only improves resilience but also delivers greater value for investment.
A robust OT cyber security strategy must be developed alongside the IT security frameworks, ensuring alignment while recognising the distinct requirements of each domain. This includes processes to manage the supply chain throughout the life of any asset – from procurement to decommissioning.
Embedding this approach into organisational policies, standards, and cyber security training is essential. Upskilling operational teams in cyber security and, conversely, IT professionals in the nuances of OT will help to bridge the gap, foster a cyber resilience culture and reap long-term benefits.
By proactively addressing the cyber risks associated with legacy OT systems and supply chain dependencies, operators can strengthen their defences, reduce exposure to regulatory penalties, and safeguard the continuity of operations and passenger safety.
This article was first published in Airport World, Issue 4 2025.