## Arrest in Connection with Major Airport Cyberattack
British authorities have made an arrest in the ongoing investigation into a ransomware incident that took down automated check-in and baggage systems at several major European airports. A man in his 40s from West Sussex was arrested under the Computer Misuse Act and has since been released on conditional bail while the investigation continues.
### Ongoing Investigation
Paul Foster, Deputy Director of the National Crime Agency’s Cyber Crime Unit, commented on the arrest, stating, “While this is a positive step, the inquiry into this incident is still in its early stages.” He emphasized the persistent threat of cybercrime, highlighting its capacity to disrupt critical services in the UK. The NCA aims to work alongside national and international partners to mitigate such threats and enhance public safety.
### Incident Background
The chaos began on September 19 when significant outages forced airlines to revert to manual processes. This failure created extensive queues and led to hundreds of delays and cancellations across major hubs, including London Heathrow, Brussels, Berlin, and Dublin. Passengers found themselves grappling with handwritten boarding passes and improvised baggage handling as ground staff scrambled to manage the disruption.
### Identification of the Attack
The disruption was quickly traced to a single vendor product: Collins Aerospace’s passenger processing software MUSE (Multi-User System Environment), which is shared by multiple airlines at each airport for check-in, bag drop and boarding. RTX, the parent company of Collins, disclosed the event in an 8-K filing, describing it as a “product cybersecurity incident involving ransomware.” The incident raises serious questions about the security of shared systems in critical transport infrastructure: because MUSE is deployed into each customer’s own network, a compromise of the product can propagate to every airport and airline that depends on it.
### Ransomware Classification
The European Union Agency for Cybersecurity (ENISA) confirmed that it had identified the ransomware family involved in the attack but declined to name it while investigations continue. That confirmation changed the character of the event from an unexplained outage to a recognized ransomware incident, and underscores the operational risk that third-party software poses to critical services. Ransomware typically encrypts files or whole systems and demands payment in exchange for decryption.
## Continued Impact on Airport Operations
Despite some progress in recovery efforts, airport operations are still lagging due to the aftermath of the cyberattack. Operators at Berlin’s airport have indicated that check-in and baggage handling processes have not yet fully returned to normal. Travelers should be prepared for ongoing delays and cancellations as teams navigate the recovery process. Meanwhile, Brussels has reported limited operations in specific areas, and Heathrow stated that while most flights are proceeding, passengers should verify their schedules. Dublin, on the other hand, has noted smoother operations, although some airlines continue to employ manual procedures.
### Incident Response Measures
RTX has activated its incident response plan and is working with both internal and external cybersecurity specialists. It has also notified domestic and international law enforcement. The company stated that affected customers had been directed to backup or manual processes, and that it does not anticipate a material financial impact from the incident at this time. The episode highlights two realities: that vendors must treat their products as likely targets, and that customers must maintain contingency procedures that do not depend on the vendor’s systems or network being available.
### Implications for Cybersecurity in Aviation
Cybersecurity experts view the incident as a stark reminder of supply chain risk in aviation. A single compromised platform can disrupt numerous airlines and airports simultaneously, which strengthens the case for clearer security requirements, and clearer lines of responsibility, between software providers and the operators who rely on them. There is an urgent need for tested, offline fallback procedures for critical operations, and for faster sharing of threat information among operators and regulators so that incidents can be contained and recovered from quickly.