by Mike Ichiriu

I recently had the privilege of attending Defend the Airport, a leading aviation cybersecurity conference hosted by the Technology Advancement Center (TAC) in Columbia, MD. TAC is a nonprofit organization dedicated to fueling the people and technology needed to solve critical defense and cybersecurity challenges for the nation. The events they host bring together a veritable who's who from the U.S. government and industry to discuss pressing airport cyber threats.

TAC excels at getting the right people in the room, and Defend the Airport was no exception. Here are some of my biggest takeaways from the event.

Aviation Cyber Threats: We Are Exposed

According to a recent report by the Cyberspace Solarium Commission, the number of cyberattacks on the aviation industry increased 131% from 2022 to 2023. A flight delay may irritate travelers, but a complete grounding of all commercial air traffic – like the January 2023 incident when air traffic control systems went offline for two hours – is far more disruptive. While that outage wasn't caused by a cyberattack, it underscored just how easily malicious actors could cripple systems for days or weeks.

The critical role of our nation's airports in commerce, logistics, and military operations is undeniable. At Defend the Airport, speakers like Rear Adm. Mark Montgomery highlighted how the U.S. military relies on commercial aviation to move personnel and supplies. They detailed actions by Volt Typhoon, a PRC-based threat actor that compromises critical infrastructure to enable future disruptions, showing how cyberattacks can undermine national functions even without kinetic conflict.

Attack Scenarios: What We Faced on the Cyber Range

TAC's team brought these threats to life through demonstrations on the Adega Airport Cyber Range, a realistic simulation reproducing the actual network of an anonymous US civil airport. These weren't hypothetical scenarios; they replayed real-world attacks on aviation infrastructure. The scenarios included attacks on:

  • Baggage Handling System (BHS) disruption → halting sortation can quickly strand thousands of bags and create cascading delays.
  • Fuel management manipulation → dealing with false level readings can require time-consuming manual verification, and can potentially ground flights during peak hours.
  • Air traffic–adjacent IT interference → reducing situational awareness can force a failover to manual tracking, reducing landing capacity.
  • Radar spoofing → tampering with critical systems that are relied upon for accurate airplane location data; increases the possibility an incursion (e.g., drones) would go undetected.
  • PLC/OT command injection → attacking programmable logic controllers can cause physical equipment damage and trigger extended outages of essential systems like jet bridges, ground power units, and HVAC controls.

The results of these simulated attacks were both sobering and alarming, demonstrating the cascading effects that even a single successful breach could have on airport operations and national security.

We Can Do Better

The good news? Technical solutions exist to counter these airport cyber threats. TAC gave selected vendors a chance to showcase how their tools detect or prevent the attacks demonstrated on the cyber range. The vendors performed impressively; many demonstrated detection capabilities that could trigger automated defenses and remediation workflows.

Our Zentera demo took a prevention-first approach, emphasizing Zero Trust principles specifically tailored for aviation environments. We were called upon to defend a PLC and a serial device server against an attack ripped from the headlines: a payload delivered with the help of an Internet-connected thermometer. We showed how airports could maintain normal operations while completely blocking the attack vectors we'd seen earlier, proving that security doesn't have to come at the expense of operational efficiency.

But the reality is grim: few facilities have implemented these safeguards. Limited budgets (especially for rural airports), competing priorities, and chronic understaffing often delay action. That works... until it doesn't.

We Will Do Better

Voices for change are growing louder. At Defend the Airport, Dr. Wanda Jones-Heath, USAF Principal Cyber Advisor, pushed for proactive security: implementing controls and policies upfront instead of reacting post-attack.

Amid the gloom around current aviation cybersecurity, I spotted hope: Government and industry leaders are resolved to make things better through tight partnerships. Public and private sector attendees agreed on a fundamental principle: "We will do better."

Achieving this needs new policies and funding - but not necessarily new tech. As vendors like us showed, the solutions needed to eliminate these vulnerabilities already exist. The challenge now is implementation at scale, supported by adequate resources and coordinated efforts across the aviation ecosystem.

The stakes are too high for anything less than our full commitment to securing this critical infrastructure. The conversations at Defend the Airport made clear that the aviation industry recognizes this responsibility, and is prepared to act on it.


5 Takeaways from the Event

  1. Small footholds, big impact. Compromised IoT/serial devices can chain to PLCs and disrupt ops.
  2. Detection isn’t enough near controllers. Prevention at the session/protocol layer reduces blast radius.
  3. Identity + protocol control wins. Overlay access and allow-listing stop high-impact paths without re-IP or firewall rewrites.
  4. Start small, prove it’s ops-safe, then scale. Pilot one OT cell (e.g., BHS), measure, and expand deliberately.
  5. Partnerships are the force multiplier. Airports, vendors, and agencies aligned on taking action now.

Quick FAQ

How do we secure PLCs without network surgery?

Use an identity-aware overlay to gate every session, then allow-list industrial protocols/commands. No IP changes or firewall rule rewrites required.


What’s the fastest win for baggage systems?

Ring-fence the BHS OT cell, restrict paths to controllers, and broker vendor maintenance sessions with time-boxed access and audit.
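The two answers above describe one control from different angles: gate every session on identity, bind it to a single controller, time-box brokered vendor access, and allow-list the industrial function codes that may reach the PLC, auditing every decision. The following Python sketch is an added example written for this page; it is not Zentera's product code and not anything run on the cyber range. It applies that policy to constructed Modbus/TCP requests (the real Modbus function-code values are used, but the PLC names, roles, principals, and the allow-list tables are assumptions made up for the illustration).

```python
"""Identity-aware session gate with a Modbus function-code allow-list.

Added example: every session carries an authenticated identity and one target,
vendor maintenance sessions are time-boxed, and only allow-listed function
codes reach the controller. Names such as "bhs-plc-01", the roles, and the
policy tables are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple
import struct

# Modbus function codes referenced by the policy (values from the Modbus spec)
FC_READ_COILS = 0x01
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE_REG = 0x06
FC_DIAGNOSTICS = 0x08
FC_WRITE_MULTI_REGS = 0x10


@dataclass(frozen=True)
class Session:
    principal: str                      # identity the overlay authenticated (assumed done upstream)
    role: str                           # "operator" or "vendor"
    target: str                         # the one PLC this session is bound to
    expires: Optional[datetime] = None  # time-box for brokered vendor maintenance sessions


# Hypothetical policy for one BHS OT cell: who may reach which controller, with which functions.
ALLOWED_TARGETS: Dict[str, Set[str]] = {"operator": {"bhs-plc-01"}, "vendor": {"bhs-plc-01"}}
ALLOWED_FUNCTIONS: Dict[str, Set[int]] = {
    "operator": {FC_READ_COILS, FC_READ_HOLDING},           # read-only monitoring
    "vendor": {FC_READ_COILS, FC_READ_HOLDING,
               FC_WRITE_SINGLE_REG, FC_WRITE_MULTI_REGS},   # writes only inside a maintenance window
}

AUDIT: List[dict] = []   # every decision, allow or deny, is recorded here for the SOC


def parse_function_code(frame: bytes) -> int:
    """Return the function code of a Modbus/TCP request (7-byte MBAP header, then PDU)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return frame[7]


def gate(session: Session, frame: bytes, now: datetime) -> Tuple[bool, str]:
    """Decide whether one request may pass from this session to its PLC; audit either way."""
    allowed, fc = False, None
    try:
        fc = parse_function_code(frame)
    except ValueError as exc:
        reason = "malformed request: %s" % exc
    else:
        if session.expires is not None and now >= session.expires:
            reason = "session window expired"
        elif session.target not in ALLOWED_TARGETS.get(session.role, set()):
            reason = "role %s may not reach %s" % (session.role, session.target)
        elif fc not in ALLOWED_FUNCTIONS.get(session.role, set()):
            reason = "function code 0x%02x not allow-listed for %s" % (fc, session.role)
        else:
            allowed, reason = True, "allowed"
    AUDIT.append({"time": now.isoformat(), "principal": session.principal,
                  "target": session.target, "function": fc,
                  "allowed": allowed, "reason": reason})
    return allowed, reason


# Constructed sample requests (hex), not captured traffic: MBAP header then PDU.
READ_HOLDING = bytes.fromhex("00010000000601030000000A")           # FC 03, 10 registers from 0
WRITE_SINGLE = bytes.fromhex("0002000000060106001000FF")           # FC 06, write 0x00FF to register 16
DIAGNOSTICS = bytes.fromhex("000300000006010800000000")            # FC 08, diagnostics sub-function 0
WRITE_MULTI = bytes.fromhex("00040000000B01100000000204000A000B")  # FC 16, two registers from 0
TRUNCATED = bytes.fromhex("000500000006")                          # header only, no function code

NOW = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=3)                                   # past the vendor's window
OPERATOR = Session("ops.alice", "operator", "bhs-plc-01")
VENDOR = Session("vendor.bob", "vendor", "bhs-plc-01", expires=NOW + timedelta(hours=2))
STRAY = Session("ops.alice", "operator", "fuel-plc-02")            # target outside the ring-fenced cell


def run_demo() -> List[bool]:
    """Replay the sample requests through the gate and return the allow/deny decisions."""
    checks = [
        (OPERATOR, READ_HOLDING, NOW),   # allowed: read-only
        (OPERATOR, WRITE_SINGLE, NOW),   # denied: operators cannot write
        (VENDOR, WRITE_MULTI, NOW),      # allowed: inside the maintenance window
        (VENDOR, DIAGNOSTICS, NOW),      # denied: FC 08 is never allow-listed
        (VENDOR, WRITE_SINGLE, LATER),   # denied: window expired
        (STRAY, READ_HOLDING, NOW),      # denied: PLC outside the cell
        (OPERATOR, TRUNCATED, NOW),      # denied: malformed frame
    ]
    return [gate(s, f, t)[0] for s, f, t in checks]


if __name__ == "__main__":
    run_demo()
    for entry in AUDIT:
        print(entry)
```

The point of the sketch is the ordering: the gate fails closed on a malformed frame, then checks the time-box, then the session-to-controller binding, and only then the function code, so a request that is well-formed and comes from a known identity is still dropped if it carries a write a read-only role should never send. Because the allow-list is evaluated per session rather than per source IP, the same control works without re-addressing the OT cell or rewriting firewall rules, which is what the FAQ answers claim for the overlay approach.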


How do we mitigate nation-state “pre-positioning”?

Assume attempts are ongoing. Block lateral movement with segmentation/overlays, require identity on every session, and stream high-signal telemetry to the SOC for continuous hunting.