Aviation Cybersecurity for Airports: Why It Matters and What You Need to Know

Quick Answer

Airport cybersecurity is no longer optional—it's mandatory. The FAA is convening the Civil Aviation Cybersecurity Aviation Rulemaking Committee to develop comprehensive cybersecurity standards for airports, aircraft, ground support systems, and air traffic control. Meanwhile, the TSA has already imposed emergency cybersecurity requirements on Part 139 airports. Recent ransomware attacks have disrupted major airports, including Seattle-Tacoma International (impacting 90,000 people) and multiple European airports, such as Heathrow, forcing staff to use whiteboards for flight information and manually check in passengers. Beyond servers and networks, airports must secure operational technology systems, including lighting controls, navigation aids, HVAC systems, access control systems, and ground equipment—vulnerabilities that many operators are unaware of.

The Aviation Cybersecurity Landscape Has Changed—Here's Why You Should Care Right Now

If you're an airport operations manager, fixed-base operator, or aviation facility director, cybersecurity may seem like an IT issue. It's not anymore. It's an operational safety issue, a regulatory compliance requirement, and increasingly, a business continuity imperative.

Three forces are converging to make aviation cybersecurity urgent in 2025:

1. Federal Mandates Are Here (And More Are Coming)

The Transportation Security Administration issued emergency cybersecurity requirements in March 2023 for TSA-regulated airports and aircraft operators. These aren't suggestions—they're enforceable regulations with severe penalties for non-compliance.

But that's just the beginning. Congress directed the FAA to establish the Civil Aviation Cybersecurity Aviation Rulemaking Committee by May 15, 2025, tasked with developing findings and recommendations on cybersecurity standards for civil aircraft, aircraft ground support information systems, airports, air traffic control mission systems, and aeronautical products and articles. This committee will shape the future regulatory landscape for aviation cybersecurity.

What this means for you: More regulations are coming. The airports that start building cybersecurity programs now will have a significant advantage when new mandates take effect.

2. Attacks Are Increasing—And They're Devastating

The aviation sector has experienced a significant increase in cyberattacks. The industry experienced a 24% increase in cyberattacks, with 52 reported in 2020, 48 in 2021, and 55 in 2022. Notably, 71% of these attacks involved the misappropriation of login credentials and unauthorized access to IT infrastructure.

Here's what that looks like in practice:

Port of Seattle/Seattle-Tacoma International Airport (August 2024): A ransomware attack knocked out airport Wi-Fi, baggage systems, check-in kiosks, ticketing, passenger display boards, the airport website, the flySEA app, and reserved parking. Employees had to use dry-erase boards for flight and baggage information, and airlines manually sorted through bags. The attack affected 90,000 people and disrupted operations for days.

Collins Aerospace System/European Airports (September 2025): A ransomware attack on Collins Aerospace's ARINC Multi-User System Environment software platform disrupted multiple airports, including Heathrow, Berlin Brandenburg, Brussels, and Dublin, resulting in flight cancellations and delays as staff resorted to manual procedures for electronic check-in and baggage handling.

Kuala Lumpur International Airport (March 2025): A ransomware attack with a $10 million ransom demand disrupted flight information display systems, check-in counters, and other services for hours, potentially even days.

These weren't theoretical vulnerabilities—these were operational shutdowns at major airports serving millions of passengers.

3. The Cybersecurity Skills Gap Is Real

Most airport operations teams are excellent at managing physical infrastructure, coordinating flight operations, and ensuring passenger safety. However, cybersecurity requires a different expertise—one that most facilities lack in-house.

The challenge? You're expected to comply with technical regulations, even if you don't have a technical staff member who understands the systems' vulnerabilities, their connections, or where to begin.

Beyond Servers: The Airport Systems Attackers Actually Target

Here's the critical insight most airport operators miss: When cybersecurity experts talk about "systems," they're not just talking about your email server or website.

From 28 years of experience working with aviation systems at the FAA, I can tell you that airports have dozens of connected systems that most people don't think about as "cyber" targets:

Navigation and Landing Systems

• Instrument Landing Systems (ILS)

• Precision Approach Path Indicators (PAPI)

• Approach lighting systems (ALS)

• Localizer and glideslope equipment

• Very High Frequency Omni-Directional Range (VOR)

Airport Lighting and Signaling

• Runway edge lights

• Taxiway guidance signs

• Airport beacon systems

• Remote control systems for lighting intensity

Ground Operations Technology

• Automated weather observation systems (AWOS/ASOS)

• Fuel management systems

• Ground power and air conditioning units

• Baggage handling systems

• Access control and security cameras

Communication and Data Systems

• Airport communications systems

• Flight information display systems (FIDS)

• Public address systems

• Network-connected HVAC controls

• Building management systems

The concerning reality: Many of these systems were installed before cybersecurity considerations were a priority. They have default passwords, no encryption, outdated software, and direct connections to other networks.

An attacker doesn't need to compromise your primary server to cause operational chaos. They can target:

• A remote lighting controller that hasn't been updated in 10 years

• A weather observation system with a known vulnerability

• A building management system running on Windows XP

• A contractor's laptop that connects to multiple airport systems

The Regulatory Framework: What's Already Required and What's Coming

Aviation cybersecurity regulations come from multiple agencies, and understanding how they intersect is crucial. Depending on your facility type, you may be subject to one or more of these frameworks:

Understanding the Regulatory Landscape

TSA Airport Security Programs (49 CFR Part 1542): These requirements apply to airports that regularly serve certain air carrier operations, including:

• Scheduled passenger service with aircraft of 61+ seats

• Public charter service with 61+ seats

• Smaller scheduled services that deplane into sterile areas

• Airports serving aircraft operators under Part 1544 or foreign carriers under Part 1546

FAA Part 139 Airport Certification: Approximately 520 U.S. airports are certificated under Part 139, which covers:

• Scheduled passenger operations: Aircraft with 10+ passenger seats

• Unscheduled passenger operations: Aircraft with 31+ passenger seats

Part 139 airports are required to maintain Airport Operating Certificates and comply with safety and emergency response requirements. As of February 2023, particular Part 139 airports must also develop and implement Safety Management Systems (SMS) to identify and manage hazards and risks.

FAA Part 171—Non-Federal Navigation Facilities: If your facility operates non-federal navigation aids (ILS, VOR, DME, etc.), you're subject to Part 171 requirements for equipment reliability and accuracy. While these regulations don't explicitly address cybersecurity yet, compromised navigation systems directly impact the safety requirements.

Important Note: The TSA cybersecurity requirements apply to TSA-regulated airports, which is a broader category than just Part 139 certificated airports. Similarly, aviation facilities with navigation aids under Part 171, FBOs with critical systems, and general aviation airports may also face cybersecurity compliance requirements—especially as new regulations emerge from the Civil Aviation Cybersecurity ARC.

TSA Cybersecurity Requirements (Current—Since March 2023)

TSA's emergency amendment (issued March 7, 2023) imposes four core requirements on TSA-regulated airports and aircraft operators, including those committed to the Department of Defense's Civil Reserve Air Fleet:

1. Network Segmentation: Separate operational technology (OT) systems from information technology (IT) systems so that if one is compromised, the other can continue operating safely

2. Access Control Measures: Implement security controls to prevent unauthorized access to critical cyber systems

3. Continuous Monitoring and Detection: Deploy policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies

4. Patch Management: Apply security patches and updates promptly using a risk-based methodology

FAA Part 139 and Safety Management Systems (SMS)

Part 139 certificated airports are required to maintain Airport Operating Certificates and comply with safety requirements that cover signs, lights, markings, runway safety, aircraft rescue and firefighting, and other related aspects.

As of February 2023, particular Part 139 airports must develop and implement Safety Management Systems to identify and quantify potential hazards and risks. Cybersecurity incidents can now be classified as safety events requiring reporting and investigation under SMS frameworks.

The Civil Aviation Cybersecurity ARC (Coming Soon)

The FAA must convene the Civil Aviation Cybersecurity Aviation Rulemaking Committee, which will provide findings and recommendations to the FAA on cybersecurity standards. The committee will submit interim reports every 6 months, meaning new guidance and potentially new regulations will be forthcoming.

Bottom line: Whether you're TSA-regulated under Part 1542, FAA-certificated under Part 139, operate navigation aids under Part 171, or run an FBO or general aviation facility, the regulatory bar is rising. Airports and aviation facilities that invest in cybersecurity infrastructure now won't have to scramble when new mandates arrive.

The Single Most Important First Step: Know What You Have

From my experience helping airports navigate these challenges, here's what I tell every operations manager who's just waking up to the cybersecurity requirement:

You cannot protect what you don't know exists.

The most critical first step isn't buying expensive security software or hiring a cybersecurity firm. It's conducting a comprehensive asset inventory and vulnerability assessment.

What This Actually Means:

Asset Inventory:

• Document every system connected to a network (even air-gapped systems can have vulnerabilities)

• Identify who has access to each system

• Determine what data each system holds or transmits

• Map how systems connect

Vulnerability Assessment:

• Identify outdated software and firmware

• Find systems with default or weak passwords

• Discover unsecured remote access points

• Locate systems with known security vulnerabilities

Why This Matters:

Many airport operators discover through this process that they have:

• Legacy systems running software that's no longer supported

• Shadow IT—systems installed by contractors or vendors that nobody realized were still on the network

• Interconnected systems—the lighting controller that somehow connects to the same network as passenger Wi-Fi

• Forgotten access points—remote access accounts created years ago for maintenance that were never disabled

Once you understand what you have, you can prioritize risks and develop a realistic cybersecurity roadmap that aligns with your budget and staffing needs.

What Happens If You Don't Take This Seriously

The consequences of ignoring aviation cybersecurity aren't abstract:

Operational Disruption: At Seattle-Tacoma International, employees had to use dry-erase boards for flight information, and airlines had to sort through bags manually—imagine trying to manage that during the peak holiday travel season.

Financial Impact: Ransom demands can reach $10 million, and that doesn't include the cost of recovery, lost revenue, or potential legal liability.

Regulatory Penalties: Non-compliance with TSA cybersecurity requirements can result in daily fines exceeding $10,000, as well as potential operational restrictions or revocation of the certificate.

Reputational Damage: News coverage of a cybersecurity incident at your facility can affect passenger confidence, airline relationships, and community trust.

Safety Risk: In the worst-case scenario, compromised systems could affect navigation aids, lighting, or communications, creating genuine safety hazards.

Getting Started: A Practical Roadmap

Here's a realistic approach for small to medium-sized airports:

Immediate (This Month):

1. Schedule an asset inventory walkthrough with your operations and IT staff

2. Review TSA cybersecurity requirements and identify gaps

3. Change default passwords on critical systems

4. Document who has access to what systems

Short-Term (Next 90 Days):

1. Conduct a formal vulnerability assessment

2. Develop an incident response plan

3. Segment your networks (separate OT from IT)

4. Establish basic monitoring and alerting

Medium-Term (Next 6-12 Months):

1. Implement continuous monitoring capabilities

2. Develop a patch management program

3. Create cybersecurity training for all staff

4. Build relationships with cybersecurity resources

Long-Term (Ongoing):

1. Regular security assessments and penetration testing

2. Update and test incident response plans

3. Stay current with evolving regulations

4. Integrate cybersecurity into SMS/operations

Why Aviation Cybersecurity Requires Specialized Expertise

You wouldn't ask an IT professional to certify runway lighting—so why would you ask someone without aviation experience to secure aviation systems?

Effective aviation cybersecurity sits at the intersection of three domains:

1. Information Security—understanding cyber threats, vulnerabilities, and protections

2. Aviation Operations—knowing how airports actually function and what systems are critical

3. Regulatory Compliance—navigating FAA, TSA, and other aviation-specific requirements

Finding professionals who understand all three is rare. Most IT security firms understand cybersecurity, but they often lack a comprehensive understanding of ILS systems. Most aviation professionals understand operations but not information security.

That's why specialized aviation cybersecurity education and consulting exist—to bridge that gap.

Conclusion: The Time to Act Is Now

Aviation cybersecurity is no longer emerging—it's here. Federal agencies are actively developing new standards and regulations. Attacks are increasing at a rate of 24% year over year. And the airports that wait will face the dual burden of catching up on both security infrastructure and regulatory compliance simultaneously.

The good news? You don't have to become a cybersecurity expert overnight. You need to:

1. Understand what you're protecting (asset inventory)

2. Know what regulations apply (TSA, Part 139, future FAA rules)

3. Build a realistic roadmap (prioritized, budgeted, achievable)

4. Get specialized help (aviation cybersecurity expertise)

The airports that start now will be positioned not just to comply with mandates, but to actually protect their operations, passengers, and communities from real threats.

Next Steps: Deep-Dive Resources

This post provides the foundation. Here are specific topics we'll cover in upcoming articles:

• TSA Cybersecurity Requirements: A Complete Implementation Guide for TSA-regulated airports

• Securing ILS and Navigation Systems: Technical guidance for Part 171 facilities and ground systems engineers

• Aviation Cybersecurity on a Budget: High-impact, low-cost measures for small airports and FBOs

• Legacy System Risks: Assessing and mitigating vulnerabilities in older infrastructure

• Building an Aviation Incident Response Plan: What to do when a cyber event occurs

Want to go deeper? The Aviation Cybersecurity Academy offers comprehensive training on these topics, specifically designed for airport operators, FBO managers, ground systems engineers, and aviation facility managers who need to understand both the technical and regulatory aspects of aviation cybersecurity, regardless of their facility type or the applicable regulatory framework. You can find the first academy module here for free. You can find module 1 here for free.

Contact Aviation Relations for a free 30-minute discovery call to assess your facility's specific cybersecurity posture and regulatory compliance needs.

About the Author: Teddy Cooper is an ILS Electronic Engineer with the FAA's Advanced System and Design Service, with 28 years of aviation experience spanning military avionics and FAA engineering, specializing in navigation aids and airport ground equipment. He holds an MSIT degree with a specialization in Information Security and operates Aviation Relations, providing cybersecurity education and consulting services to aviation facilities nationwide.