The column – Cyber Security Week
A few days ago, between impalled automatic check-in, blocked luggage and interminable luggage ribbons to check-in desks, the Airports of Brussels, Berlin and Heathrow have experienced, once again, how fragile the technological system is and equally powerful its domino effect. The origin of the problem: a cyber attack that hit the Collins Aerospace Muse software, a company that operates not only in airport logistics, but be careful, also in defense.
This episode is useful not only as a chronicle of inconvenience in some way predictable, but also as a real laboratory in which critical issues are materialized that have long been denounced by those involved in cybersecurity, but which come with extraordinary ignored pervicacy.
In interconnected systems, such as the European airport network, it is enough that a single node vacilli because the entire system is in the abyss. If the system that manages check-in, luggage labeling, “automatic” boarding is freezing, not that point does not stop: there is a chain slowdown, a loss of efficiency that translates into delays, cancellations, extra costs. And this is despite or perhaps precisely because many technological components are “in the cloud” – that is, distributed, not directly under the physical control of local operators, often dependent on external systems or third parties. This makes the response to slower accidents, the most uncertain diagnosis, the most laborious remedy. The concrete lesson is that redundancy and manual procedures (which seem uncomfortable until everything goes well) become essential insurance against collapse. In this attack, the airports managed to limit the damage only by resorting to manual procedures, but it is not said that in all cases it can be.
The second theme is linked to the name of the “victim”. Collins Aerospace is not a dark and small supplier, but a high profile actor in the aerospace and defense sector. A company is expected to operate in sensitive contexts, with these involuntary crossings with military structures or critical infrastructure, has very high levels of safety: constant audit, robust redundancies, manual compliance, quick response to known vulnerability.
Yet it fell. Why? Possible reasons: risk underestimation, non -timely updates, dependencies hidden by external software, remote access not sufficiently armored, or simply human error. If such a company can be victims, it means that the problem is not marginal, but systemic: many other operators are probably not at the “ideal” level that we imagine, but much more exposed, with fragile defenses, perhaps with budget for cybersecurity that does not even approach the one dedicated to innovation or reduction of costs.
Given the goal, is it legitimate to ask: was it a “state-sponsored” attack? In times of geopolitical tensions and hybrid wars, critical infrastructures are often target. The hypothesis is not peregrine. However it is unusual. Attacks sponsored by some state usually pursue the exfiltration of data, long-term impairment, the construction of backdoor, not the simple chaos in the check-in checks of civil flights-activities that attract attention, but provide little strategic value. We then do an intellectual exercise. Possibility to: The striker made a mistake, ending up making more damage than expected and too much noise. Possibility B: We wanted to send a signal, perhaps political, economic or propaganda: to show that “we can penetrate you critical systems”. Possibility C: There is no state behind, but a well -equipped criminal group, perhaps with extortion intentions.
If the first is true someone has “burned” precious access; If the second is worth, we are witnessing a very worrying escalation; If it were good the third then we can imagine what groups supported by the states could do.
The attack on the Muse system is not only a technological black-out: it is the alarm bell that reminds us how the sky above us, now, is interwoven with data, codes and systems in which we put all our trust. And like every time a crack opens and a single bug, a flaw, or an error because the whole gross network is enough, without this that that trust, which is increasingly resembles an act of unconditional faith, go. Ultimately it is not a question of “if it happens again”, but of “how ready we will be when it happens next time”. Personally I fear very little.
