In September, international airports across Europe were forced into near paralysis after a cyber incident at Collins Aerospace, a major supplier to the aviation sector. Departure halls filled with stranded passengers. Check-in desks went dark. Airlines reverted to handwritten boarding passes and whiteboards to track baggage. Processing capacity collapsed almost instantly.
The root cause was not an airline failure, nor an airport system outage. It was an attack on MUSE (Multi-User System Environment) — a “common-use” software platform operated by Collins Aerospace and deployed at major hubs including Heathrow. Designed to allow multiple airlines to share terminals seamlessly, MUSE acts as the digital operating system of the airport floor, translating among hardware, airline databases, passenger records, and baggage systems.
By centralising these services, MUSE created exactly what attackers seek: a single platform whose compromise delivers maximum leverage. When it failed, the impact was immediate. Capacity did not degrade gradually; it dropped off a cliff. Without the software required to reconcile passenger lists, flight manifests, and baggage routing, delays cascaded into widespread cancellations.
International hubs were forced to invoke business-continuity plans. Manual check-in reduced throughput by nearly 90 percent, turning airports into holding zones rather than transport systems. Agencies including the National Cyber Security Centre (NCSC) and the European Union Agency for Cybersecurity (ENISA) confirmed the event was not a routine outage but a supply-chain cyber incident with sector-wide consequences.
When digital fragility becomes systemic risk
This incident illustrates how reliance on common digital platforms can transform a single software failure into a global blockade. In aviation, we would never accept an engine component that had not been stress-tested to the point of failure. Yet we routinely depend on digital infrastructure that, if misconfigured or compromised, can halt operations at scale.
The Collins incident was, in many ways, a best-case scenario for a supply-chain failure. The attack disrupted a business process system — passenger check-in — not a flight-critical or safety-critical control system.
But the same digital ecosystems that carry passenger details often interface with mission-critical data. If a similar compromise were to occur in an operational technology (OT) environment, the conversation would shift rapidly from inconvenience to danger.
Imagine a corrupted software update altering weight-and-balance calculations delivered to a pilot’s Electronic Flight Bag. Or ransomware preventing access to engine maintenance records needed to verify airworthiness. In such cases, fleets would be grounded indefinitely — not because aircraft were unsafe to fly, but because their safety could no longer be proven.
Between 2024 and 2025, hostile activity targeting the aviation sector has escalated. Safety depends on the integrity of data — fuel loads, navigation coordinates, cargo weights. A breach of that integrity is not a cyber issue alone; it is a direct threat to life.
The need for speed — and the duty to report
Collins is a supplier to Rolls-Royce and has a duty to report cyber incidents. After we learned about the event by watching the news, we contacted Collins to confirm the incident did not directly impact Rolls-Royce systems.
In today’s regulatory environment, silence is no longer defensible. New legislation is removing the option for vendors to “handle incidents quietly.”
Under the EU’s NIS2 Directive, organisations must submit an early warning to their national Computer Security Incident Response Team (CSIRT) within 24 hours of becoming aware of a significant incident. EASA Part-IS regulations require notification — including an initial severity assessment — within 72 hours.
Failure to report can result in penalties of up to 4 percent of global turnover. But the greater cost is not financial. For an industry built on trust, undisclosed incidents can lead to reputational damage, regulatory scrutiny, and inclusion in aviation safety investigations.
Resilience over illusion
We cannot firewall our way to perfect security. The focus must shift from fortress-building to resilience: the ability to absorb shock, fail safely, and continue operating while systems recover.
That requires three fundamental changes.
Continuous oversight of the supply chain
Annual, point-in-time security assessments are no longer sufficient. Organisations must move to continuous monitoring — using automated tools that assess supplier security posture in real time. If a critical vendor’s risk profile changes overnight, teams need to know before disruption hits.
Architecting for disconnection (Zero Trust)
We must assume the supply chain will be breached and design systems to contain that breach. Segmentation, least-privilege access, and Zero Trust principles are essential to preventing compromise from cascading across operations.
Operational readiness for manual fallback
The Collins incident proved that when screens go black, whiteboards come out. Every organisation needs an incident-response playbook that explicitly addresses vendor compromise and enables manual continuation of critical processes.
Ask a simple question: If Vendor X goes offline for 48 hours, how do we keep operating? Those procedures must be exercised regularly so teams can switch modes without operational collapse.
A resilience mindset
Resilience means accepting that cyberattacks will happen. The most secure organisations are not those that avoid attack entirely, but those that are engineered to fail safely, recover quickly, and keep operating while the smoke clears.
The Collins Aerospace incident exposed a deeper truth about modern supply chains. We have built global digital ecosystems that are fast and efficient — but increasingly fragile. System boundaries no longer stop at the edge of our networks. They now extend to the edges of our suppliers’ networks.
A proactive defence and response-readiness posture demands transparency, regulatory compliance, and a relentless prioritisation of safety and resilience. We cannot wait for the next black-screen day to start asking the hard questions.
This article is by Rolls-Royce Supplier Cyber Security Lead Clare McBrearty.