In May 1940, the Maginot Line failed. France’s series of defences were bypassed by the Wehrmacht through the Ardennes. That France hadn’t factored in Germany’s ability to bypass their defensive system is often derided.
The thing is, in a manner of speaking, they did plan for it. There were communication exchanges along the line in order to quickly relay information to the rest of the French forces.
What the French army didn’t plan, granted amongst many other things, was sabotage. The Wehrmacht sabotaged the telephone lines so that their panzers (tanks) were already through the line before any reaction could happen.
Fast forward to the weekend just gone and airports across Europe, but most notably Terminal 2 in Dublin Airport, stalled because of an issue most travellers didn’t think of from a supplier they hadn’t heard of.
The Muse check-in system developed by Collins Aerospace was the overlooked weak point in this instance. Passengers were frustrated by airport operator DAA and Aer Lingus when most of their ire really belong with a company they hadn’t heard of which is trusted far beyond these shores.
Collins, which is a subsidiary of RTX (formerly Raytheon), was hit by a ransomware attack. This led to check-in systems either going offline fully or slowing to an unusable crawl. This forced airlines, most notably Aer Lingus as the largest operator in Terminal 2, to go back to basics.
Bag tags were hand written, boarding passes were printed manually and everything slowed down considerably. The result was delays across the board as well as cancellations. The invisible plumbing that keeps air travel going only comes to the fore when something goes wrong.
[ Dublin Airport continuing to manage fallout from cyberattackOpens in new window ]
These are also the most likely points for such an incident to occur. If Visa or Mastercard suffered a severe cyberattack, you’d understand that making payments would become difficult.
It’s the same for Collins Aerospace and airport management, when they were hit then every airport using their services along with the passengers going through it felt the pinch.
The only difference is that you’ve heard of Visa and Mastercard and thought Collins was a dictionary company. More often than not, the point of failure comes in a company with the importance but lack of public profile of Collins.
It’s also a matter that is being addressed, albeit with a lot of heavy lifting, by the European Union. The NIS2 directive and, to a lesser degree in cases like these, the Cyber Resilience Act (CRA) are squarely aimed at ensuring the organisations you have heard of, like DAA, are using third party companies that meet clear thresholds for cyber resilience.
It extends security expectation across the supply chain, removing the excuse of the big brand blaming a third party supplier for the error. That big name, the one ostensibly providing the service like DAA and Aer Lingus were, is expected to have ensured its third party suppliers are fit for purpose.
NIS2 was meant to have been signed into law by all EU governments by October 17th, 2024. Ireland, like quite a number of other member states including France and Germany, is still running behind on transposing it into national law.
Had NIS2 been in place on time, then any company or organisation using Collins Aerospace’s products would have been required to check that these products met certain cyber hygiene requirements and that the contracts therein met certain ongoing cybersecurity standards.
There’s a reasonable chance DAA already did this, despite not being required to, as it and others impacted alerted the relevant authorities quickly about the issue. That wasn’t particularly difficult given how visible the fallout was. It can also be assumed that Collins’ product met the required cyber hygiene standards.
[ Area 14: Dublin Airport’s ghost underground stationOpens in new window ]
Where the likes of NIS2 and the CRA, which is also still in the processing stage, would have definitely made a difference is in fallback measures. The level expected is high and this past weekend’s disruptions would likely have been far less in such an instance.
That’s because of the penalties at play when it comes to not meeting NIS2 requirements, which can go as high as €10 million or 2 per cent of global turnover in some cases. It’s the type of stick that puts manners of organisations.
The incident at the weekend was for air travel passengers but the world we live and work in today is heavily reliant on invisible companies. That’s not a bad thing. An awful lot of the work these companies do is incredibly boring despite being vital to basic day to day activities.
Improving oversight on important boring work is the only way to reduce future incidents like what happened in Dublin last weekend.
The French likely would still have been in a world of bother without their phone lines being sabotaged but it’s still dreadful that they didn’t account for such an attack back in 1940.
By 2025, we should know better than to allow core pieces of infrastructure to be so vulnerable to attack.
