When the Digital World Grounds the Physical One
I remember standing in the chaotic departure hall of a major international airport a few years ago, grounded by a volcanic ash cloud halfway across the world. The screens were frozen, the staff were overwhelmed, and thousands of us were stranded. It was a powerful, tangible reminder that for all our advanced technology, we were still at the mercy of the physical world.
The irony is that today, the situation has completely inverted.
In late September 2025, thousands of travellers across Europe found themselves in a similar state of chaos. Flights were cancelled at Heathrow, check-in queues snaked through terminals in Brussels, and baggage systems ground to a halt in Berlin. But this time, the culprit wasn’t a force of nature. It was a ransomware attack on a single, obscure software provider that most of those stranded passengers had never even heard of: Collins Aerospace.
This is the new reality, and it’s one that C-suite leaders, especially those outside of the tech industry, are dangerously unprepared for. The Collins Aerospace breach is more than just another cybersecurity incident; it’s a stark wake-up call to the hidden, fragile, and deeply interconnected cyber dependencies that underpin our physical world. We have spent decades optimising our physical infrastructure for efficiency, building just-in-time supply chains and seamlessly integrated systems. In doing so, we have inadvertently created a digital house of cards. The Collins breach has shown us just how easily a single, well-aimed gust of wind can bring it all tumbling down.
The bottom line is this: your biggest cyber risk may not be in your own data centre. It’s likely hidden in the software of a trusted third-party vendor who runs a critical piece of your physical operations. And if you don’t understand that dependency, you’re not managing your real-world business risk.
Anatomy of a Modern Crisis: The Supply Chain Attack Vector
To grasp the strategic significance of this event, we have to dissect what actually happened. The attackers, identified as the HardBit ransomware group, didn’t target British Airways or Lufthansa. They didn’t breach the airports themselves. They went after a much softer, higher-leverage target: the software that all these organisations rely on.
The Single Point of Failure: The MUSE System
Collins Aerospace, a subsidiary of the massive defence and aerospace conglomerate RTX Corporation, provides a passenger processing system called MUSE. This system is the digital backbone of airport operations, handling everything from check-in and bag drop to boarding gate management. It’s the invisible software layer that connects the airline, the airport, and the passenger.
When the attackers hit Collins with ransomware, they didn’t just encrypt some corporate files. They effectively severed the digital spinal cord of every airport that relied on their platform. The result was immediate and catastrophic paralysis. Check-in desks couldn’t issue boarding passes. Baggage systems didn’t know where to route luggage. Boarding gates couldn’t validate passengers.
The only recourse was to revert to a painful, slow, and error-prone analogue world: manual check-in. For a system built for high-volume, high-speed digital processing, this was the equivalent of a modern logistics company suddenly being forced to use horse-drawn carts. The disruption was the goal, and it was achieved with devastating efficiency.
The Ripple Effect: Cascading Failures
This is the hallmark of a sophisticated supply chain attack. The initial breach is just the epicentre; the real damage is in the seismic waves that propagate outwards.
Think about the cascading failures:
- Airlines: Lost revenue from cancelled flights, massive costs from passenger re-bookings and accommodation, and significant reputational damage.
- Airports: Operational chaos, SLA penalties, and a loss of trust from both airlines and passengers.
- Passengers: Missed connections, ruined holidays, and lost business opportunities.
- Downstream Logistics: The delay in air travel has knock-on effects on air freight, postal services, and other time-sensitive deliveries.
The attackers didn’t need to breach hundreds of organisations. They breached one, and in doing so, they held a significant portion of Europe’s aviation infrastructure hostage. This is leverage at a scale we have rarely seen before.
Frankly, this incident exposes a fundamental flaw in how we’ve approached third-party risk management. For years, our focus has been on data privacy. We send vendors lengthy questionnaires asking how they protect our customers’ personally identifiable information (PII). While important, this is a dangerously narrow view. We failed to ask a much more critical question: “What happens to our physical operations if your system goes offline tomorrow?”
The Blurring Lines Between IT and OT
I once consulted for a large manufacturing firm. Their CISO was incredibly proud of the “air gap” between their corporate IT network and their operational technology (OT) network that ran the factory floor. He believed his critical machinery was safe from cyberattacks. During a walk-through, we found a third-party maintenance laptop for a specific piece of German engineering equipment. It was connected to the OT network to diagnose the machine, but the engineer had also connected it to the corporate Wi-Fi to download a manual. The air gap was a myth.
The Collins Aerospace breach is this exact problem on a global scale. The MUSE passenger processing system is a classic example of a cyber-physical system. It’s not just IT; it’s OT. It is software that directly controls the movement of physical assets—people and baggage.
For decades, the security of OT systems was based on obscurity and isolation. They ran on proprietary protocols, were not connected to the internet, and were therefore considered safe. That era is over. Modern OT is built on standard IT infrastructure. It runs on Windows or Linux, communicates over standard IP networks, and is often managed remotely via the cloud.
This convergence of IT and OT is what enabled the attack on Collins to have such a profound physical impact. The attackers used a classic IT attack vector—ransomware—to cripple a critical OT function. This blurring of lines requires a complete rethink of our security and resilience strategies. The CISO, who has traditionally focused on protecting data, and the Chief Operating Officer (COO), who has focused on physical processes, must now be joined at the hip. A vulnerability in the COO’s world can now be triggered by an event in the CISO’s, and vice versa.
A New Mandate for the C-Suite: Resilience Over Prevention
If there is one lesson to be learned from this incident, it is that prevention, while necessary, is no longer a sufficient strategy. In a world of deeply interconnected supply chains, you cannot prevent every breach. You must assume that one of your critical third-party vendors will be compromised.
The new mandate, therefore, is resilience. It’s not about building impenetrable walls; it’s about ensuring you can still operate when one of those walls inevitably crumbles. This requires a new level of strategic thinking from the C-suite.
1. Radically Remap Your Dependencies: You need to go beyond a simple list of vendors. You must map your critical business processes to the specific third-party software and services they depend on. This isn’t an IT task; it’s a business continuity task. For each critical process, you must ask:
- Which vendors are single points of failure?
- What is our plan to operate this process if that vendor is offline for an hour? A day? A week?
- Have we tested this plan? Not a tabletop exercise, but a real-world drill where we actually switch to manual or alternative processes.
2. Scrutinise the Resilience of Your Vendors: Your vendor security questionnaires need a radical overhaul. Stop asking just about data encryption and start asking about operational resilience.
- “Can you demonstrate your ability to operate your service from a completely separate, air-gapped backup site?”
- “What are your tested Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for a bare-metal recovery from a ransomware attack?”
- “Do you provide us with a ‘clean’, offline copy of our critical configuration data that we can use to restore services with an alternative provider if necessary?”
3. Invest in Graceful Degradation: In the digital world, we often think in binary terms: a system is either online or offline. This is a failure of imagination. Critical systems should be designed to degrade gracefully. When the Collins MUSE system went down, the entire process fell off a cliff, from 100% digital to near 0% efficiency with manual processes. A more resilient system would have had a semi-automated “limp mode.” Perhaps it could have operated in a read-only mode, allowing already-checked-in passengers to board. Perhaps it could have cached critical data locally at the airport level to allow for some degree of independent operation. We must design for failure, not just for success.
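The read-only "limp mode" described above, as an added example (not code from Collins, MUSE or any airport system): a boarding-gate check that serves already-checked-in passengers from a local cache when the central system is unreachable and routes everyone else to staff. The names `GateValidator` and `UpstreamUnavailable`, the record shape and the six-hour cache age are assumptions made for illustration.

```python
import time

class UpstreamUnavailable(Exception): pass  # hypothetical outage signal

class GateValidator:
    """Boarding-gate check with a read-only, locally cached fallback."""
    def __init__(self, upstream, max_cache_age_s=6 * 3600, clock=time.time):
        self.upstream = upstream      # callable: booking_ref -> record dict
        self.max_cache_age_s = max_cache_age_s
        self.clock = clock
        self.cache = {}               # booking_ref -> (record, fetched_at)
        self.manual_queue = []        # refs that need a human decision

    def validate(self, booking_ref):
        """Return (decision, mode): decision is 'board', 'deny' or 'manual'."""
        try:
            record = self.upstream(booking_ref)
        except UpstreamUnavailable:
            return self._degraded(booking_ref)
        self.cache[booking_ref] = (record, self.clock())
        return ("board" if record["checked_in"] else "deny", "online")

    def _degraded(self, booking_ref):
        entry = self.cache.get(booking_ref)
        if entry is not None:
            record, fetched_at = entry
            fresh = self.clock() - fetched_at <= self.max_cache_age_s
            # Limp mode honours only check-ins confirmed while online and still fresh.
            if fresh and record["checked_in"]:
                return ("board", "degraded")
        # Unknown, stale or not-checked-in: hand to staff, never guess.
        self.manual_queue.append(booking_ref)
        return ("manual", "degraded")

def demo():
    """Constructed scenario: warm the cache, then simulate a vendor outage."""
    records = {"ABC123": {"checked_in": True}, "XYZ789": {"checked_in": False}}
    state = {"up": True, "now": 0.0}
    def upstream(ref):
        if not state["up"]:
            raise UpstreamUnavailable(ref)
        return records[ref]
    gate = GateValidator(upstream, clock=lambda: state["now"])
    results = [gate.validate(r) for r in ("ABC123", "XYZ789")]
    state.update(up=False, now=3600.0)           # outage, one hour later
    results += [gate.validate(r) for r in ("ABC123", "XYZ789", "NEW001")]
    state["now"] = 8 * 3600.0                    # cache now older than 6 h
    results.append(gate.validate("ABC123"))
    return results, gate.manual_queue
```

The cache age limit is the design decision that matters here: it bounds how long a record confirmed before the outage is trusted, so a long outage shrinks back to manual handling instead of boarding on stale data.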
The image of thousands of people stranded in an airport because of a single piece of software is a powerful metaphor for the state of our modern infrastructure. We have built a gleaming, efficient, and interconnected world that is also terrifyingly fragile. The Collins Aerospace breach is a warning shot. It’s a call to action for every leader to look beyond their own four walls and truly understand the hidden cyber dependencies that now dictate the success or failure of their physical operations. The next volcanic ash cloud won’t be made of rock and dust; it will be made of malicious code. And the time to prepare for it is now.