Aviation Incident Response Guide: How to Respond to a Cyberattack on an Airline or Airport

The First 24 Hours: Immediate Response Actions

The first 24 hours of an aviation cyber incident determine how much damage is done and how long recovery takes. Immediate actions:

• Activate incident response team: Assemble security, IT, operations, legal, communications, and senior management
• Contain and isolate: Isolate affected systems from networks to prevent further propagation — but check operational impact before disconnecting anything safety-critical
• Assess operational status: Can flights continue? Can passengers be checked in? What are the manual fallback options? Aviation must continue to operate wherever safe to do so
• Preserve evidence: Do not immediately rebuild affected systems — forensic evidence of the attack may be required by regulators, insurers, and law enforcement
• Notify key contacts: Cyber insurer, legal counsel, NCSC (for significant incidents), and CAA operational team
• Establish communications cadence: Internal incident management calls every 2–4 hours minimum; brief the Accountable Manager and board

Regulatory Notification Requirements

Aviation cyber incidents trigger multiple regulatory notification obligations:

• CAA (NIS): OES-designated operators must notify the CAA within the required timeframe for significant incidents affecting essential services. Contact the CAA's Aviation Security team.
• ICO: Any personal data breach (passenger data, staff data) must be reported within 72 hours of becoming aware — not 72 hours after the breach occurred
• EASA: For Part-IS incidents affecting safety, notify your National Aviation Authority (NAA)
• NCA/Police: For ransomware attacks — the National Crime Agency and Action Fraud should be notified; for critical infrastructure attacks, NCSC cyber incident management team
• Insurers: Cyber insurance notification requirements are typically contractual — check your policy for notification timelines (often 24–72 hours)
• Passengers: If passenger personal data is at high risk, affected individuals must be notified without undue delay under UK GDPR Article 34

Operational Continuity During a Cyber Incident

Aviation operators cannot simply shut down operations during a cyber incident. Operational continuity planning for cyber scenarios should be tested in advance:

• Manual check-in procedures: Paper manifests and manual passenger processing when DCS is unavailable — staff must be trained and materials available
• Manual flight dispatch: Ability to dispatch flights using paper fuel orders, MEL references, and manual weight and balance calculation
• Degraded ATC communication: VHF voice communications as backup when CPDLC or ACARS is unavailable
• Ground handling coordination: Radio-based communication with ground handlers when operational IT systems are unavailable
• Revenue management: Offline booking fallback for customer-facing disruption
• Passenger communications: Template communications for passengers affected by system-related disruption, pre-approved by legal and comms teams

Post-Incident Review and Regulatory Reporting

After the immediate incident is resolved, aviation operators must complete a structured post-incident review:

• Root cause analysis: Understand exactly how the attacker gained access, what they did, and what data or systems were affected
• Timeline reconstruction: Build a complete chronology of the attack — required for regulatory reports and insurers
• Control gap analysis: Identify which security controls failed or were absent that allowed the attack to succeed
• Regulatory final report: NIS regulations require a final incident report within defined timeframes — ensure your root cause analysis is sufficient to support this
• Lessons learned: Implement identified control improvements before closing the incident
• Exercise update: Update incident response playbooks based on what worked and what did not during the actual incident

Frequently Asked Questions