OT/ICS Attacks on Air Traffic Control: How Adversaries Target Aviation Infrastructure

The ATC Threat Landscape: Who Is Targeting Aviation Infrastructure

Aviation OT/ICS systems attract a specific set of threat actors with different motivations:

• Nation-state actors: Strategic disruption capability — the ability to ground civilian aviation is a significant geopolitical lever. Russian GRU-linked groups (Sandworm) have demonstrated willingness to attack critical infrastructure OT systems (Ukraine power grid, NotPetya)
• Criminal ransomware groups: Secondary effect — ransomware targeting aviation IT can propagate to OT if networks are insufficiently segmented, causing unintended OT disruption
• Hacktivists: Ideologically motivated groups have targeted aviation infrastructure as a high-visibility target, though capabilities are typically limited
• Insider threats: Ground staff, IT contractors, and vendor personnel with access to OT networks present an insider risk that is particularly difficult to mitigate in airport environments

Key OT/ICS Systems in Aviation That Require Protection

Aviation OT encompasses a wider range of systems than most operators appreciate:

• ATC systems: Radar data processing, flight data processing, controller working positions, voice communications switching, AFTN/AMHS message handling
• Airport airfield systems: Runway and taxiway lighting control (AGL), Instrument Landing System (ILS), Visual Docking Guidance Systems (VDGS), PAPI
• Terminal systems: Baggage handling (SCADA/PLC), passenger boarding bridges, fixed electrical ground power (FEGP), pre-conditioned air systems
• Security systems: Access control systems for airside, perimeter intrusion detection, security camera management (VMS)
• Utilities: Building management systems (HVAC, power distribution), fuel hydrant systems, fire suppression systems
• Ground support equipment: Connected GSE management, fuel truck monitoring, de-icing management systems

How OT Attacks on Aviation Are Executed

Aviation OT attacks typically follow a multi-stage pattern: initial access via IT systems (spear phishing, exposed RDP, supply chain compromise), lateral movement through IT networks, IT/OT boundary breach (often via poorly secured historian servers or engineering workstations connected to both networks), and then OT network access and pre-positioning. The dwell time between initial access and OT action can be months — nation-state actors particularly invest in long-term access before triggering effects. This pattern mirrors documented attacks on energy OT (Colonial Pipeline, Ukraine power grid) and is directly applicable to aviation infrastructure.

Defending Aviation OT/ICS: A Layered Security Approach

Effective OT security for aviation infrastructure requires a defence-in-depth approach:

• Network segmentation: Robust IT/OT boundary with firewalls, data diodes where appropriate, and no direct connectivity between corporate IT and OT control networks
• OT asset inventory: You cannot protect what you cannot see — a complete, current inventory of all OT assets, firmware versions, and network connections
• OT monitoring: Passive network monitoring (Claroty, Dragos, Nozomi Networks) to detect anomalous OT traffic without disrupting operations
• Patch management: OT patching is more complex than IT — vendor approval, testing, and maintenance windows must be planned carefully
• Access control: Role-based access, no shared credentials, MFA where OT systems support it, and strict vendor remote access controls (time-limited, monitored sessions)
• Incident response: OT-specific incident response procedures that account for safety implications of system disruption

Frequently Asked Questions