It is just after midnight on a Thursday in March 2025 when a transformer at an electrical substation in west London catches fire. Within hours, Heathrow Airport, Europe’s busiest hub, is closed with more than 1,300 flights cancelled or diverted. Around 200,000 passengers are affected as airlines scramble to relocate aircraft and crew across multiple continents. The ripple runs for days.
There was no cyberattack or hostile state actor. Europe’s busiest aviation hub ground to a halt because of a single substation fire, a mile and a half outside its fence line. Counterterrorism officers from the Metropolitan Police took the lead on the investigation. The force said there was no indication of foul play, but retained an open mind. The ambiguity itself is part of the story.
That is what critical national infrastructure protection looks like now. The threats are not all cyber. They are not all physical. They don’t often stay contained to a single physical location. And they rarely announce themselves clearly before they land.
The Limits of the Fence Line
Across Europe, airports are designated as critical national infrastructure. The same is true in North America, Australia, and across the Indo-Pacific. That designation carries legal weight, regulatory obligations, and a clear expectation that security operates at a level commensurate with the risk.
The problem is that most airport security thinking was built around a physical model, including the perimeter, the checkpoint, and the terminal. That model is not wrong, but it is incomplete. The threat picture for a major hub today includes power infrastructure a mile away, software platforms hosted in another country, geopolitical events on the other side of the world, and criminal groups operating entirely online. None of those sit inside the fence line, but all of them can bring an airport to a standstill.
Between 2024 and 2025, the European Union Aviation Safety Agency recorded a 600% increase in cyberattacks across the aviation sector. A modern airport is deeply dependent on systems and infrastructure that sit well beyond its own control, and a failure in any one of them can cascade immediately into operations.
The Heathrow fire made that visible to the public, but the underlying reality had been apparent to practitioners for years.
The Converging Threat Picture – One Thread, Three Continents
In September 2025, a ransomware campaign targeting Collins Aerospace’s MUSE platform hit five European hubs simultaneously. Heathrow, Brussels, Berlin Brandenburg, Dublin, and Cork all lost automated check-in and boarding. Brussels cancelled half its departing flights over a single weekend. The UK’s National Crime Agency arrested a suspect in West Sussex shortly after.
This was an entirely different type of threat to the Heathrow power outage. Both led to the same operational outcome: Europe’s busiest airports delayed, disrupted, or entirely grounded.
Cyber incidents are not limited to Europe. In March 2025, Kuala Lumpur International Airport was hit by ransomware targeting Malaysia Airports Holdings Berhad, which operates 39 airports across the country. Flight information displays went dark. Check-in reverted to manual processes. Baggage handling collapsed. The attackers demanded ten million dollars. Malaysia’s Prime Minister Anwar Ibrahim rejected the demand immediately. “There is no way this country will be safe,” he said, “if its leaders and system allow us to bow to ultimatums by criminals.”
In June 2025, the FBI warned North American aviation operators that Scattered Spider, a criminal group that had already hit UK retailers and insurers, had turned its focus to airlines. Hawaiian Airlines, WestJet, and American Airlines all reported incidents within weeks. Qantas confirmed a breach of six million customer accounts, linked to a third-party contact centre platform. Three countries, one coordinated campaign, all in a single quarter.
And then there is the category of threat that no security team inside an airport can manage alone. Following escalation in the Middle East in early 2026, Airports Council International Europe warned the European Commission that the continent faced a systemic jet fuel shortage if the Strait of Hormuz did not reopen. Lufthansa drew up contingency plans to ground up to 40 aircraft and Italian airports began restricting refuelling. Ryanair’s chief executive predicted summer cancellations of five to ten per cent of flights. A geopolitical event thousands of miles away was directly reshaping operational planning at every major European hub.
One Connected Picture
Airports face threats across four distinct fronts:
- Physical disruption
- Ransomware against shared infrastructure
- Coordinated criminal campaigns across multiple carriers
- Geopolitical events affecting fuel supply
These are not separate threat streams requiring separate teams and separate briefing chains. They are parts of one picture. And for airports and the government bodies that regulate them, the question is whether anyone is reading that picture as a whole, in real time, before the damage is done.
The Collins Aerospace attack was not invisible beforehand. These groups communicate online. The Scattered Spider campaign against North American carriers was preceded by weeks of documented activity against UK retailers and insurers. The Kuala Lumpur attack followed a pattern of regional targeting that was visible in publicly available intelligence long before the ransom demand was issued. In each case, the signal existed before the operational damage occurred.
The Heathrow fire is a physical example, but it points to the same information gap. The opening hours of any major incident involve deep uncertainty about the cause. Was this an accident? Was it deliberate? Is this the beginning of something coordinated? The teams best placed to answer those questions quickly are the ones already reading the public environment around the airport, not waiting for internal systems to flag that something has happened.
Where Publicly Available Information Fits
Most airport security frameworks still treat cyber and physical threats as parallel conversations, managed by separate teams with separate budgets and separate reporting lines. The threat environment has not respected that division for some time.
This is not a new principle. Intelligence and security practitioners have understood it for decades. What has changed is the volume of publicly available information, and the capability to analyse it systematically in real time. The gap between what is knowable and what organisations are actually reading has never been wider.
Real-time analysis of publicly available information does not replace internal security operations. Rather, it extends visibility into the areas that internal systems cannot reach: what is happening to vendors, to utilities, to threat actor groups that may have you in their sights but have not yet made their move. It shifts the posture from reactive to anticipatory. That is the capability Dataminr First Alert is built to provide.
The shared infrastructure that makes modern airports efficient, the platforms, the third-party providers, the power grid, the fuel supply chains, also makes them collectively vulnerable in ways no single operator fully controls. The airports managing that exposure best are the ones reading the broadest possible picture, earliest.
The Honest Question
Airport security has always been serious work. The people running it understand physical threats, access control, and passenger safety at a level most other sectors never have to think about.
The shift now required is not a rejection of those fundamentals. It is an extension of them. The same rigour applied to the terminal and the perimeter needs to apply to the digital supply chain, the geopolitical environment, the threat actors operating online, and the early signals that appear in public before anything physical materialises.
The last time something hit your operation, what did your team know, and how early? If the answer starts with the incident itself rather than the warning signs that preceded it, the perimeter has already moved. The question is whether your awareness has moved with it.
