Varun Uppal, founder and CEO of Shinobi Security
Over the weekend, airports across Europe were thrown into chaos after a cyber-attack on one of their technology suppliers rippled through airline systems. Passengers faced hours-long queues, missed connections, and widespread disruption.
For travellers it was a frustrating inconvenience, for the aviation industry, it was yet another warning that your security is only as strong as your most vulnerable supplier.
My first reaction was concern, but not surprise. Aviation is a notoriously complex industry, underpinned by a patchwork of legacy systems and an ecosystem of third-party vendors, and this interconnectedness makes it an attractive target for attackers. A single foothold in one supplier’s network can cascade into operational paralysis across multiple countries.
It’s important to note that this wasn’t a direct assault on the airports themselves. It was a supply chain attack – a breach of a trusted partner whose systems underpin critical services. These incidents underscore a hard truth that cyber security is no longer an IT issue, it’s a business risk with real-world consequences.
The weak link problem
Too often, large organizations outsource critical services but fail to extend their own security standards to those vendors. The reliance on third parties isn’t inherently reckless – no modern business operates in isolation – but the absence of robust oversight is. If you outsource a core function, you are effectively inheriting that provider’s security posture, warts and all.
That means vendor questionnaires and trust-based contracts are no longer enough. Organizations need to demand regular, independent penetration testing of their providers, insist on contractual obligations for real-time monitoring, and assume that every third party will eventually be targeted. A “Zero Trust” approach – limiting the access of partner systems to only what they absolutely need – is essential.
Resilience is equally important. Airports previously defaulted to manual check-in when their systems went dark, but the scale of disruption shows those contingency plans were not fit for purpose. Businesses cannot just plan for prevention; they must also plan for failure and rehearse how to keep core operations moving under cyber duress.
Could this have been avoided?
It is highly likely that a more rigorous offensive security programme could have exposed the weaknesses exploited in this attack. Traditional annual penetration tests are not enough for high-value targets, because the pace of modern software development and the ingenuity of attackers require continuous testing, red-teaming, and simulated supply chain attacks.
This is not hypothetical. Attackers are already automating their methods, probing vast attack surfaces with tools and AI systems that scale far beyond human effort. Defenders, meanwhile, often remain tied to infrequent manual tests and legacy vulnerability scanners that generate noise but miss critical issues, which is an unsustainable imbalance.
Raising the bar
Businesses should learn a lesson from this weekend, which is they cannot afford to treat cyber security as a compliance exercise or a once-a-year box to tick. Supply chain risk must be managed continuously, with precision and realism. That means testing defences the way real attackers would, probing not just for technical flaws but for the business logic gaps that underpin day-to-day operations.
New approaches, including AI-driven penetration testing, are emerging to meet this challenge. Unlike legacy scanners that drown teams in false positives, AI systems can mimic the reasoning and tactics of skilled attackers at scale, surfacing real exploitable weaknesses within days rather than weeks. For overstretched security teams, that shift represents both relief and resilience – faster insight, fewer distractions, and continuous coverage that matches the rhythm of modern business.
A wake-up call
While airport outages may soon fade from headlines, the underlying lesson should not. Every organization, whether in aviation, finance, retail, or healthcare, relies on a lattice of third-party providers, and each of those relationships is a potential entry point for attackers.
Boards must start treating cyber resilience as core to operational continuity, not a line item in the IT budget. Vendors must be held to higher standards, and businesses must adopt testing and monitoring practices that reflect the realities of today’s threat landscape.
Cyber-attacks on critical infrastructure are not just technical incidents; they are disruptions that ripple across economies and societies. This weekend showed us, once again, how fragile those systems can be. The question now is whether businesses will take the opportunity to raise the bar before attackers strike again.
About the Author
Varun Uppal is the founder of Shinobi Security, where he’s building AI-powered hackers to revolutionize cyber security. Before starting Shinobi, he served as a Chief Information Security Officer (CISO) and spent years as an ethical hacker, giving him deep, hands-on expertise in offensive security and defense.
