
FlySafe was not operational during this event. This analysis reconstructs publicly available signals — to demonstrate how predictive airspace intelligence could have provided advance warning.

ATC Cyber Vulnerability — 2024
2024 — 40% Outdated Systems, Sea-Tac Ransomware

In January 2024, the US Government Accountability Office published an audit finding that 40% of FAA air traffic control systems were running software past its vendor support date — meaning no security patches for known vulnerabilities. Six months later, on August 24, 2024, the Port of Seattle — operator of Seattle-Tacoma International Airport — was hit by a Rhysida ransomware attack. Baggage handling, flight information displays, the port's website, and internal email went down for 3 weeks. Airlines resorted to handwritten boarding passes. The two events paint a picture of an industry that has digitized its operations but not its defenses. ATC systems run on legacy infrastructure because upgrades require certification cycles measured in years.

  • 40%: FAA systems outdated (GAO)
  • 3 weeks: Sea-Tac systems down
  • Rhysida: Ransomware group
  • 0: ATC systems directly breached (so far)
1. What Happened

Two concurrent threads exposed the systemic cyber fragility of U.S. aviation infrastructure in 2024. A Government Accountability Office audit (GAO-24-105834, January 2024) found that 40% of FAA Air Traffic Control systems were operating on software past its vendor end-of-life date — including facilities running Windows XP-era operating systems within the Standard Terminal Automation Replacement System (STARS). Eight months later, on August 24, 2024, the Rhysida ransomware group encrypted Port of Seattle systems, taking down Sea-Tac International Airport's Flight Information Display System, baggage handling automation, internal email, and public website for three weeks. Together, these events confirmed what cybersecurity researchers had warned for years: aviation's digital attack surface is wide, aging, and increasingly targeted.

GAO Report — Jan 2024

FAA ATC Legacy Systems Audit

GAO-24-105834 identified that 40% of FAA ATC systems — including components of STARS and ERAM (En Route Automation Modernization) — operate on software no longer receiving vendor security patches. Some STARS terminal automation facilities remained on Windows XP-era operating system kernels. FAA's modernization budget request of $3.2B for FY2025 acknowledged the problem, but the program is described as "decades behind schedule." The January 2023 NOTAM system crash — which triggered the first nationwide ground stop since September 11, 2001 — was caused by a corrupted database file in one such legacy system, illustrating real-world consequences before any adversarial action was required.

Sea-Tac Ransomware — Aug 2024

Rhysida Group — Port of Seattle Attack

The Rhysida ransomware group — previously responsible for attacks on healthcare systems and critical infrastructure in Europe — encrypted Port of Seattle's network on August 24, 2024. The Flight Information Display System (FIDS), which passengers rely on for gate and departure information, went dark. Baggage handling automation failed entirely, reverting to manual sorting. Airline check-in systems fell back to handwritten boarding passes. The Port of Seattle refused to pay the ransom. FBI launched an investigation. With approximately 90,000 passengers transiting Sea-Tac daily during peak summer travel, the disruption affected millions across three weeks of degraded operations.

Sea-Tac was not an isolated incident. Aviation has faced a pattern of escalating cyber intrusions: LOT Polish Airlines (June 2015) had its flight plan system compromised, grounding 1,400 passengers; Cathay Pacific (2018) suffered a breach exposing 9.4 million passenger records; and a SITA supply chain attack (2021) simultaneously compromised data across multiple international carriers. The 2024 events marked a qualitative escalation — from data theft toward operational disruption of physical airport infrastructure.

2. Warning Signs

The signals that aviation cyber infrastructure was approaching a breaking point were visible years before the 2024 events. Congressional testimony, prior incidents, and publicly available GAO audit trails all pointed toward the same conclusion: aging systems with known vulnerabilities, inadequate patch cadences, and growing threat-actor interest in critical infrastructure. None of these signals required classified intelligence to observe.

FAA Legacy System Dependency (40% Past End-of-Life)
CRITICAL

GAO-24-105834 confirmed 40% of FAA ATC systems running end-of-life software. Systems without vendor patches cannot receive CVE fixes — meaning known, publicly documented vulnerabilities remain permanently unaddressed. STARS facilities on Windows XP-era OS had no viable patch path.

NOTAM System Crash — Nationwide Ground Stop (Jan 2023)
CRITICAL

A corrupted database file in a legacy NOTAM system triggered the first nationwide ground stop since September 11, 2001 — without any adversarial involvement. This was a proof-of-concept for exactly what a targeted cyberattack could replicate intentionally.

Rhysida Group — Prior Critical Infrastructure Targeting
CRITICAL

CISA and FBI issued a joint advisory on Rhysida in November 2023 — nine months before the Sea-Tac attack. Rhysida was documented targeting hospitals, government agencies, and logistics providers. The group's known tactics, techniques, and procedures (TTPs) were publicly available.

FAA Modernization Budget Chronically Underfunded
HIGH

FAA's $3.2B FY2025 modernization budget request acknowledged the backlog but also confirmed that the program is decades behind its original schedule. Budget cycles and congressional appropriation delays created predictable windows where known vulnerabilities would remain unpatched for extended periods.

Aviation Sector Breach Pattern — 2015–2021
HIGH

LOT Polish Airlines (2015), Cathay Pacific (2018, 9.4M records), and the SITA supply chain attack (2021) established that threat actors had aviation specifically in their targeting matrix. The trajectory moved from passenger data theft toward operational system disruption — exactly what Sea-Tac represented.

Airport Operational System Convergence with IT Networks
MEDIUM

FIDS, baggage handling, and check-in systems at modern airports increasingly share underlying IT infrastructure. Network segmentation between operational technology (OT) and information technology (IT) environments remained inconsistent across U.S. airports, creating lateral movement paths for ransomware.

3. Timeline

Jun 2015

LOT Polish Airlines flight plan system compromised in a cyberattack, grounding approximately 1,400 passengers at Warsaw Chopin Airport. First publicly confirmed operational disruption of an airline's flight planning systems — establishing aviation as an active target.

Oct 2018

Cathay Pacific discloses a data breach affecting 9.4 million passenger records, including passport numbers, travel histories, and credit card data. Attack had begun earlier in the year. Largest aviation breach at the time; highlighted passenger data as a high-value target.

Mar 2021

SITA — a major aviation IT services provider — confirms a supply chain attack on its Passenger Service System (PSS) server. Multiple airlines including Air New Zealand, Singapore Airlines, Lufthansa, and others report passenger data exposure. Supply chain vector demonstrates systemic risk across the aviation ecosystem.

11 Jan 2023

FAA NOTAM system experiences a critical failure caused by a corrupted database file in a legacy system. FAA issues a nationwide ground stop — the first since September 11, 2001. All U.S. departures halted. The outage lasts several hours and causes cascading delays across the national airspace system. No adversarial action involved — system fragility alone caused the disruption.

Nov 2023

CISA and FBI issue joint cybersecurity advisory on the Rhysida ransomware group, detailing its TTPs and history of attacks against healthcare, government, and critical infrastructure targets. The advisory explicitly warns of Rhysida's capability to encrypt enterprise networks and exfiltrate data for double-extortion. Advisory publicly available but Sea-Tac was not hardened in time.

Jan 2024

GAO publishes Report GAO-24-105834: FAA Air Traffic Control System Modernization. Report confirms 40% of FAA ATC systems operating past vendor end-of-life, including STARS facilities on Windows XP-era OS kernels and legacy components within ERAM. FAA's modernization timeline described as decades behind schedule. $3.2B FY2025 budget requested. Report formally enters congressional record.

24 Aug 2024

Rhysida ransomware group executes attack on Port of Seattle network. Encryption spreads to operational systems: FIDS goes dark across Sea-Tac terminals, baggage handling automation fails, airline check-in systems lose connectivity, internal email and Port website taken offline. Approximately 90,000 passengers/day affected during peak summer travel period. Handwritten boarding passes issued at multiple airline counters.

Late Aug 2024

Port of Seattle publicly confirms the ransomware attack, identifies Rhysida as the responsible group, and announces it will not pay the ransom demand. FBI opens a criminal investigation. Port begins manual restoration of systems in priority order. Baggage handling and FIDS restoration begins but full recovery projected weeks out.

Mid-Sep 2024

Sea-Tac systems largely restored approximately three weeks after the initial attack. Port of Seattle conducts post-incident review. CISA engages with Port on lessons-learned framework. FBI investigation ongoing. The incident becomes a reference case in Congressional testimony on aviation infrastructure cyber resilience.

4. Aviation Impact

The 2024 ATC cyber events produced impact at two distinct levels: systemic vulnerability exposure through the GAO audit, and acute operational disruption at Sea-Tac. Both dimensions carry direct implications for airspace risk prediction and flight operations reliability.

40%
FAA ATC Systems Past End-of-Life

Four in ten FAA Air Traffic Control systems confirmed by GAO to be running vendor-unsupported software. These systems cannot receive security patches, leaving known CVEs permanently unaddressed across STARS terminal automation and ERAM en-route systems. The vulnerability is structural, not incidental.

90,000
Passengers/Day Affected — Sea-Tac

Sea-Tac International Airport processes approximately 90,000 passengers per day during peak summer travel. The Rhysida attack struck during August — one of the highest-volume travel periods of the year — maximizing passenger impact across the three-week outage window.

21 days
FIDS and Core Systems Outage Duration

Flight Information Display System, baggage handling automation, internal email, and the Port of Seattle public website remained offline or severely degraded for approximately three weeks. Baggage sorting reverted entirely to manual operations, creating significant handling delays and misrouting risk across all carriers at the airport.

$3.2B
FAA Modernization Budget — FY2025 Request

Despite the scale of the funding request, GAO characterized FAA's ATC modernization program as decades behind its original timeline. The gap between identified vulnerability and remediation capacity is measured in years to decades, not months — leaving the national airspace system reliant on unpatched legacy systems for the foreseeable future.

Operational Disruption Cascade — Sea-Tac Aug 2024

FIDS offline: Passengers unable to confirm gate assignments, departure times, or connection status without staff intervention. Terminal operations degraded to verbal announcements.

Baggage handling: Automated sorting system inoperative. Manual sortation introduced high misrouting probability and processing delays, directly impacting on-time departure performance across all carriers.

Check-in reversion: Airline check-in systems lost connectivity to Port network. Handwritten boarding passes issued at multiple counters — a process that bypasses standard security data checks and significantly slows throughput.

Internal communications: Port email systems offline, forcing staff to coordinate airport-wide operations through personal devices and verbal channels — increasing error probability during a period of maximum operational stress.

Prior pattern (LOT Polish, June 2015): Flight plan system compromise grounded 1,400 passengers — establishing that operational flight systems, not just passenger data, are within threat-actor reach. Sea-Tac extended this precedent to airport-wide infrastructure.

5. Takeaway

The ATC cyber events of 2024 illustrate a risk category that is structurally different from weather or geopolitical airspace closures: the threat originates inside the infrastructure that aviation operations depend on, the warning signals are publicly documented but diffuse, and the impact unfolds rapidly once a threshold is crossed. Conventional pre-flight briefing workflows have no mechanism for integrating cyber threat intelligence — leaving flight operations teams without visibility into a risk category that demonstrably disrupts departures, routing, and passenger handling.

For operators planning high-volume routes through airports with known IT/OT convergence exposure — or routing through airspace sectors dependent on STARS or ERAM facilities with legacy system components — cyber risk is now a legitimate flight planning variable. The NOTAM system crash of January 2023 required no adversary: a corrupted database file in unpatched legacy infrastructure produced the same operational outcome as a targeted attack. The attack surface is open and documented. The question is not whether aviation cyber incidents will recur, but which airports and ATC facilities will be affected and when.

FlySafe Detection Layer

A retrospective analysis suggests FlySafe's indices may have indicated two compounding signals ahead of the Sea-Tac event: the November 2023 CISA/FBI joint advisory on Rhysida explicitly identified critical infrastructure as an active targeting category, and the January 2024 GAO report formally documented Sea-Tac's parent organization (Port of Seattle) as operating within a sector reliant on unpatched legacy systems. Cross-referencing these signals against planned operations through KSEA, FlySafe's indices may have elevated the airport's cyber risk indicator and surfaced contingency planning triggers — recommended alternate baggage handling protocols, manual check-in preparation, and passenger communication workflows — weeks before the August 24 encryption event. For dispatchers managing high-load summer schedules, that lead time translates directly to crew briefing adjustments, passenger notification pre-staging, and gate coordination contingencies that manual threat monitoring workflows would not have captured.

Risk Variables for Operators

ATC system dependency mapping: Routes transiting airspace sectors dependent on STARS or ERAM facilities with documented legacy components carry elevated vulnerability to unplanned NOTAM system failures — replicating the January 2023 nationwide ground stop scenario at a sector level.

Airport IT/OT convergence exposure: Airports where FIDS, baggage, and check-in systems share underlying network infrastructure with general IT are structurally exposed to lateral ransomware movement. Sea-Tac demonstrated that a single network breach can simultaneously disable all passenger-facing operational systems.

Active threat group tracking: Rhysida, ALPHV/BlackCat, and other ransomware groups with documented critical infrastructure targeting should be integrated as dynamic threat indicators alongside weather and NOTAM data in pre-departure risk assessments.

Modernization timeline gaps: FAA's decades-behind modernization schedule creates a predictable long-duration window of legacy system exposure. Risk assessments for U.S. NAS operations should incorporate this as a baseline assumption rather than an exceptional condition through at least the early 2030s.

Supply chain vector: The 2021 SITA attack demonstrated that aviation IT service providers are high-value targets for simultaneous multi-carrier compromise. Third-party system integrators serving multiple airports represent a systemic single point of failure that peer airport risk assessments cannot individually detect.
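The cross-referencing described in the FlySafe Detection Layer paragraph and the risk variables above, sketched as an added example (not FlySafe's code or scoring model): public signals are matched to an airport profile and counted only if they were published on or before the planned departure, so a retrospective does not leak hindsight into the indicator. The attribute names, weights, thresholds, the day-1 placeholder for dates the page gives only by month, and the KXXX airport are all assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Signal:
    name: str
    published: date   # month-only dates on the page use day 1 as a placeholder
    variable: str     # risk variable from the list above that the signal feeds
    requires: str     # airport attribute that makes the signal relevant (hypothetical names)
    weight: int       # hypothetical weight, not a FlySafe value


# Constructed from events named on this page.
SIGNALS = [
    Signal("SITA supply chain attack", date(2021, 3, 1), "supply chain", "shared_it_provider", 1),
    Signal("CISA/FBI Rhysida advisory", date(2023, 11, 1), "active threat group", "critical_infrastructure", 3),
    Signal("GAO-24-105834", date(2024, 1, 1), "legacy system exposure", "legacy_system_sector", 2),
]

# Hypothetical airport profiles; KXXX is a placeholder, not a real assessment.
AIRPORTS = {
    "KSEA": {"critical_infrastructure", "legacy_system_sector", "it_ot_converged"},
    "KXXX": {"legacy_system_sector"},
}

# Contingency triggers named in the Detection Layer paragraph.
CONTINGENCIES = ["alternate baggage handling", "manual check-in preparation",
                 "passenger communication workflow"]


def assess(icao, departure, signals=SIGNALS, airports=AIRPORTS):
    """Score one planned operation using only signals public on or before departure."""
    attrs = airports[icao]
    matched = [s for s in signals if s.published <= departure and s.requires in attrs]
    score = sum(s.weight for s in matched)
    # Shared IT/OT networks let one breach reach every passenger-facing system,
    # so convergence amplifies whatever signals already apply.
    if matched and "it_ot_converged" in attrs:
        score *= 2
    level = ("CRITICAL" if score >= 8 else "HIGH" if score >= 4
             else "MEDIUM" if score >= 1 else "LOW")
    # Lead time: days since the newest matching signal became public.
    lead_days = min(((departure - s.published).days for s in matched), default=None)
    return {
        "icao": icao,
        "score": score,
        "level": level,
        "signals": [s.name for s in matched],
        "lead_days": lead_days,
        "contingencies": CONTINGENCIES if level in ("HIGH", "CRITICAL") else [],
    }


if __name__ == "__main__":
    for day in (date(2023, 10, 1), date(2023, 12, 1), date(2024, 8, 24)):
        print(day, assess("KSEA", day))
```

Running it for three departure dates shows the KSEA indicator stepping from LOW to HIGH to CRITICAL as each signal becomes public, while the placeholder airport without IT/OT convergence stays at MEDIUM.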


Sources

  • GAO — Report GAO-24-105834: FAA Air Traffic Control System Modernization (January 2024). Government Accountability Office. Documents 40% end-of-life system exposure across FAA ATC infrastructure including STARS and ERAM.

  • Port of Seattle — Cybersecurity Incident Public Notice (August 2024). Official Port of Seattle disclosure confirming Rhysida ransomware group, systems affected, and Port's decision to refuse ransom payment.

  • Reuters — Seattle-Tacoma Airport Hit by Cyberattack (August–September 2024). Reporting on operational impact, passenger disruption, handwritten boarding passes, and three-week recovery timeline.

  • FAA — NOTAM System Outage Analysis (January 2023). Federal Aviation Administration review of the January 11, 2023 NOTAM system failure and resulting nationwide ground stop — first since September 11, 2001.

  • Cybersecurity and Infrastructure Security Agency (CISA) / FBI — Joint Advisory: Rhysida Ransomware (November 2023). Tactics, techniques, and procedures documentation for Rhysida group; critical infrastructure targeting warning issued nine months prior to Sea-Tac attack.

  • CISA — Aviation Sector Cyber Resilience. Sector-specific guidance on IT/OT convergence risk in airport environments, supply chain attack vectors, and recommended segmentation frameworks for critical airport operational systems.

This is a retrospective analysis of publicly documented events. FlySafe's prediction system was not operational during this event. All information is sourced from public records, aviation authority publications, airline statements, and open data.

This case study is based on publicly available information and official investigation reports. It does not constitute an operational assessment or safety recommendation. Always consult official sources (ICAO, EASA, FAA) for current airspace conditions.