Heathrow, Brussels, and Berlin paralyzed.

The Collins Aerospace incident was first read as a story of password negligence. It is that, in part. But the real question is not why those credentials had not been changed. It is why, three years later, they still granted access to an exposed server with no segmentation or monitoring. That is the question that directly concerns you.

Collins Aerospace: when an unmonitored FTP flow costs nine days of operations

On September 10, 2025, the Everest group accessed Collins Aerospace's FTP servers. Not through a sophisticated zero-day. Not through a cloud attack. Through two credentials stolen by an infostealer infection in 2022, aiscustomer and muse-insecure, that had never been changed in three years.

In nine days, Everest exfiltrated more than 50 GB of data: passenger records, employee files, complete SQL databases. On September 19, Collins shut down its servers. Heathrow, Brussels, Berlin: check-in systems went down, thousands of passengers processed manually for a week.

In December 2025, the data was published on a cybercriminal forum. The post-incident investigation revealed exposed servers running on end-of-life technical stacks, unsegmented FTP flows, and static credentials that had never been audited.

According to the Verizon DBIR 2025 report, compromised credentials rank first among intrusion vectors. But a stolen credential alone does not make an attack: it needs a reachable, poorly isolated system behind it to cause damage. Collins illustrates that. In 2025, Jaguar Land Rover and FAI Aviation Group suffered intrusions through comparable vectors.

The blind spot your network diagram does not show

In complex, multi-site, multi-team industrial environments, the attack surface does not look like what a classic network diagram represents. It looks more like an accumulation of decisions made under constraint, over ten years, by teams that had other priorities.

A Modbus flow between a PLC and a supervision system, opened in 2011 for a pilot project and never closed. A VPN access created for a subcontractor during a maintenance campaign, still active two years after the contract ended. A REST API exposed on a poorly monitored segment to let a legacy simulation tool communicate with a reporting system.

Each of these flows was created for a good reason. None was designed to be secure. According to a cybermalveillance.gouv.fr study from December 2025 among French SMEs and mid-market companies, 58% of companies admit they do not know how to assess the consequences of a cyberattack on their infrastructure. That figure is not surprising when you realize that most audits inventory machines, not the flows circulating between them.

The situation is worsened by an organizational blind spot specific to industrial environments: methods and engineering teams steer production and simulation tools, the IT department steers the networks, and no one oversees the space between the two.

Three concrete actions to reduce risk without waiting for the next budget

1. Map your flows, not just your equipment. Start with a workshop bringing together the IT and OT teams. Ask each manager to list the systems that communicate outside their perimeter, the protocols used, and the date of the last review of those accesses. The goal is not exhaustiveness: it is to identify the three or four most exposed flows and address them first. This partial mapping is also what NIS2 has required of industrial mid-sized companies since the October 2024 transposition deadline, so you might as well turn it into a budget lever rather than an additional constraint.

2. Treat credentials like technical debt. A quarterly audit of active credentials on exposed systems (FTP, VPN, API, remote access) is a simple, low-cost measure that eliminates an entire class of risks. Start with accesses created for external contractors: these are the ones most often forgotten, and the most frequently exploited.

3. Segment before modernizing. Replacing a legacy system takes time. Segmenting it from the rest of the network takes a few days. In practical terms: VLANs dedicated to OT flows, filtering rules on an industrial firewall (Stormshield or Fortinet in these environments). The rules must be default-deny with explicit allows and logging on the denies; a VLAN without that is only a label. The goal: an intrusion on a simulation segment should not be able to reach production controllers. This is the kind of measure a CIO can launch without waiting for the next transformation budget.
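The three actions above, as an added example that is not akawan's or Kaptngo's code: one Python audit script that aggregates constructed firewall log lines into cross-zone flows and checks them against an access register (action 1), flags stale and contractor credentials in a constructed account inventory (action 2), and simulates a default-deny inter-zone policy against the observed flows to confirm the Simulation to OT-controllers Modbus flow would be blocked (action 3). The zone ranges, log lines, register entries, account names, audit date and policy are all hypothetical.

```python
# Added example (not akawan's or Kaptngo's code): the three actions above as one
# audit over constructed data. Ranges, logs, register, accounts, date and policy are hypothetical.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

TODAY = date(2025, 12, 1)  # assumed audit date

ZONES = {  # zone model: hypothetical address ranges per segment
    "OT-controllers": ip_network("10.10.0.0/24"),
    "Simulation": ip_network("10.20.0.0/24"),
    "DMZ": ip_network("192.0.2.0/24"),
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the model counts as External."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "External"

# Constructed firewall accept-log lines: "YYYY-MM-DD src dst proto dport".
FW_LOG = """\
2025-11-03 10.20.0.15 10.10.0.7 tcp 502
2025-11-03 198.51.100.23 192.0.2.10 tcp 21
2025-11-04 10.20.0.15 10.10.0.7 tcp 502
2025-11-05 10.20.0.40 192.0.2.12 tcp 443
2025-11-05 203.0.113.9 192.0.2.10 tcp 21
"""

# Constructed access register: documented cross-zone flows -> (owner, last review date).
REGISTER = {
    ("Simulation", "OT-controllers", 502): ("methods", date(2011, 6, 1)),
    ("Simulation", "DMZ", 443): ("IT", date(2025, 3, 1)),
}

def inventory_flows(log: str) -> dict:
    """Action 1: aggregate traffic into cross-zone flows keyed (src zone, dst zone, port)."""
    flows = {}
    for line in log.splitlines():
        day, src, dst, proto, port = line.split()
        key = (zone_of(src), zone_of(dst), int(port))
        if key[0] == key[1]:
            continue  # intra-zone traffic is not what the mapping is after
        f = flows.setdefault(key, {"proto": proto, "hits": 0, "last_seen": day})
        f["hits"] += 1
        f["last_seen"] = max(f["last_seen"], day)  # ISO dates compare correctly as strings
    return flows

def flag_flows(flows: dict, register: dict, today: date = TODAY, max_review_age: int = 365) -> dict:
    """Flag flows nobody documented, and documented flows not reviewed for over a year."""
    findings = {}
    for key in flows:
        if key not in register:
            findings[key] = "undocumented"
        elif (today - register[key][1]).days > max_review_age:
            findings[key] = f"review stale since {register[key][1].isoformat()}"
    return findings

@dataclass
class Account:
    name: str
    system: str
    contractor: bool
    last_password_change: date
    contract_end: Optional[date] = None

# Constructed credential inventory for the exposed systems (hypothetical names).
ACCOUNTS = [
    Account("ftp-partner-upload", "ftp.dmz", True, date(2022, 4, 12), date(2023, 1, 31)),
    Account("vpn-maint-vendor", "vpn.edge", True, date(2024, 9, 1), date(2026, 6, 30)),
    Account("svc-reporting-api", "api.dmz", False, date(2025, 10, 2)),
]

def audit_accounts(accounts: list, today: date = TODAY, max_password_age: int = 90) -> list:
    """Action 2: contractor accounts outliving their contract, and credentials never rotated."""
    findings = []
    for a in accounts:
        age = (today - a.last_password_change).days
        if a.contractor and a.contract_end and a.contract_end < today:
            findings.append((a.name, "contractor access past contract end"))
        if age > max_password_age:
            findings.append((a.name, f"credential unchanged for {age} days"))
    return findings

# Action 3: proposed default-deny policy; only these (src zone, dst zone, port) triples stay open.
POLICY = {("Simulation", "DMZ", 443), ("External", "DMZ", 443)}

def simulate_policy(flows: dict, policy: set) -> dict:
    """Which observed cross-zone flows survive the policy. Modbus (502) from Simulation
    to OT-controllers must come out blocked: that is the segmentation goal stated above."""
    return {key: key in policy for key in flows}

if __name__ == "__main__":
    flows = inventory_flows(FW_LOG)
    print(flag_flows(flows, REGISTER))
    print(audit_accounts(ACCOUNTS))
    print(simulate_policy(flows, POLICY))
```

Run against real data, the log would come from the firewall's accept log or NetFlow export and the register from whatever the workshop in action 1 produces; the point of keying flows by zone rather than by host is that the output stays short enough to review in a meeting. Note that the External to DMZ FTP flow on port 21 is flagged as undocumented and is also dropped by the proposed policy, which is the combination the text describes at Collins.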

The organizational dimension is at least as important as the technical one. Security for inter-system flows cannot be handled by one side alone. It requires shared governance between IT and OT, built with both teams, not imposed from the outside.

What Kaptngo changes in environments where a redesign is impossible

In many industrial environments, the obstacle is not the desire to secure legacy flows: it is that the protocols involved are old, sometimes proprietary, and do not natively support encryption or strong authentication. Rebuilding the network infrastructure to secure them is a heavy operation and often out of reach in the short term.

This specific problem is what akawan has addressed with Kaptngo. The principle: a secure zero-trust communication layer that sits between your existing systems to encapsulate any protocol and carry it in encrypted and authenticated form over the web, without redesigning the infrastructure. An old flow, a file exchange between sites, communication between controllers and central monitoring: Kaptngo handles them as they are, without modifying the equipment or the source protocols.

At akawan, we do not deliver the tool alone. We start by analyzing your real flows, identify the most exposed communications, and co-design the deployment scope with your IT and OT teams. That is what makes the difference between an installed solution and a system that lasts over time, in an environment where cooperation between teams is as important as the technology itself.

A pilot focused on six to eight weeks, limited to the most critical flows between two sites or two teams, is enough to validate the approach and demonstrate value before any broader rollout.

Your legacy protocols are not inevitable. Their unmonitored exposure is.

The Collins Aerospace incident was not caused by a sophisticated attack. It was caused by three years of inaction on stolen credentials, and by exposed communication flows left unmonitored. This kind of scenario is not reserved for large aerospace companies. It happens again and again in all industrial environments where production pressure has always taken precedence over auditing inter-system flows.

The question is not whether you have legacy systems in your information system. You do. The question is how many of those systems communicate with the outside world in an unsupervised way. The answer to that question is worth more than any compliance audit.

akawan, specialist in digital transformation and artificial intelligence.

Together, let's build your digital future.

Copyright 2025 - akawan.
