Category: articles | 17 June 2026

Protecting Digital Public Spaces in a Time of Cyberwar

Brian Iselin

News and Trends Writer (EMEA), AVIXA

Do you remember all those terrorist attacks on airports last year? Most people don't—because nobody framed them as terrorism. A Turkish hacktivist group hijacked departure screens and PA systems across four North American airports—Harrisburg, Kelowna, Victoria, Windsor—broadcasting pro-Hamas slogans to terminals full of passengers.

Weeks earlier, a ransomware attack on Collins Aerospace's check-in software disrupted automated boarding systems at Heathrow, Brussels, and Berlin Brandenburg, resulting in manual check-ins and cancellations over a three-day period. Real disruption, significant scale, and then the conversation moved on. No explosions. No armed response footage. Just screens showing the wrong thing, at the wrong time, to tens of thousands of people who trusted what they were reading.

That framing—whether screen-based disruption qualifies as terrorism—sat at the centre of a pointed panel discussion at ISE 2026: Cyber Fortress: Revolutionising Public Space Security in Europe. The panel's answer was unambiguous. Yes, it does. If you build, integrate, or maintain public-facing AV infrastructure, that answer changes how you scope, design, and hand over every project from here on out.

The Trust Problem You Are Already Inside

Public information screens carry inherent trust. People look at a departure board and act on it. They follow wayfinding to an exit. They read emergency instructions and move. That trust is what makes the system useful — and what makes it dangerous when compromised. As one ISE panellist put it directly: terrorism involves making people unsure, disrupting society, and causing panic.

A screen at an airport telling passengers their flight is cancelled, when it hasn't been, achieves exactly that. Digital signage directing two groups of panicked people towards each other during an evacuation does the same—without anything more sophisticated than a compromised CMS login.

AVIXA's Recommended Practices for Security in Networked Audiovisual Systems already frames AV security as a shared responsibility across integrators, end users, and manufacturers. The ISE panel made the physical-world consequences of ignoring that impossible to dismiss.

Those risks are not theoretical. In 2025, a cyber incident affecting digital systems at a Barcelona train station led operators to halt all services for an entire afternoon. Screens went dark, and—without clear guidance on whether the failure was isolated or systemic—decision-makers defaulted to the safest option: stop everything.

The disruption was ultimately self-inflicted. It was caused not by the attack itself, but by the absence of a plan. Nobody had decided in advance: if this specific system fails, here is what we do—and just as importantly, here is what we don’t do. The screens were probably the least critical system in the building. Nobody knew that when it mattered.

Hybrid Attacks: It is Never Just the Screens

One concept from the panel belongs permanently in every senior integrator's thinking: hybrid attack. Not in the thriller-film sense, but the operational one. Individually manageable disruptions—screens down, heating off, food deliveries misrouted, access turnstiles misbehaving—become something qualitatively different when coordinated. One screen flickering every five seconds is irritating. Heating off in a northern European airport in January is uncomfortable. Wrong evacuation information on screens is serious. All three at once, in a building with 40,000 people and no reliable communication fallback, is a crisis none of those components could cause alone.

The AV layer is the one those 40,000 people watch for guidance. That is not an accident—it is precisely why public-facing screens are worth compromising. The attack surface is not abstract. It is the AV-over-IP endpoints on your last stadium install, the digital signage players in an airport terminal, the room booking panels and visitor kiosks in the corporate campus you handed over six months ago. Every one is a point where someone with network access and intent can put the wrong message in front of a crowd that will act on it.

Who Owns This — and Why the Answer is Currently Nobody

The panel was direct about ownership: by default, nobody owns it. Every contractor, operator, tenant, and technology supplier brings their own pieces, and nobody agrees on the picture before the building opens. A stadium has its AV integrator, its IT team, its event management company, its catering contractor, its building management system vendor, and its venue WiFi operator. In a security incident, all respond differently, at different speeds, under different assumptions. The ISE audience asked who is actually responsible for the WiFi at an event of this scale. The panel's answer: nobody has clearly decided—which is the problem.

Germany's NIS2 implementation, which entered into force in December 2025, addresses this directly. Under the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz—Germany's NIS2 Implementation and Cybersecurity Strengthening Act—regulated organisations must demonstrate active supplier risk management. If your AV system touches a regulated client's network, you are part of their supplier risk register whether your contract says so or not. The procurement calculus has already shifted. A bid with credible security evidence beats a cheaper bid without it, because a regulated buyer who picks price over diligence has been negligent. Negligent buyers cannot transfer risk to insurers. The insurers take the premiums and decline the payout.

The Interfaces are Where Systems Fail

One of the panel's most useful contributions was a story from a security assessment at a large South Korean shipyard. The brief covered four operational systems on a major vessel. Every system passed its individual check. The critical vulnerabilities sat at the interfaces—the junctions between systems, where one vendor's assumptions about data formats, access control, and trust boundaries didn't match another's. Each supplier had a contract that looked fine in isolation. Nobody had a contract covering what happened where those systems touched each other.

For AV integrators working where AV meets operational technology (OT)—theatres, hospitals, industrial sites, transport hubs—this is the structural risk. IEC 62443, the OT cybersecurity standard the panel cited, provides the planning structure. But the human problem runs deeper. IT professionals and OT engineers have different professional cultures: IT teams apply known protocols and expect change; OT engineers maintain long-life systems and resist it. The panel put it bluntly: IT works on set protocols; OT is run by engineers with a binary mindset, and getting those two to talk productively is harder than any technical configuration. AV increasingly lives at that boundary. AVIXA's guidance on securing AV systems against network threats handles the technical side. The cultural friction is yours to manage on site.

What Paris Got Right

The Paris 2024 Olympics came up in an inquiry from the audience, and the panel's response was worth hearing. Paris was the first Games run under full-scale cyber warfare conditions. Beijing recorded up to 8,000 cyberattacks a day, and London 2012 planning factored in physical-cyber hybrid threats including vessel hijacking near sailing venues. Paris started preparation two years out—not by hardening systems first, but by mapping threat actors. Who wants to attack this event? What do they want to achieve? What are the most likely entry points? That intelligence-led posture shaped everything that followed. It stands in contrast to PyeongChang 2018, where a major attack on opening day took systems offline and recovery happened under live pressure. The BSI—Germany's Federal Office for Information Security—applies the same risk-mapping logic to regulated organisations. Any integrator working on major venue or public sector projects in Germany needs to understand how their clients are reading that guidance, because it flows directly into what clients ask of their suppliers.

The dwell-time figure the panel cited drives this argument home. Attackers sit on compromised systems for an average of 268 days before anyone discovers them or they choose to act. In utility and critical infrastructure environments, five years is on record. Someone may already be inside the network of the venue you are about to integrate into. Plan accordingly.

The Business Case: Survival, Not Compliance

The statistic that should close any internal argument about security investment came from World Economic Forum data cited at the panel: 80 percent of small to medium businesses (SMBs) that suffer a significant cyber incident are gone within two years. Not weakened—gone. For integrators who see this as a client risk rather than their own, the supply chain argument is the counter. Your clients under NIS2 are legally obligated to vet you. If they can't demonstrate they have done it, they are negligent. If they do vet you and you can't show active security practices, you lose the work. The European Commission's NIS2 policy overview sets out the obligations. Your clients' procurement teams are already writing them into tenders.

Insurance is the second mechanism. Skip the audit, ignore the contract clause, sign off on a system with default credentials still active—your cyber insurer takes the premium and declines the claim. That is standard policy language, not an edge case. Security protects whether your own business is still trading in two years.

What to Do When You Get Back

The panel's practical guidance was deliberately accessible. You do not need to be ISO-certified to start. Sit down with your team, identify your most critical processes, map who owns what, and write down what happens when something fails. Tabletop exercises were the tool the panel kept returning to—put a failure scenario on the table before an incident forces you to improvise one. Decide in advance who notifies the client, who calls the affected vendors, who makes the call to isolate a system versus keep it running. The ENISA NIS2 technical implementation guidance lays out the detailed approach. It is worth reading even as a supplier—your regulated clients are using it to build procurement requirements, and those requirements will land on your desk.

Vendor contracts need explicit audit rights. If a supplier won't accept an audit clause, that tells you what you need to know about their security posture. Don't use them. Check what your suppliers are doing, and check periodically—not just at onboarding.

Scope the interfaces. Your individual systems may all pass their own security checks. The risk lives where they connect. Test it, document it, and put responsibility allocation in writing before handover. That single step stops more late-stage arguments than any amount of after-the-fact hardening.

My Verdict

The ISE panel said it plainly: we are in a time of cyberwar, and most of it runs beneath the surface until an airport shuts down or a stadium screen sends 20,000 people the wrong way. Public-facing AV is trust infrastructure. Build it, and you own part of that trust legally, commercially, and in a very physical sense. The regulation is in force. The liability is real. 80% of businesses that take a serious cyber hit don't come back. Stop treating security as something you layer on after sign-off. Design it in, document it at handover, audit it in your supply chain. The integrators doing that are winning tenders on security posture alone. The ones who aren't are a liability someone is about to discover—a client's legal team, an insurer reviewing a claim, or an attacker who has been patient for the better part of a year.
