Updating RTCA Standards

Updating RTCA Standards

Changing technology, security regs affect airport access control systems

By Christer J. Wilkinson, Chair, RTCA Special Committee No. 199

April 2002

Since last July, a committee has been working in Washington to update the technical standards for access control systems at airports. Such systems are required at most commercial airports under regulation CFR Part 49 subpart 107.14#, issued in the late '80s. Here, the committee chair offers an update of its progress and solicits industry input.

The regulations concern access to secure areas of the airport by airport, airline, and tenant staff. (The requirements are not to be confused with passenger identification and screening, which is a completely different set of requirements.)

There are some 400 of these systems; each airport system is completely separate and stand-alone. The systems have been supplied by a spectrum of vendors, and adhere to a set of performance requirements - not to a specified common technology.

Originally the systems mainly used mag-stripe badge ID technology. However, in recent years many airports have been changing over to proximity card technology, which allows a card to be used without direct physical contact with a reader. Just one airport, San Francisco International, implemented a system with a biometric authentication system based on hand geometry, though many other airports had trial systems.

RTCA Committee 199 was established just before the tragic events of September 11, with the intention of updating the old standards to reflect the changes of the new Part 107 regulations issued in July 2001.

The old standard (D0 230) had been established by a previous RTCA committee in the mid-1990s after the original Part 107 regulations were published. The purpose of these standards was to give guidance to airports and consultants on implementing such systems, and to provide a baseline against which to establish federal funding applicability.

The previous committee, established several years after the regulations were changed, was in response to numerous problems encountered in access control system implementation at that time. (These problems are summarized in the GAO report RCED-95-25.)

RTCA was chosen to produce these standards because it is a formally established agency under the Federal Advisory Committees Act and is responsible for many such standards. (Indeed, the name RTCA used to stand for Radio and Telecommuni-cation Concepts for Aviation.)

The meetings of this agency are open to the public and are advertised in the Federal Register. The plenary sessions are held in Washington, D.C. every six or so weeks.

With the new Part 107 regulations issued in 2001 it was felt that the document DO 230 was now inappropriate for two reasons: the regulations had changed the requirements, and technology had advanced in the intervening years.

Thus the sponsoring agency of the original standard, the Airport Consultants Council,# approached the FAA and RTCA with the recommendation that the standard be updated. The recommendation was accepted and the committee commenced its deliberations in July 2001.

Change in Direction
At that time, it was thought that all that was necessary was an update to the existing wording to reflect the new regulations, the changes in technology, and the operational experience sustained since the previous issue. In this regard it should be emphasized that the RTCA committee is only involved in the definition and selection of technical standards. It does not determine policy or regulations which until now have been part of the normal formal rulemaking process of the federal government, which had been followed in the update of CFR 49 107.

The tragic events of September 11th radically changed the scope of the committee, though this was not clear until the issuance of the Aviation and Transportation Security
Act in November, 2001.

Impact Of 2001 Legislation
Much of the public discussion of this act has focused on the requirements to screen passengers and their luggage and the nature of the organization to which this responsibility should be allocated. However, it also had several significant impacts on the area of access control at airports nationwide.

Although many provisions of this act have yet to be issued in the form of regulation, the likely impacts on access control at airports are clear. These are:

o The increased requirements for criminal history checks on badge holders;
o The potential introduction of biometrics as a personnel authentication mechanism;
o The need to introduce new technologies to address specific problems such as piggybacking;
o The need to enhance perimeter security;
o The need to prepare for some level of employee screening;
o The need to integrate the access control system databases.

A Common Card Standard

In addition to the potential new requirements as indicated in the act, early in the process of establishing the new transportation security agency it became evident that there was an intention of moving towards a common card standard nationwide. This was made clear in the issuance of the Credentialing Direction Action Group study and the transportation workers identity card proposals, based on the GSA smart card in February of this year. The card media was not standardized in the original Part 107 requirements - by intent, as it was not clear then what would form a suitable common media.

In response to this change in scope the committee set up three working groups to address:

o Smart Card identification media;
o Biometrics; and
o Database integration.

KEY TECHNICAL ISSUES
Contacts were made with the new TSA agencies and work is proceeding on these issues. There are several key technical issues that need to be addressed.

On biometrics, there is a clear need to decide which biometrics authentication mechanism to use, and whether to allow multiple mechanisms, and if so which mechanisms. Given this choice there is a need to establish standards for interfacing such equipment to systems, performance standards for the systems, and standards for interchange of biometric information between systems. Clearly the number of biometric techniques should be limited, but which ones and exactly how many are unresolved issues.

With smart cards there is the need to decide on the nature of the smart card and what information it should contain, and the degree of encryption required. Central to this is the apparent choice of the GSA smart card by the TSA. This card uses contact technology and not the proximity technology currently in use at many airports. While it is functionally more capable than many proximity cards, can easily support biometrics, and has the advantage of an existing set of standards and procurement mechanism, it may not meet all the environmental requirements currently satisfied by current proximity cards. In addition, there is the issue of whether a single card could be used at multiple airports nationwide and how this should be achieved.

Database integration presents two major areas of concern. First, there is the issue of which data is to be stored in which part of the system; this issue is focused on the location of the biometric information. Second is the need to provide reliable, secure, and private transmission of data between these systems and any federal databases as provided for in the last year's transportation security act. Given the record of security violations at many commercial and federal computer systems, this is a clear area of concern.

Operationally, the problems of introducing such systems are immense. It is expected that the TSA will shortly introduce some regulations in this regard. Normally the process of specifying technical standards takes place after the regulations are drafted. However, given the previous experience the committee decided to press ahead in advance of the regulations.

Progress is being made, but in order to keep pace with the rapid developments in the TSA and to produce appropriate recommendations, the committee has moved to weekly teleconference calls rather that the normal bi-monthly meetings common to most committees,

The committee solicits input from the public and professionals in its deliberations. Contact the RTCA at [email protected] to participate in this important activity.

About the Author
Christer Wilkinson, Ph.D., is a senior project manager for DMJM Aviation H+N in Phoenix, and is chair of the RTCA Special Committee No. 199. Active in airport security for more than 20 years, he has worked for over 100 airports in ten countries. He can be reached at (602) 522-9727.