Forum report: Best Practices

March 11, 2008
Industry leaders explore the next generation of tech tools for airports.

Washington D.C. — The second annual Advanced Technologies for Airport Security (ATAS) conference held early February reflected an oft-repeated sentiment in airport security circles — the technology exists, so why isn’t it being used? The invitation-only conference brought together the major players — airport operators, consultants, and technology companies (who also sponsored the conference) — to share their experiences.

Keynote speaker Charles Slepian, founder and CEO of the Foreseeable Risk Analysis Center, says it is up to airport operators to take the lead on security advances. “Your industry is under attack,” Slepian says.

“You’ve got to be more vocal. You’ve got to be more willing to think out of the box.”

Mark Denari, director of aviation security and public safety at San Diego Regional Airport Authority, agrees. “We are on our own in so many ways,” Denari says. “We’re left to our own devices to meet these federal regulations to somehow detect, prevent, deter.”

However, waiting around for federal regulations and mandates is not the best approach, Denari says. “The federal government is going to do anything except encourage us. The enterprise is solely on the airport operator to make those moves.”

Comments Slepian, “I have heard very little from the government in regard to the problem of aviation security except to condemn a failure that takes place in the airport. There is no proactive thinking coming from Congress. There’s been no proactive thinking coming from the executive branch.”

Slepian says the government’s solution is to just throw money at the problem. “They’re able to get away with it because the public is ignorant. A demonstration project by Flir or Siemens, with the proper P.R. and media coverage on what you can do to change what exists, is a good first step. Because TSA is not going to do it on its own.

“If the public demands it, the government will legislate it. And so, demonstration projects are really what you need.”

“We live in a time now where if we don’t take a risk, we’re not going to derive a benefit,” Slepian says. “Take the risk. Ask for it, monitor it, and don’t be afraid to comment on it if it doesn’t come out right.”

Denari says waiting around for standards and regulations from the government is not a good reason to wait on getting new technology. “I’m not a slave to any standards,” Denari says. “As the airport operator we have to make the decision to do something.

“I’m paid to secure San Diego International Airport. I really think you have to get in there, make some decisions, and make things happen. I appreciate the standards; you can learn a lot from those standards. But at the end of the day, you can’t be a slave to the standards. Otherwise there’s paralysis.”

John Halsema, technical director for the security practice at Intergraph, agrees. “You need to be involved in what you want those standards to do. The priority of those standards in many of the panels I sit on is not well understood.

“The glass is half full, not half empty. But what really will help is to better understand what people need to push those standards and there are ways to get ad hoc agreements in place well in advance of a signed copy of most standards.”

Slepian also says going back to privatized aviation security, with airport management at the helm, is one solution. “Privatization that has to report to the federal government might be the way to go.”

“I have heard over and over again that the issue of airports taking over their own security is the issue of liability,” Slepian says. “As both an attorney and someone who has worked in the field of security for 40 years, I can tell you that just is not a good excuse. Under the safety act, the liability can be mitigated. You need not worry about that problem. Perhaps getting accustomed to having TSA workers in your airports has made us kind of lazy.”

Holes in the system
“Six and a half years,” Slepian says, “and you know that the change has been minimal. We are still looking for a terrorist to come up to a screening station with some kind of a weapon in his carry-on bag. When it’s much easier for that terrorist to board the weapon either through cargo and baggage, which is checked to enter the rear of the airport and enter the ramp, go into the SIDA [Security Identification Display Area] in which we have thousands of people who aren’t vetted before they go to work. That really is a huge hole in the system.”

While passenger security gets the most attention in the national media, it’s actually the other areas of security that has San Diego’s Denari most concerned.

“The TSA owns the passenger property screening process,” Denari says. “The five other conditions are the perimeter as we traditionally know it, vehicle access gates, employee access ports or any port from the facility terminal complex that feeds to the secure area, our lobbies, and roadways.”

Denari is particularly concerned about the threat to pre-security terminals. “The threat of a vehicle-born explosive is absolutely real, and we’re sticking our head in the sand if we don’t thinking something like Oklahoma City couldn’t happen at an airport.

“They wouldn’t even have to waste a suicide operative in commanding that type of threat. You simply command detonate the vehicle after you put it on the curb. You could see that happen at five, ten airports within an hour; you’d have total destruction; they would never have had to get to an aircraft. I believe that there’s a technology that can identify that potential threat early enough that we might be able to thwart it.”

Donald Ross, senior managing consultant for IBM’s Global Business Services division, expresses concern about terminal security, particularly at Dulles International. “That main terminal is a killing zone. All it would take is one vehicle-borne IED [improvised explosive device] or one man-packed IED to walk into a terminal with approximately five to six thousand passengers and do damage that would surpass anything that we saw on 9/11.”

San Diego’s Denari notes that there are just a handful of threats to aviation. “I think they’re all the same for all U.S. airports,” Denari comments. “What I think are different are the vulnerabilities. Those vulnerabilities are shaped by the environment — physically, situationally — and other kinds of things.”

Slepian is particularly concerned about undeveloped lands surrounding the perimeter as a launching pad for missiles and other weapons.

“The technology to both monitor airport security perimeters, the most likely place to launch such an attack, and to interdict such an attempt is available,” Slepian says. “The issue of cost has repeatedly stalled the development of wide-scale assault on this vulnerability.”

“Lesser and equally effective methods involving the clearing of vacant land security perimeter controls and closed-circuit television are among the ways to get started with such a program without breaking the bank or the budget. Action always beats reaction.”

Minding the gaps
Convincing people in charge of the airport’s purse strings can be something of a challenge, but persistence pays off. One airport employee in the audience relates that he even staged a fake hijacking, accessing the airfield through an open cargo warehouse just to prove the threat was there. He got a couple of extra patrols for his efforts.

“Many of us at my level have the will and the energy,” Denari at San Diego says. “Sometimes we just don’t get the political support of the top. Many of the folks seem to think it’s risk-management based, so why should a board approve a $19 million advanced security package at San Diego airport when there’s no particular intelligence that says the airport is going to be harmed? I think that’s a very difficult thing for all of us and sometimes it just takes a constant push to bring these things forward.”

Slepian evens sees profiling as a possible solution. “The Constitution of the United States is not a suicide pact,” he says. “Common sense should tell us that the political aversion to profiling, a system which has long held an important role in law enforcement around the world, has an especially vital place in the war on terrorism.”

“Criminal justice has recognized that profiling based on characteristics rationally related to terrorist activity is an appropriate and reliable tool when used within the law. Profiling based on race and gender characteristics is impermissible and not useful in an airport or elsewhere. But as a part of an overall professionally based tool, profiling can play a vital role in protecting the public against criminal acts.”

Denari at San Diego says technology that allows airport domain awareness is the ultimate goal. “As we begin to look at technology I think we need to shift from human factors to technology,” he says.
“The new system really needs to be detection focused. If we can detect, we can maintain situational awareness. If we can maintain situational awareness, we can maintain domain awareness. And that’s what I think we’re really working towards.”

Panelists say that turning data and information into actual usable knowledge is a key component of an updated security system.

Comments Dan Procter, VP of client solutions and consulting for the consulting firm Ross & Baruzzini, “Basically, you need to define what is knowledge for your organization first, and then once you review you organization — and not just the core security team, but all of the security partners that will make up your extended security team — once they define what knowledge is in a crisis, you need to make sure that your processes provide that information in a time of crisis,” says Dan Procter, vice president of client solutions and consulting, Ross & Baruzzini. “You need to design or plan for those security processes in a way that incorporates your processes with your technology and facilities. They cannot be done independently.”

Denari agrees. “People need to just work with data that they have, not to be inundated with things they don’t need.”

Donald Ross, senior managing consultant for IBM’s global business services division, says a holistic approach to security systems will improve the operation of the entire airport. “TSA and the airports and technology industry must manage and track assets,” he says. “It is the tracking of these assets and personnel and equipment that will ultimately lead to improved security.”

“You’ve got to have positive control over everyone in your airport. We need to know who’s on the airport and we need to know where they are.”

Amir Schechter, program manager of critical infrastructure programs for Siemens Building Technologies, says that by integrating everything from security and baggage handling to resource management to one central management system is the best approach. “We can increase our operation amount, expanding the airport operation by supporting the expansion of our entire airport processes.”

Denari at San Diego agrees. “Look at a system design and create a functionality about the system so that these pieces can work in harmony together to achieve what they’re looking for. We have to take that in and then build a kind of analytics and an optimization in how that data’s used together, come out with some performance characteristics and than push it out into an operational environment.

“The concept is to merge existing systems and integrate those with advanced technologies. We’re trying to get holistic here, to tie everything together.”

Lessons Learned at Massport
William Hall, manager of access control systems for the Massachusetts Port Authority, discussed lessons learned from a recent overhaul of technology and access control systems at Boston Logan, starting from a legacy system.

“People at Boston have a great sense of, not quite guilt, but they take it very seriously knowing that several flights from 9/11 departed from Logan,” Hall relates.

“The first thing that we did that we had to do was review our infrastructure. Logan is an old airport. It’s an expanded airport and we were in the process of building a new terminal. So we had the opportunity to do it right; we made the investment. We looked to identify floor space and wall space that we were going to need to deploy this — the power and backup power for all of this.

“Power is something that you take for granted everyday. But when you get ready to roll out a large integrated application you need a lot more power and it needs to be reliable; it needs to be backed up.

“Air conditioning and heating, that was the other big thing. When you go integrated, now we’re putting in networks, we’re putting in switches, we’re putting in servers, we’re doing all of this kind of work that had never been done before; we could bake bread in some of these rooms. So we had to immediately reevaluate each of these locations, apply the proper condition and heating needs to make that work, and make it a work environment that microprocessors can exist in.”

Hall says staying flexible is also key. For example, he started out with nine different kinds of doors and portals, but had 27 different types by the time they were through.

“You learn through this review that the doors need to be configured similarly but the operation of these doors changes. And so your technology has to be flexible and change with it.”

“You have to be flexible and realize that you’re going to learn. You’re going to learn things about your airport that you never realized; you’re going to learn things about technology that you never realized.”

Hall says once the technology is in place, training people to use it is the next step. “You can’t develop your security technology, hand it off to your security department, and say, ‘Here you go. My position is actually staffed as a manager within the IT department. Massport chose to take the technology and put it in the IT department because they knew that over time we were going to have to grow this and develop it to meet the new needs; and to do that we have to have IT working with us.”

Documentation, Hall says, is vital. “Be aware of SSI Part 49 section 1520. A lot of the data that you’re dealing with now technically becomes controlled documents. It’s not secured documents. [The referenced section] defines how you’re going to have to manage that document: If it’s paper or whether it’s electronic media. So manage it well, keep a good paper trail, and keep good log files of where you move things.

Especially with email; if you’re going to use your consultants and your vendors to transfer information about the project that you’re going to do, establish internal email accounts. Put in place policies to track the movement of that information. Conduct audits to make sure that it’s all held within.”