A US Government report on internal security at the country’s 450 airports has recommended better monitoring of staff access and accreditation protocols including the greater use of biometric identification of airside badge holders.
Airports are huge employers of people and with such large numbers and regular turnover of staff the issue of security clearance and access control to vulnerable areas is a major one.
The sheer diversity among airports in the US makes security standardisation a daunting task yet the country has one of the most federalized airport security set-ups around the globe. The costs and risks associated with potential disruptions to aviation operations by instituting new security protocols across the board therefore remains a constant worry for the airports and the regulators.
There is a vast network of approximately 450 airports in the United States that are under federal supervision and control.
In 2016, there were over 900 million domestic and international US-bound air passengers, with that number expected to continue to grow significantly on an annual basis for the foreseeable future.
However, a report from the US Homeland Security Committee published last month said that many airport employees “are able to bypass traditional screening requirements that travelers visiting the airports must endure.”
After nearly two years of oversight efforts, the committee found that the majority of airports do not have full employee screening at secure access points. According to the report, these airports are unable to demonstrate the security effectiveness of their existing employee screening efforts, which consist largely of randomized screening by TSA officers or airport law enforcement personnel. There also remains room for improvement on how access to sensitive areas of the airport can be more effectively controlled by airport badging officials. In regard to employee vetting, the Subcommittee uncovered gaps in the types of data collected, as well as the data sets TSA is granted access to by government partners in the Intelligence Community. One airport security official noted that an individual’s mandatory ten-year criminal background check could conceivably come back clean, if the person had been serving a prison sentence during that entire ten-year period. Airport authorities expressed concern about their lack of insight into the vetting process conducted by TSA and the FBI. This prevented them from making fully informed decisions when granting badge access to prospective employees, they told the DHS review team who visited them.
One of the recommendations from the report is that DHS and airports should work to identify advanced technologies for securing employee access and work to further reduce the number of employee access points.
A particular problem identified by the DHS is control and monitoring of Secure Identification Display Area (SIDA) badges which grant employees access to secure areas of an airport.
Federal regulation requires that airports issue new badges to the entire SIDA population if more than 5 percent of badges are lost or stolen. Alarmingly, an audit released on October 24, 2016, found that “some airports were misinterpreting guidance on how to determine the acceptable percentage of lost, stolen, or unaccounted for badges; as a result, some airports believed to be in compliance with TSA’s security directive had actually exceeded the 5 percent threshold.”
At one airport, 17 former employees were still listed as having active badges. Another airport had an employee listed with active credentials almost a year after termination. Three former employees at another airport were still listed as having active badges.
The report concludes: “Some confusion appears to stem from individual employers within an airport environment failing to update the badging office of employee turnover or termination, meaning that the airport operator was unaware of a need to deactivate the individual’s access badge.22 In some instances, an employee’s SIDA credential authorization exceeded the length of time the employee was legally permitted to be working in the United States. Credentials should only be authorized for a period of time commensurate to when an individual is legally permitted to work in the country, and social security numbers should be required to be provided for vetting purposes of U.S. citizens and legal permanent residents.”
One airport has recently implemented a policy of random sampling of employee SIDA information whereby it is re-vetted monthly, in order to provide better insight into potential security risks between biannual background checks. Other airports have also developed penalties for employees who fail to report misplaced credentials in a timely manner or who continually lose security credentials.
The report also found that airports vary greatly in their use of biometric solutions, number of employee access portals, as well as which security measures are in place at employee access portals. Biometrics, using either fingerprints or retina identification to match the SIDA badge being swiped for access, add an additional layer of security to airport access controls, the DHS concludes. While there still exists an insider threat posed by an individual using his or her own SIDA badge for nefarious purposes, it would at least partially stem potential problems from the hundreds of badges that go missing each year.
In the US the landscape is complicated by the role of the Transport Security Administration (TSA) and the unique makeup of American aviation security, which is heavily federalized and presents challenges when compared to most aviation security arrangements across the globe, particularly at the local level.
During the course of this investigation, the Subcommittee visited 18 airports of varying size, geographic location, and security standards to gauge overall efforts aimed at improving access controls and mitigating the insider threat to aviation. The visits demonstrated a more coordinated, engaged aviation security community than had been witnessed in the past.
TSA’s efforts to address insider threats at US airports have shown encouraging results, the report concludes. From 2014 to 2015, TSA increased the total number of physical employee screenings from 2.1 million to 12.9 million and 88 percent of domestic airports have reduced their total number of access points.
The report concludes: “The Subcommittee did observe many examples in which access points have been reduced, new perimeter security and badging enhancements have been implemented, and airport operators and air carriers have gone above and beyond minimum required security standards. One airport has even developed behavior detection training for its employees, as well as an insider threat mitigation strategy. At least two major air carriers have also taken proactive steps to enhance the screening operations of both employees and passengers at major hub airports, and TSA has begun to engage airports and air carriers on a more consistent basis. These e_orts are encouraging and airports and air carriers should continue to implement enhanced security procedures that best suit their individual operating environments.
Biometric identification technology for airport security
Morpho technology is being used at several airports including Sea-Tac, LaGuardia, Kennedy, Newark, McCarran and Charles De Gaulle. These are some of the largest and longest running airport biometric solutions in the world.
Systems being used include identity verification and access control systems for air travelers, airport employees, tenant employees, contractors and other frequent visitors to airports using fingerprint, including contactless Finger-on-the Fly and a fusion of fingerprint and finger vein called Finger VP. Morpho has also developed facial recognition and iris technologies.
Many airports maintain outdated employee identification systems with traditional access cards. These traditional cards present serious vulnerabilities at airports, particularly when they are lost or stolen.
By adding a simple biometric security layer to the existing security platform, fraud can be eliminated and security significantly improved.
The use of biometric fingerprint technology allows airport to quickly confirm who is allowed access to sensitive areas. This process eliminates the potential for counterfeit identity cards and PIN numbers.
Biometric enhanced access control ensures airport security policies are followed and decreases staff access time to SIDA-controlled zones. Biometrics reduces identity theft and the need to remember passwords or to carry documents.
Travelling with weapons
In 2016, Transportation Security Administration (TSA) officers discovered 3,391 firearms in carry-on bags at checkpoints across the US, averaging nine firearms per day, approximately a 28% increase in firearm discoveries from the total of 2,653 in 2015. Astonishingly, 83% of the guns caught in 2016 were loaded. The top five airports where TSA officers detected guns at checkpoints in 2016 were: Hartsfield-Jackson Atlanta International with 198; Dallas/Fort Worth International with 192; George Bush Intercontinental at Houston with 128; Phoenix Sky Harbor International with 101; and Denver International with 98. These same airports were in the top five for guns at checkpoints in 2014 and 2015.
Greater Rochester International Airport saw the most improvement as no travelers brought firearms to the airport’s checkpoint in 2016 compared to five that were brought to the checkpoint in 2015. On the other hand, Buffalo-Niagara International Airport saw an increase in the number of guns brought to the airport’s checkpoint, when six guns were detected in 2016 compared to just two in 2015. The Upstate New York region saw 10 firearms detected by TSA officers at checkpoints in 2015 and again in 2016. Examples of firearm detection cases include a man who was caught with a gun at Washington Dulles International Airport on January 15 after TSA officers apprehended him trying to carry a handgun past a security checkpoint. The handgun was not loaded, however his carry-on bag contained a magazine with five bullets along with five loose bullets.
Under TSA regulations, firearms, firearm parts and ammunition can be legally transported in checked bags if they are unloaded, properly packed and declared to the airline. Firearm possession laws also vary by state and locality in the US.
The “insider threat”
The DHS report quotes a number of examples in which accredited airport staff have been involved in criminal activity.
The report concludes: “There are increasing concerns that insider threats to aviation security are on the rise. In all instances, the employees in question had access to secure areas of the airport. These insider threats, and the lack of adequate access controls at airports nationwide, are of particular concern given the rise of terrorist groups bent on penetrating US airport security to commit terrorist acts and “lone wolf” attacks being inspired by terrorist groups like ISIS.”
In December 2013, 58-year-old Terry Lee Loewen from Wichita, Kansas, was arrested and charged with attempting to detonate a vehicle-bomb at Kansas Mid-Continent Airport. Loewen had worked at the airport as an avionics technician and was able to acquire the necessary wiring materials for the bomb from the airport. The FBI detected this plot before Loewen posed a serious danger.
In November 2014 three men from Minnesota who had previously worked at Minneapolis- St. Paul International Airport were recruited to fight for ISIS. One individual, Abdirahmaan Muhumed, had a Secure Identification Display Area badge, granting access to secure areas of the airport and to any plane that passed through the airport.
In January 2015, Ernest Abbott, a Federal Aviation Administration inspector was arrested at New York’s LaGuardia International Airport after a TSA screener found a firearm in the inspector’s carry-on baggage. This inspector had already traveled to New York from Atlanta where he used his SIDA badge to bypass security screening. To make matters worse, the inspector flew in the cockpit with the pilots from Atlanta to New York.
In June 2015, the DHS OIG released a report which found that 73 aviation workers who held sensitive jobs within US airports had possible ties to terrorism, which their background checks did not reveal. “Without a comprehensive background check for employees, TSA does not have the ability to vet those individuals who may harbor ill-will toward the US or have connections to individuals who do,” the report concluded.
TSA still only checks employee criminal records every two years. Only three US airports — Miami International Airport, Orlando International Airport, and Hartsfield Jackson Atlanta International Airport — have implemented full screening of employees and their property before granting access to secure areas of the airport. In addition, TSA is still working with the Federal Bureau of Investigation to deploy recurrent criminal background checks for all SIDA badge holders and vetted employees.
The report recommended airports should work to identify advanced technologies for securing employee access.