Aviation security has changed over the past ten years. New threats have emerged and existing threats have evolved, including chemicals, drones and cybersecurity. Airports now have to consider themselves a target, alongside flights themselves. The lines between safety and security are increasingly blurring, with protests and disruptions, not to mention the knock-on effect of operational challenges such as the COVID-19 pandemic, becoming a part of daily life. Social media and the internet provide an easy, anonymous way of making threats and enable groups to communicate and coordinate freely.
“…the lines between safety and security are increasingly blurring, with protests and disruptions, not to mention the knock-on effect of operational challenges such as the COVID-19 pandemic, becoming a part of
daily life…”
< This changing security picture comes against a backdrop of increasing passenger numbers, ageing populations, greater mobility, and a technological revolution. Our approach to security, however, has hardly changed at all. We have introduced automated screening checkpoints to increase efficiency, and we have found better machines to improve X-ray capability. However, in many cases, we are still focusing on protection of the aircraft, and leaving behind those who do not have the capability for expensive equipment. We are also asking a lot of our staff and screeners. They have to deal with the pressure of queues and crowds of disgruntled passengers, while trying to focus on detection of prohibited items, recognise suspicious behaviour, identify unattended articles, recognise the signs of human trafficking and wildlife trafficking, spot liquids and powders, screen bottles, shoes, and apply ETD on an increasing basis. Staff also need to adapt to changes in work practices necessitated by external factors like the COVID-19 outbreak, which could require the rapid adoption of different screening procedures. And that’s just at the checkpoint. Security staff are now having to look to the sky as well as protect the airport perimeter, and specialist information security staff are monitoring systems continuously. We all understand the political sensitivity and risk around changing regulation, removing measures or moving to a risk-based, outcome focused system of security. So, what else can be done to change our approach?
A New Approach?
When we look at where technology is heading, there would seem to be some light at the end of the tunnel. ACI’s Smart Security vision for security in 2040 looks at a “whole airport” security system.
The new vision explores macro and micro level trends affecting airports, such as traffic growth, sustainability, passenger expectations, and evolving security threats and implications for airport infrastructure. It explores the potential for shifting measures off-airport and through pre-screening, moving away from a single screening checkpoint to protect the wider element of travel, instead of just the airside and aircraft.
Key elements of Vision 2040 include the use of data and risk assessment processes, predictive technologies and behaviour analysis, automated identity management and automated detection of items. It imagines stand-off explosive detection technology that can be built into the airport terminal. Traveller risk will be well understood. Intelligent video analytics will assist in identifying threats in the landside, whether unusual behaviour or unattended items. The checkpoint will become a gateway, largely automated with intelligent threat detection.
This is perhaps the future, but will require investment, technological advancement and regulatory change. In the meantime, and for smaller airports, we need to find other ways of making security more holistic, and more efficient.
A New Old Approach
ACI’s Airport Excellence (APEX) programme in security brings together experts from around the world to peer review airports and offer their advice based on experience and expert knowledge. Over the past two years, ACI has been able to compile the findings of reviews and identify patterns of areas where airports typically need assistance. One of the key findings is that airports, security authorities and civil aviation authorities are taking a piecemeal approach to security. Some key elements are still not well understood, such as risk analysis, security culture and quality management.
A management approach to security is certainly not a new concept, but with more emphasis on this approach, we may be able to tackle some of the challenges we now face.
The effective management of security requires that airports manage the provision of security services in a systematic, business-like manner. There are seven interrelated components that are critical for a proactive, business-centric approach to security:
- Commitment from management;
- Threat and risk management;
- Resource allocation;
- Performance monitoring and measurement;
- Quality management;
- Incident management; and
- Continuous improvement, e.g. through a Security Management System (SeMS).
Management Commitment and Organisation
Managing security effectively should start from the top with an executive commitment to security. Senior management should formally acknowledge the importance of security and provide their support to it. This is the critical building block for security culture. Security needs to be seen as an asset rather than just a cost centre, and senior management need to be proud of their security standing. Regular communications to staff are needed, as well as communications to customers about security achievements.
Security managers should have clear accountabilities and be given the appropriate resources to deliver a strong security outcome. A robust, positive security culture should be part of every employee and airport worker’s values and behaviours, from top to bottom. Security organisation and policies should be recorded in a detailed written Airport Security Programme, that meets the requirements of ICAO Annex 17 and of the National Civil Aviation Security Programme (NCASP).
Threat and Risk Assessment
The way airport security is resourced, organised and delivered should be based on a thorough threat and risk assessment. Focusing on higher risk scenarios can help to make the most of resources and take some of the pressure off the security system as a whole. For example, an airport may be situated in an area that is not vulnerable to MANPADS attack but may be in close proximity to water that might facilitate unauthorised access. Working with the local authority to define and prioritise those risks will help to focus security measures, resources and spend.
There is much misunderstanding about risk. Too often, minor vulnerabilities are identified as major risks, simply because they have not been fixed over time. A formal risk assessment process that considers each scenario, its likelihood, impact and mitigations will help to better classify risk and thus focus resources. Ideally, security risk should be considered as part of a bigger risk management system, that looks holistically at safety, information security, aviation security and business risks, so that resources can be allocated appropriately across the whole organisation.
People and Performance
Of course, people are critical to good security so providing the right human resources should be a cornerstone of security management. This includes recruiting the right resources, training them, certifying them (where appropriate) and making sure they are motivated to stay in the organisation.
Once the right people are hired and trained, performance should be monitored and measured to make sure it meets the airport’s security objectives. Security performance indicators depend on the airport operator but typically fall into the three categories of security: performance; efficiency; and passenger experience. Targets, data measurement tools and reporting systems such as scorecards and dashboards should be in place to monitor the performance of the overall airport security system and improve the situation where necessary.
“…the effective management of security requires that airports manage the provision of security services in a systematic, business-like manner…”
This will help to identify poor performance, which might indicate a need for training, a mismatch of skills or simply an overload of tasks. It will help airports and authorities to prioritise and focus. A move to an approach of job-based competencies is an important part of building the most effective workforce; recognising the skills that are needed for a good screener may be completely different from those of a passenger-facing behaviour detection expert.
Quality Control and Audit
On a more formal basis, security compliance should be reviewed by conducting quality control activities on a regular basis. The airport security team should have a quality control programme in place, describing the types of quality control activities in place for security – whether it includes audits, inspections, tests, and/or exercises. Shortcomings should be recorded and lead to corrective actions. Similarly, quality control audits may identify areas where performance is not an issue. The number of audits in this area might be reduced to focus on areas of greater need.
Managing security includes being prepared to respond to security incidents when they occur. Airports should have airport emergency response plans in place that cover roles, responsibilities and procedures to adopt in case of a security incident. After their closure, incidents should be subject to a detailed debrief to identify lessons learnt. The priority should be on resuming operations as soon as it is safe to do so, communicating and maintaining staff and passengers’ confidence throughout. This can help efficiently address incidents, from minor breaches to major events. It may effectively prevent the escalation of a minor issue, avoiding costly evacuation and loss of business.
A Management Systems Approach
The seven components listed above should interact with each other to help the airport respond dynamically to changing situations. For instance, new data from quality control activities could lead to a review of the airport’s risk assessment. This would then lead to a change in the Airport Security Programme, with new mitigations being adopted. Airports may wish to focus on continuous improvement as part of their Security Programme, or they may wish to adopt a dedicated Security Management Systems (SeMS) approach, a formalised framework already used by many aviation stakeholders.
This approach to security may not be new, but it is certainly something that many airports can consider as a way of improving not only their security standing, but their costs, efficiency, customer experience and staff satisfaction.
When a system works like clockwork, it is much easier to integrate new practices, deal with new threats and maintain business continuity in the face of incidents. While we work towards a new vision, with new stand-off technologies and autonomous screening points, we can certainly make some improvements today.
ACI’s Management of Security handbook is available from https://aci.aero/publications/
Nina Brooks is Director, Security, Facilitation and IT for the Airports Council International (ACI) World based in Montréal, Québec.