This year marks the 10th Anniversary of the Security Management System (SeMS) enshrined via the IATA Operational Safety Audit (IOSA) programme (https://www.iata.org/whatwedo/safety/ audit/iosa/Pages/index.aspx). Over this period the audit programme has evolved immensely, helping airlines to bolster their safety and security management systems. Capitalising on the unique experience from its member airlines in assimilating both Safety Management System (SMS) and SeMS in an effective way, IATA, during the Second High-Level Conference on Aviation Security in November 2018, encouraged “the development of an Integrated Risk Management (IRM) approach, made up of SeMS and SMS elements, to manage cyber risk to aircraft systems.
Additionally, IATA led discussions during the last ICAO AVSEC Panel, that took place in May, which complimented and reasoned for why industry and government together must be able to adopt a true risk-based approach to security. It is commonly recognised that the aviation cyber domain is complex, both in terms of the tools used by the industry, and the international regulatory settings required to manage risk whilst at the same time enabling advanced connectivity. Whilst research is on-going to address these modern concerns of threat and vulnerability, we should not forget the basic principles of effective protective security.
One of the basic elements of SeMS is incident reporting. Currently, security incident reporting is not precisely defined through ICAO relevant documentation. A similar situation exists for industry where the idiom of comparing ‘apples-to-apples’ applies. However, industry and ICAO alike are part of the way there as IOSA standards require airlines to have a reporting system that is implemented throughout the organisation, that encourages and facilitates personnel to report security incidents and threats, identify security deficiencies, and raise security concerns.
Even though undefined, the importance of security reporting was universally recognised by ICAO through creating a new standard in Annex 17 (applicable as of November 2018) and requiring “..Each Contracting State (to) ensure that its national civil aviation security programme defines processes for the reporting of information concerning incidents of acts of unlawful interference and preparatory acts thereto, by any entity responsible for the implementation of the national civil aviation security programme in a practical and timely manner to the relevant authorities (…).”
The industry made efforts to prepare for the introduction of this standard. With the SeMS maturing over years, airlines’ desire to self-regulate and improve security management increased, thus security reporting became an IOSA requirement earlier cascading this obligation down to airlines’ subcontractors through the IATA Standard Ground Handling Agreement (SGHA), effective January 2018.
During the 2018 ICAO AVSEC Panel, IATA highlighted that “the need for harmonised, user-friendly and comprehensive security incident/occurrence reporting is becoming essential for developing a robust security culture in associating all staff performing security functions or experiencing security processes in the observation, quality assessment and knowledge sharing of their own security environment. The ‘See Something, Say Something’ concept could become reality with a simple and universal reporting tool which allows overall trends analysis and performance assessment.”
IATA’s role and mission, with support and active contribution of its member airlines, has since been to help with the implementation. This has been the purpose of the ‘See It, Report It’ (SeMS.iata.org) online micro-learning project. Video tutorials have been developed in all six official ICAO languages and many more are either already available or will be soon. All entities can benefit from these videos, incorporating them into their training curriculums.
Not only has this contributed towards the objectives of ICAO Global Aviation Security Plan (GASeP), more importantly it has showcased the modern approach to the security culture – the culture that recognises and acknowledges security is everybody’s responsibility and promotes a security attitude (what people believe about the importance of security), and the culture that then attributes how people perceive their involvement in security; overall, the culture which determines how people behave when no one is watching.
This is also why the ‘See It, Report It’ project has advanced in conjunction with another IATA initiative aimed at enhancing the quality of data used in support of the security risk assessments. Based on the industry input, and considering States’ feedback, IATA developed the security occurrences taxonomy included in the SeMS Manual Edition 2. This taxonomy is equally reflected in the IATA Incident Data Exchange Program (IDX) that will substitute the IATA STEADES (Safety Trend Evaluation, Analysis & Data Exchange) before end of the 2019. The taxonomy development aims at harmonisation of the language with the aspirational goal of helping airlines in capturing global industry security risks and for benchmarking purposes.
“…the ‘See Something, Say Something’ concept could become reality with a simple and universal reporting tool which allows overall trends analysis and performance assessment…”
In the meantime, ‘See It, Report It’ has progressed to the next phase, where IATA is working with volunteers to develop modern solutions for evidencing the acquired knowledge and the successful completion of the training. The solution being discussed should allow for direct authentication of the individual and verification of the training validity. In the course of further development, the mobile app format (iOS and Android) facilitating the onsite quality control activities while at the same time maintaining compliance with privacy protection rules (for example EU GDPR) will be developed.
Although compliance is important, IATA went the extra mile and focused not only on this element but also on promoting and enabling the development of a robust and sustainable security culture. Entities interested in joining the ‘See It, Report It’ project are encouraged to contact firstname.lastname@example.org for more details.
Matthew Vaughan, is Director, Aviation Security, International Air Transport Association (IATA).