Many organizations are working on bringing biometrics to airports but obstacles remain
By Zack Martin, Editor, Avisian Publications
How airports identify employees has been a concern since 9/11 and other incidents have shown that there are potential security vulnerabilities. It’s so important that last October’s Smart Card Alliance conference held a panel dedicated to the subject.
The Transportation Security Administration is working on a specification for airport access control systems that would use biometrics and smart cards. The specification calls for an interoperable credential that could be read at airports throughout the country.
Some airport and government officials are less than receptive to the idea of using a standard credential or being told what kind of access control system should be put in place at airports. “Airport workers know their people better than anyone else,” said Lydia Kellog, senior manager, public safety and security with the Airport Council International. “The regulations don’t need to be changed.”
But breaches happen. The incident pointed to most often when it comes to better securing credentials at airports is an incident at O’Hare International Airport in 2007. In that case 23 employees from a staff-outsourcing firm were using ID cards from employees who had quit. So instead of having new employees go through the background check they were hired and told to go through a box of badges to find one that carried a resemblance. Each of the badges in the box also had the personal identification number taped to it.
This incident emphasized the need to use biometrics to tie an individual to a credential. But airport credentialing since 9/11 has been an interesting tale. Airport workers originally were supposed to receive Transportation Worker Identification Credentials, just like seaport workers.
That didn’t happen–some industry insiders suggest the airport lobby prevented it. Now TSA officials are working on another specification. This latest spec takes some of the lessons learned from TWIC and FIPS 201 to create a standard that would work specifically for airports and potentially be issued to more than 1.5 million airport workers and hundreds of thousands of airline employees. But the future is uncertain, with a weak economy, a new administration in the White House and airports disagreeing with how it should be done. That makes it difficult to predict what’s the future of airport credentialing.
There are already a number of different projects running, creating an all-new alphabet soup. The TSA has the Airport Credential Interoperability Specification (ACIS) and the American Association of Airport Executives (AAAE) created the Biometric Airport Security Identification Consortium (BASIC). The AAAE is working with the TSA on its efforts.
Chris Runde, with the Transportation Threat Assessment and Credentialing office at TSA, has been leading the airport credentialing charge for the TSA and at the Smart Card Alliance conference he outlined the agency’s plan for the ID. To start, he stresses that ACIS would not mean universal access for airport employees. “The intent of ACIS is to have common identity verification,” he said. “The government is trying to lay the framework and then move toward biometric access control.”
The credential would be a smart card and contain identity, logical access and physical access control applications, Runde said. Physical access control systems would also have a link to the federal revocation list.
The TSA does want common identity vetting throughout the aviation community, Runde said. Using common identity vetting would enable airports to have a baseline trust, he added. For example, if an airport worker transferred from Orlando International Airport to Los Angeles International, instead of having to perform another background check the worker’s credential could be scanned, along with the biometric, and he could then be given access to the airport’s physical access control system.
As of November, the TSA was planning pilot programs for ACIS and developing technical requirements for identity vetting, Runde said. When asked for further details on ACIS, the pilots or the status of the program the TSA declined to provide additional information.
Meanwhile, airports are moving forward with a number of tests, said Carter Morris, senior vice president of Transportation Security Policy at the AAAE. “The ACIS technical spec is one of a handful of initiatives that is impacting the process,” he said.
The AAAE is working and partnering with the TSA on these projects, Morris says. The primary difference is that airport operators want to drive the initiative and not be told what to do. “We are keeping the TSA apprised of the airports’ efforts and we are seeking formal TSA endorsement,” he says.
Some have said the AAAE’s efforts are at odds with what the TSA is doing, but Carter disagrees. “The active airports and the TSA are on the same page,” he says.
The AAAE BASIC program wants to give the TSA an airport-centric view of how the technologies work and then broaden that into how all airports can use the system, Carter says. The consortium also wants to provide airports with a migration strategy and provide the framework for the information exchange that would be the backbone to a national airport credential.
“I would hope what we see is a coordinated effort toward a common biometric framework that airports can adopt locally and invest in locally in a suitable time frame,” Morris says.
Airports may also have made recent investments in physical access control systems and that needs to be taken into account, Morris says. He’s hoping that the TSA endorses the policies and standards that the industry comes up with through its pilots.
One of the issues airport operators have is that all the facilities are different. “It’s much different from a one-size-fits-all approach,” Morris says.
Working with existing systems
The fear many airports have is that they will have to tear out existing systems, says Lori Beckman, president and CEO at Aviation Security Consulting Inc. She previously was director of security at Denver International Airport. “We need to take the airports’ existing assets and build on them,” she says.
Beckman is coordinating some of the pilot projects for BASIC. The focus of these tests is putting the processes in place to use biometrics. “When people think of biometrics they think of hardware,” she says. “But there’s a lot of process work that has to go first.”
Part of the process is exchanging biometric data between airports, Beckman says. Many airports already send employee biometric data to the Transportation Security Clearinghouse for background checks, but there aren’t processes or the infrastructure in place for airports to exchange the data. BASIC has been running pilot projects to test biometric information exchanges between airports.
The biometric exchange would enable interoperability at a basic level, Beckman says. An airport worker transferring jobs could present the credential, verify the biometric and the airport would know that the employee has undergone the proper background check. “You don’t have to go through the other part of verification,” she says.
Figuring out how biometrics will affect credential enrollment at the airports is one concern, especially at smaller airports, Beckman says. ACIS is proposing one individual enroll a worker in the system and another issue the credential. For a smaller airport that maybe issues ten badges a week this would be onerous. “When you get to a smaller airport it’s one person,” she says. “We’re trying to come up with a solution that meets the needs of all airports.”
Airports are unique, like snowflakes
Mark Crosby, chief of public safety and security at the Portland International Airport and the Port of Portland, echoes that sentiment. “Each airport is different and needs something that works,” he says. “If you’ve seen one airport, you’ve seen one airport.”
Portland International is using a mag stripe card with a PIN for access to secure areas, Crosby says. In-house software developers developed the backend system but the airport knows biometrics are the future and is participating in BASIC. He estimates that will cost $5 million to $10 million to upgrade the access control system to use biometrics.
This isn’t Crosby’s first experience with biometrics either, he is overseeing TWIC deployment at the Port of Portland. “We’re still figuring out what we can and can’t do with TWIC,” he says. “We have the same staff working on the seaport that will hopefully take the positive components of TWIC and use those to design a better aviation-based access control system.”
But the airport is waiting because it doesn’t want to install something that doesn’t meet government-prescribed standards, Crosby says.
Jeanne Olivier, general manager of aviation security and technology at the Port Authority of New York and New Jersey, has tested six different types of biometric systems at the airports since 2001 and is also waiting to see what standards come about. “We want to make sure what we install is conforming to federal standards,” she says. “It doesn’t pay to be too far out ahead.”
Olivier is chairing the BASIC committee for the AAAE. Her day job also has her busy. The Port Authority of New York and New Jersey has 16 total terminals and operates two terminals at the airports. The airlines or a consortium run the others. The Port Authority Board has authorized $6 million for some initial testing of biometrics.
Over the past few years the Port Authority has piloted different types of fingerprint and iris physical access control biometrics in different weather conditions, Olivier says. Officials also have tested various different media to carry the biometric and applications beyond access control, such as starting a vehicle.
In one pilot the Port Authority fused the biometric with an intrusion detection application, Olivier says. They used it in cargo areas, which are open and sometimes difficult to secure. The system was able to detect when a worker entered a restricted area and the individual would then have to identify himself with an RFID token that had an embedded fingerprint scanner.
At LaGuardia International Airport the Port Authority is running a similar pilot for perimeter intrusion detection, Olivier says. The facility is using ground radar to detect surface movement. If something is discovered and officials don’t know what it is, instead of sending out security the tower can try communicating first. The individual confirms his identity using an RFID key fob with a fingerprint scanner.
Olivier says the standards and hardware for airports to deploy biometric systems at airports are close. “We’re about 80% of the way there for biometrics as a security solutions for airports,” she says. But it’s probably still a couple of years before wide scale deployments begin. “We’re very close and there will be significant advances in the next two years,” Olivier says.
Portland is a little less optimistic about when it will begin rolling out biometrics at airports, Crosby says. “I don’t see the economic environment turning around that drastically in 2009,” he says, adding that it may be three to five years before biometrics become widespread in airports.
BASIC will conduct some pilot tests of biometric and smart card readers at airports in 2009, Beckman says. One of the biggest issues is how to use the technology outdoors in harsh climates. “I suspect we will be doing a lot of testing in the next year,” she says.
While testing is a step in the right direction there are some who say airports are still vulnerable. And until airports operators start shoring up security it doesn’t matter how much liquid passengers are prevented from bringing on the planes.