The fatal explosion at Domodedovo International Airport at the end of January this year highlights the eternal vigilance required to keep the world's aviation hubs safe from attacks. Over the course of the full investigation into the attack, Russian authorities will no doubt be focussing on where Domodedovo's security regime failed, especially as it had undergone a costly security upgrade after the bombing of two aircraft taking off from the airport in 2004.
But what are the future technological and strategic options for an industry that is struggling to keep pace with the scope and scale of the threat? Airport Technology's Chris Lo talked to Jim Slevin, business unit manager (transport) at UK-based biometrics and analytics specialist Human Recognition Systems (HRS), about more proactive security strategies, and the technology that could facilitate them.
Chris Lo: What do you think are the most common security weaknesses at airports?
Jim Slevin: This is where the terminology gets interesting, because of what the word "weakness" implies… it's a strong word to use. It's a very difficult job to balance the security needs with customer service and cost effectiveness. What you actually have are natural effects of the security regime at airports. The first aspect is around an ever-present and changing threat. Most of the security processes and technologies deployed are through a reactive regime.
From a regulatory perspective in the main, it is highly reactive. So in other words, whatever threat has occurred previously, they try to close that door. You end up with a security model based on compliance to regulations based on previous attacks, and you have to comply with international, regional and national security models, whatever they may be. Above everything else, you have to be compliant. Then if you've got the time, energy or resources left, you can examine other modes of security.
CL: Do you think an airport security strategy should have a level of proactive intelligence built into it?
JS: The good ones do. I think the UK airports in particular have done extremely well, both with the multi-agency approach and with the more recent drive towards an outcome-based security model. However, it's a difficult concept to sell to stakeholders; that you want to spend money on something that hasn't happened, unless there is a clear threat intelligence model to show that money would be well spent.
That's part of what makes that job so difficult for the people who are delivering security in airports or other transportation hubs. You think something is going to happen, but nobody knows for sure, so what are the right gaps to close?
CL: What are the modern options for restricting access and establishing security perimeters at airports?
JS: I think most are quite well documented, in terms of de facto access control and surveillance technologies. I think what's critical is thinking about where those perimeter lines are drawn. Airports by their nature are large, wide, open spaces, and assets do need to travel around in them, not least aircraft. So they're not easy perimeters to manage, you can't harden it and tell people they're only allowed in one place and only drive through specific routes; operations and aircraft don't quite follow that notion.
So, you can widen the perimeter control and force more access control and an associated increase in screening, or you can look to harden important targets within that the perimeter. So a lot of it depends on what you're trying to stop. I think most people are thinking about what they can do to further harden the higher-risk areas - major pieces of critical infrastructure such as control towers.
CL: What can biometrics and human behaviour analytics bring to an airport's security strategy?
JS: Biometrics allows us to definitively answer who somebody is, whereas behavioural analytics permits us, when we don't know who you are, to least work out what you're doing. Biometrics is going to, over time, play an increasing role in airport security. The main reason for this is that there appears to be a real desire in the industry to change the model from a sheep dip, a one-size-fits-all security processing model, to one that's based on some threat and intelligence basis, based on individuals. If you're going to base security decisions on an individual, then you have to lock down who that individual is.
Realistically, biometrics is the only answer because tickets and other breeder documents can be swapped or falsified and are therefore fallible. Don't get me wrong, there are data protection issues and privacy concerns to be overcome with biometrics, but I believe they will be overcome if the security model and the facilitation of access is beneficial. I'd also say it's the only valid way to permit the intelligence sharing of that information. One of the things we often forget about is the people who get access to that data; there are lots of concerns over data protection and privacy of information. Biometrics can identify you as a member of staff, and says whether or not you have permission to see a particular piece of information.
CL: Can technology help security staff to track airport flows and highlight suspicious movement?
JS: The simple answer is yes. For us there are two approaches to this. One is utilising behavioural analytics, and some of the best systems will actually learn what normal behaviour is, so you can either teach the system or it will start to learn itself what is normal. Abnormal behaviour might be a threat or it might just be an incident. We use an example of a particular system we put in place to prevent backtracking at Manchester Airport's terminals for a few years now, among other deployments. One of the interesting things we found out from that particular one was some odd processes that were going on with baggage. It wasn't a security issue, but it was a customer service issue. What was happening was abnormal behaviour, so they managed to pick up a customer service issue around baggage handling as a result of having the security system.
Secondly, as biometrics increases its penetration in airports, you start to get some amazing management information back regarding passenger flow. So if you imagine a position where your biometric is your ticket and you're logged at various stages, there will be people who worry about the Big Brother aspect of that. But if you view that biometric from an anonymous perspective the system can simply know it's seen a unique passenger at points A, B, C, etc through the airport and knows what times they were there - consider that for all passengers going through and you have an enormous amount of journey measurement information upon which to make real-time operational decisions. It's maybe an output from a different security regime, and it's invaluable information in terms of what is a normal flow, so you start to see, for instance, bottlenecks if there are queues developing.
CL: How can airports balance rigorous security with a convenient airport experience for passengers?
JS: The "best balance" may change on a day-to-day basis, depending on what's happening in the world. Again, this is where experience from having worked on the client side of airport and security operations comes in to play, deeply understanding how difficult it is to strike a balance that's changing all the time.
Where technology can really help is in reducing the total cost of ownership for routine and, dare I say it, "mundane" security tasks. Replace those tasks with technology, shifting appropriate, highly skilled people to pick up the difficult job of flexing to achieve a changing "best balance". I'm a firm believer that if you've got something routine, you can automate it. You have to think about the cost-benefit analysis as not just being purely about replacing that activity, but also the opportunity that you gain by being able to put people into more difficult, complex and changing situations, for instance, where you need to put randomness into the situation.
CL: What do you think will be the major innovations in airport security that we might see in the next few years?
JS: Because we're always on a lag, we're having to deal with some of the current threats or known anticipated threats, and catch up with those such as internally detonated explosives. These threats are there, but deployable technology is still catching up to mitigate the threat. So we'll continue to see incremental screening technology improvements. I think we will see a strong shift to accepting biometric data, moving forward, though I would say that, wouldn't I! A lot of that will be driven by social acceptance of biometrics moving forward.
As banks and other institutions start to move toward biometrics, it will become more socially acceptable. In fact, from the feedback we're getting back from work on the ground, I would say it is now socially acceptable in an environment like an airport, especially if it helps facilitate people getting from A to B. As a result we can genuinely realise a ticketless environment for passengers, or indeed more robust mobility of staff from airport to airport - your biometric always travels with you.
Perhaps this is more of a personal desire than a definitive statement, but I would also say we will see an increase in randomness in the security models. I think there has been a real push over the last few years for standardisation, common security regimes across the world. I think the realisation is setting in that it can create a real problem - if anybody breaks that model, it's broken everywhere, a "class break". Therefore you've got to increase randomness.
Part of our approach is to automate some of the mundane tasks, to allow people to introduce randomness. Because people, if they're well instructed, can generally do that very well. So if we have to manage what we do today ad infinitum, then automate those tasks as much as possible to permit headroom for the new and emerging threats that technology needs time to catch up on.