Aviation Security Summit, Day Two, General Session II
Addressing the Insider Threat: Airport Access Control and Perimeter Security
Jeanne Olivier, A.A.E. Asst., Director, Aviation Security and Technology, Port Authority of New York and New Jersey
Laurie Aaron, VP, Quantum Secure
Christopher Runde, Director, Strategic Business Development, Alert Enterprise
Jeanne Olivier kicked off the session, talking about how “intelligence,” and other related information is an essential component to perimeter security, not just technology.
Ten years after 9/11, airports continue to implement both TSA mandated security measures, but also locally identified security measures.
“We’ve come to understand that different aspects of the “don’t knows,”‘ said Olivier. We now know that there are things that we don’t know. We know that there is some technology and certain processes have helped us close some security gaps.
Laurie Aaron brought some perspectives on the insider threat: can go undetected until too late; there is a higher chance of success and lower chance of being caught and can be disastrous.
National Infrastructure Advisory Council (NIAC) defined insider threat. Click here for more information: http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf
Aaron discussed an OIG report on insider threat within aviation focuses on the badge issuance process, the failure to properly conduct background checks, airport workers using security badges to access checked baggage and secured areas of the airfield. She pointed out several past incidents where airport employees were able to smuggle guns, drugs and in one case, Mark A. Russo Long Island Macarthur Airport who not only lied to obtain an airport ID badge, but was in the position of checking the credentials of others who applied for airport ID.
Aaron defined the challenge of credentialing in being that there are hundreds of employers asking you (the airport security manager) to give hundreds of employees access to the airfield.
Aaron also discussed the phases of implementing biometric based access control:
Phase I: combine the STA and CHRC process using a secure two-way submission
Phase II: Biometric used for identity verification (useful for spot checked on the ramp)
Phase III: Biometric used on Smart Card
Phase IV: Biometric used in physical access control
Chris Runde, formerly of the TSA, added to the issue of the insider threat, is that many times the anomalies are clear after the fact, but the damage has already been done. But, Runde noted, that key to the process of effective security in credentialing, is to remove manual processes, review physical access and logical access policies and remove access upon termination of personnel who have access to the system.
Runde also noted that through security systems integration, the system can note characteristics of unauthorized access attempt irregular use patterns, and a combination of role and attempted access. As rules are applied and tested (such as use patterns) the system becomes smarter and you can refine the process to focus on specific patterns and rules that will identify the real threats.