Wednesday, October 26, 2016

Access Badge Concerns at US Airports - A Way Forward

I was interviewed by Cox Media today regarding the TSA's report on access badge problems at the airports. Their position is that because the airports are self-reporting their own data - which in some cases understates the number of lost or unaccounted for badges - that greater government oversight and controls are needed.

To understand what the TSA is looking at, you need to know how a modern US airport is secured. It's divided into several zones: public (where anyone can go), sterile (after the screening checkpoint before you get on the plane), and the secured and aircraft operations areas (the highest security zones).

The TSA's rules for access badges originated with the FAA's rule in the late 90s - predating 9/11 and much of the security technology of today. Basically it stated that any lost or unaccounted for badges should not exceed 5% for each type, otherwise you have to rebadge everyone. The concern was that a criminal or terrorist could use that badge to gain access to areas where they didn't belong.

This is a concern, don't get me wrong. But we should also understand that the most secure areas of major airports require not just a badge but at least one or even two more factors of authentication. It used to be you could swipe that badge and you're in. Now you have to swipe and enter a PIN, and sometime also a biometric like a fingerprint as well. So using a stolen or found badge will give the bad guy the appearance of access - he'll look like he belongs - but actual access is much harder to come by.

When viewed overall, the percentage of unaccounted for badges in an airport is extremely small - usually less than 1%. When you drill down and examine one area on its own, small fluctuations in badge numbers can become magnified. The biggest problem for airports is employees of the companies who work in the sterile areas: the McDonalds, the bookstore, the Starbucks, or the pretzel carts you see on your way to the gate. These are the lowest-paying jobs, and the workers are the most transient. When they leave, they will sometimes take the badge with them and never return it. Many hundreds - perhaps thousands - of old terminated badges are lying in junk drawers across America right now. Most companies will terminate a badge and pay a fine if it's not returned, but that doesn't help the airports.

The TSA holding the airport management's feet to the fire puts them in a tough position, because even if they don't self-report, the companies that operate within the airport do. Also, the ones in the sterile area are small businesses with fewer internal controls and less strict personnel policies. The airlines and tenants that operate in the most secure areas do not have the badge loss problems these smaller companies do. So instead of more regulation, I think airports need three things:

1. More training and better communication between company management and airport management.

2. Sharing of best practices between airports and guidance from aviation industry groups like the National Safe Skies Alliance, a non-profit (funded by the FAA) which acts as a resource for airport operators.

3. Better use and reporting of access control data captured in the course of everyday system use. Software is capable of detecting anomalies in badge use and can alert both the airport and company automatically within an appropriate timeframe for badge collection, or if an employee is possibly an insider threat. It can also notify stakeholders when unaccounted badge counts get too high, so that action plans can be implemented.

Ultimately the airports themselves will have to demonstrate the effectiveness of their programs in order to avoid greater scrutiny by the TSA. 


No comments:

Post a Comment