Aviation Security is often perceived as consistently dealing with new threats and the technology needed to detect them, but there is much work ongoing on the issue of a threat that is all too familiar – a person within your organisation. Following the publication of special guidelines on Insider Threat last year, a special conference on the subject was held in April. By Jérôme Morandière
The well-known saying “Protect me from my friends, I can take care of my enemies…” demonstrates that the insider threat is not a new concern as such. If anything, it illustrates all too well the complexity and reality of the fact that a trusted collaborator can sometimes make more damage than a potential known attacker. Although this risk is not new, it is nevertheless garnering more and more attention, a growing concern for organisations and airports today, in particular those that have historically been attractive targets, such as aviation. And some lessons from the past have already taught us that we often give our enemies the means for our own “destruction”.
The insider threat remains one of the main potential risks to airport security, as airports can be vulnerable to criminal and terrorist attacks by airport employees, contractors and other entities working on the airport site.
It is a threat that comes in many shapes and forms at airports, but the perpetrator is often the same: an airport employee or contractor. In a malevolent attack, this employee will mislead an employer into thinking the employee can be trusted, sometimes with control over an entire physical security system. In an unintentional attack, it is an employee who threatens the critical infrastructure of an organisation, often via human error or plain recklessness.
Insider threat can be defined as one “posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which may cause harm or damage.”
In 2017, to help address the issue ACI EUROPE developed best practice guidelines aimed at better understanding the challenges and identifying possible actions and solutions to mitigate this risk.
The resulting ACI EUROPE Insider Threat Best Practices Guidelines cover inter alia: background checks, recruitment and continuous supervision, prevention (training, protection of documents, sensitive information, PC passwords etc.), access controls – for example how many people need access to the baggage make-up area or the critical IT systems, ID card management (lost and stolen, removal, change of job internally, cancelled badges etc), SeMS type management systems, balancing risk and response, security culture.
Good management practices include: strengthen the security culture through all levels; reporting procedures should include both anonymous and open reporting options; good cooperation with relevant authorities and airport partners with regard to information exchange; SeMS type management system; managing poor performance; resources for internal investigations and for checking of open social media (local legislation permitting); systematic quality and audit programme focused on all companies at the airport with airport ID-badges; and performance appraisals should be open and honest.
Some of the challenges faced by airports are inter alia: legislation; that many different entities work within the airport ecosystem; intelligence and information sharing; knowing when to intervene; sometimes limited security culture; the enforcement of rules; access controls; or low pay of the work force with privileged access.
ACI EUROPE together with Airpol (Airport Police Federation) recently invited police from the EU member states and airports to a two-day on Insider Threats Conference on 18-19 April in Brussels. The conference included a number of presentations on the threat from insiders, followed by a number of exercises where Airport Police and Airport Security staff worked together to better address how threats from within can be minimised. There were 28 participants representing 23 European airports and including an equal number of representatives for airport police. A great deal of experience was exchanged and important connections between airport police and airport staff was made.
It was announced at the last ICAO AVSEC Panel in March 2018 that there will be an ICAO High Level Conference on Aviation Security in November 2018; the focus will likely be the Insider Threat and GASeP implementation.
As a continuous effort to help its members, ACI EUROPE and Airpol agreed to organise another conference in 2019, to continue to promote knowledge exchange and to further explore the challenges of the insider threat that persist.
Jérôme Morandière is Aviation Security Manager at ACI EUROPE.