Faced with a growing number of travelers around the world, airports are evolving their operations and business models. As part of this process, they’ve upgraded their physical security infrastructure, increasing automation to enhance efficiency and meet traveler’s needs and expectations. But any change can have unintended consequences. Adjustments to airports’ physical security systems and processes can have a substantial impact on the airport threat landscape.
This blog post describes how airport physical security has transformed in recent years and the potential repercussions on airport security overall.
From manual surveillance to sophisticated technology
Airports long ago augmented their approach from only having security guards to adding surveillance cameras. They are now adding sophisticated recognition technology to make sense of recorded footage. Artificial intelligence-based video management software identifies suspected terrorists on worldwide watch lists, detects unattended bags, passengers attempting to access restricted areas and employees or contractors entering zones without the proper credentials. Data privacy regulations, however, have not kept pace with these advances. While the U.S. and Europe have strict data privacy laws, many other nations have no such requirements. In those locales, there could be potential misuse of the recorded data in ways that infringe into passenger’s privacy and compromise passengers’ perceptions about airport security, potentially causing them to choose other airports.
From manual processes to automation
Twenty-five years ago, airports relied on manual processes. Now, passengers can do everything from obtaining boarding passes to checking in bags to boarding flights in an automated, self-service manner. Airports have also added a plethora of devices to streamline internal airport operations, including RFID tags, bar code scanners, radios, tablets and even beacons to help individuals find their way to their gate, restaurants or other locations. Every time system providers install another device, they concentrate on making it work. Rarely do they concern themselves with whether these devices are exposed or how they will impact overall security.
Discrete IT and OT systems converge
Once strictly operational, many OT systems now include IT or integrate with the airport’s IT infrastructure. For example, baggage handling systems that once simply moved baggage now have an IT component that interfaces with airport systems to share destination, flight arrival and departure data. But while these IT and OT systems have integrated functions, airports may not secure them in an integrated manner, leaving security gaps. For example, when baggage systems are connected, and baggage check kiosks are exposed to passengers and staff, an attacker could use them to hack into the network. Thus, when airports have complex integrations, they should consider security holistically and consider all the ways IT/OT systems could be misused or hacked.
Growing airport staff and other personnel with greater access to airport systems
To accommodate growing numbers of passengers, airports employ greater numbers of staff, contractors and partners. Many airports have areas beyond security checkpoints that require special access credentials for anyone to enter. Most airports give staff an ID card or utilize IT-driven recognition systems that require passwords to allow staff or contractors to go into secure areas. With any of these systems, unauthorized individuals can potentially steal a password or badge to enter the restricted zone. Airports thus become vulnerable to rogue employees’ intent, for example, on damaging an aircraft. The more staff/contractors the greater the risk of attacks or misuse of privileged access for personal gain.
As airport IT and OT systems evolve and become more complex, airports can no longer view individual security solutions in a vacuum. They must understand the impact each addition has on the overall threat landscape and develop comprehensive solutions that ensure end-to-end security.