I had the pleasure of recently conducting a panel on risk-based security and the removal of the LAGS ban in the UK, with esteemed aviation security colleagues (Matthew Vaughan, IATA; Wendy Reiter, SEA; Peter Drissell, UK CAA; Leen van Duijn, KLM; Ken Mann, Rapiscan) at Passenger Terminal Expo (PTE) in the Netherlands. We had a great chat prior to the event, and I summarized the nuggets from our call. Voila, I thought I’d share this aviation security goodness with the broader community. Enjoy.
Anne Marie Pellerin, Managing Partner, LAM LHA
Summary – Risk-Based Security & Removing Measures Once in Place
- Risk-Based Security is part and parcel to how we have always delivered security, and aviation security is inherently a risk-averse business. Politicians will not remove a measure or leave things as they are post-incident unless they believe that the level of risk is acceptable.
- When we are thinking through risk-mitigation measures and deploying new capabilities and approaches, it’s important to keep an eye on unintended consequences of our actions. As an example, new measures that create crowding on the public side of an airport is moving risk, not mitigating it. As well, technologies that are deployed to increase security but which lead to 30-50% false alarm rates may not have positive security impact.
- If/as you evolve capabilities, there’s a need to also evolve the regulation. E.g. Heathrow has deployed AIT and CT@checkpoint and the UK has evolved the regulation to support the deployments.
- The length of time required to remove a measure once it’s been put in place is linked to two primary conditions:
– The threat goes away or is reduced; or
– Tech or processes evolve in a way that they provide a credible mitigation to the risk.
- Tech manufacturers require three things to enable the development and deployment of equipment that may enable a measure to be removed:
1) requirements (what to detect/CONOPs)
2) testing that allows demonstration of performance and approval
3) regulation that requires or at least allows the equipment to be used.
- We need to create an environment that continues to incentivize airports to be first-movers in rolling out new capabilities. If, for example, airports buy a newly qualified system only to be told months later that it’s no longer qualified and that they will need to rip and replace, no airports will “go first” in the future (e.g. backscatter in Europe).
- To enhance risk-mitigation, there’s an opportunity to focus on spreading out the screening process across the passenger journey. Off-airport processing is an emerging theme, and an area where we can evolve approaches in the years ahead. Critical infrastructure is too valuable to shove everything into the checkpoint, which represents a single point of failure.
- Our approaches as an industry must be balanced. Why do we have complex certification processes when there is little focus on configuration change management for fielded equipment? Cyber is becoming a major theme in aviation security, and cyber risk mitigation is top of mind. Should cyber certification initiatives be more robust?
- Certain airlines have noted an interest in removing screening measures altogether, noting that they have a segment of the population keen on giving up screening/security assurances for lower priced tickets. This is a non-starter for most as our job is to protect those on the ground, as well as those in the air.
- There is a general interest in having security more closely resemble safety in how safety practices are imbedded in day-to-day operations. The development of Security Management Systems (SeMS) is a good way to buy-down risk, and gaining momentum.
- Passenger differentiation programs are less likely to take hold in the future given a reluctance to lower baseline screening for a population of passengers. There is no need at this point to enhance screening for higher risk passengers given everyone is screened to a higher level now given advancements in aviation security detection equipment.