Airport Infrastructure Security Towards Global Security

raviolicharientismInternet and Web Development

Oct 31, 2013 (3 years and 8 months ago)

103 views

Airport Infrastructure Security
Towards Global Security
A Holistic Security Risk Management Approach
www.thalesgroup.com/security-services
Thiswhitepaperdiscussescurrentsecurityissues
inairportinfrastructures(new,existing,expanding,
commercialpassenger,generalaviation,majorcargo
ormulti-modal)andsuggestsaholisticsecurityrisk
managementapproachtomanagesecurityrisksto
an acceptable level whilst optimizing financial
investment.
Thales proposes to followthis approach during
airportprojectslikeplanning,design,construction,
renovationandassessment.Inclusionof airport
securityexpertiseearlyintheplanningprocesswill
result in a better-coordinated and more cost-
effectiveapproachtosecurity.
Threats Upon Commercial Aviation
The security and economic prosperity of a country depend significantly
upon the secure operation of its aviation system and use of the world’s
airspace by the country,its international partners,and legitimate
commercial interests.But a weak security could pose a threat to the
safety of the aircraft or those who board it.
Terrorists,criminals,and hostile nation-states have long viewed aviation
as a target for attack and exploitation.These types of attacks,which are
increasing around the world,considerably have altered the views of the
countries on how to secure and protect their population,borders,and
critical assets;they have also considerably have highlighted the need to
take immediate actions to reduce the likelihood and impact of future
attacks.
Successful attacks in an airport can inflict mass casualties and grave
economic damage,and attract significant public attention because of the
impact on the modern transportation system.As a result,threats on
airports are becoming more probable,and their impacts are increasing.
Airport security forces are nowfacing newunconventional opponents such
as terrorists (international and national),activists,pressure groups,
single-issue zealots,insurgents,disgruntled employees,or criminals,
whether white collar,cyber hackers,organized or opportunists.These
opponents are using different attack means including car suicide
bombing,man-portable air-defense systems (MANPADS),improvised
explosive devices (IED),ambushes,hijacking,kidnapping or hostage
taking,attack with armed hands,hacking and information warfare.
Airport Infrastructure Security
Towards Global Security
3
These attacks can be complex and coordinated and can exploit a
combination of physical,logical (information technology),
environmental,organizational and human weaknesses.
Most probable threats on airports are:
• Panic creation technologies (noise,smoke,fire crackers,etc.).
• High-yield vehicle bomb near passenger terminal (VIED).
• Lower-yield explosive device in passenger terminal.
• Armed hijacking,hostage,or barricade situation in passenger
terminal.
• Chemical or biological or radiological agents release in passenger
terminal.
• CBRN agent release in,or going through,the cargo terminal.
• Dirty bomb or nuclear materials hidden in freight cargo.
• Theft of passenger properties.
• Incendiary materials.
• Ballistic attacks
against aircraft
landing or taking off.
• Cyber attacks.
• Insider sabotage.
• Equipment sabotage
(Including airplanes).
• Infrastructure sabotage.
• Improvised explosives devices (IED) detonated in or near fuel
facilities.
• Improvised explosives devices near or in Operations Control
Center.
• Improvised explosives devices put on an aircraft.
• Sabotage of vehicles.
• Sabotage of utilities or maintenance facility.
• Sabotage of aircrafts.
• Illegal immigrations.
• Traffic of unauthorized materials (drugs,arms,ammunitions).
• Aircraft hijacking.
• Man Portable Air Defense systems.
• Taking hostages in airport terminal (raising the fear and tension
of families and those watching through the media,and then
ending in destruction,which is all filmed).
While it is not possible to expect to eliminate all threats upon
commercial aviation,there are some possible solutions that can be
implemented to reduce aviation-related vulnerabilities and enhance
the layers of defense directly exploited by criminals and terrorists.
A baseline security doctrine is formalized in different regulations that
are followed internationally.
>>
National and International Regulations
In Airport Infrastructures
Airport infrastructures’ security is governed by local regulations,
which are inspired by national and international standards:
• On the international level, the International Civil Aviation
Organization (ICAO) has produced an international standard and
recommended practices related to security i.e. Annex 17
“Security - Safeguarding International Civil Aviation against Acts
of Unlawful Interference” and Annex 9 “Facilitation”. In addition
the International Air Transport Association (IATA) defines rules
for airlines to ensure that new and enhanced security measures
are effective and internationally harmonized, and minimize
disruption to passengers and shippers.
• On the European level, the European Civil Aviation Conference
(ECAC) is in charge of refining international level rules into a
more detailed standard and to organize the inspection of
airports to check their conformance to the ECAC standards.
• At the US level, the Transportation Security Administration (TSA)
has produced multiple security codes and procedures (Code of
Federal Regulations, CFR) in collaboration with the Department
of Homeland Security (DHS).
• On the national level, each country has to implement the
international standards, taking into account national laws. In
practice, it introduces another level of refinement, which makes
the rules more precise and more constrained, and guides the
design and processes of the airports.
• On the airport level, national and international regulations are
put into practice, taking into account the specificities of each
airport, which is formalized in the “Airport Security Master Plan”.
4
5
These international conventions and regional standards (ICAO, IATA,
EU, US, etc.) define the security controls that should be implemented,
including:
• Security organization.
• Aircraft safety (ICAO, EUROCONTROL, CANSO).
• Airport security standards, operational audit and compliance
(ICAO, ECAC, EC).
• Technical standards and recommended practices (ITU, ISO, IEEE,
IETF, EIA, CITT, NEBS).
The regulations recommend securing the critical assets of the
airport but they are not listed explicitly.
Airport Critical Assets
The potential threats are directed against the whole airport but will
have more impact when they target their critical and strategic assets.
Some assets are obvious targets to attackers:
• Passengers and visitors.
• Aircrafts (with or without passengers aboard).
• Passenger and VIP terminals.
• Cargo and mail terminals.
• Airport traffic control tower.
• Parking garages.
• Fuel Facilities.
• Airlines buildings.
• Airport information systems.
• Power supply facilities.
P
repared and aware attackers could target building component
assets that are critical to the continuous operations or to emergency
operations:
• People like employees, contractors, vendors, nearby community
members, and others who come into contact with the airport.
• Aircraft rescue and fire fighting facilities (fire station and sub-fire
stations).
• Airfield support lighting.
• Runways.
• Fuel storage and fuel delivery systems for aircraft.
• Air traffic support facilities (tower, radar, weather station,
communications).
• Airport Management Center.
• Security Management Center with command and control rooms.
• Airport Emergency Command Post or Crisis Management Center.
• Emergency generators, including fuel systems, day tank, fire
sprinkler, and water supply.
• Water source and drainage systems.
• Critical distribution feeders for emergency power.
• Electrical substations including both external services and
on-airport generation and distribution systems.
• UPS systems controlling critical functions.
• Heating, ventilation and cooling (HVAC) for passenger terminal
and facilities.
• Main refrigeration systems that are critical to building operations.
• Elevator machinery and controls.
• Shafts for stairs, elevators, and utilities.
• Navigational and communications equipment.
• Main switchgear.
• Telephone distribution.
• Telecommunications (voice, video, data) including external wired
and wireless services as well as on-airport networks and
trunked radio systems used for public safety functions.
• Belly cargo facility.
• All-Cargo Area.
• Passenger’s baggage.
• Landside parking garages.
• Catering.
• Airport personnel offices.
• Airlines offices.
• Emergency access and roads.
• Railway, roadway or vehicle access way and surrounding
waterways or intermodal transportation facilities.
Therefore, the security measures of these critical assets should be
adapted to the threat level and so to the security risk level of the
airport.
6
Threat And Risk Assessments
A threat is an action, which may cause harm in the form of death,
injury, destruction, disclosure, interruption of operations, or denial
of services.
Threat assessment defines the level of the threats against critical
assets by evaluating the types, means and possible tactics of those
who may carry them out. In a threat assessment it is important to
be aware of national threats and to identify the threats specific to the
airport and to the airlines serving it. For in-depth analysis, it is also
interesting to identify the history of criminal or disruptive incidents
in the area surrounding the airport, but not primarily directed
toward the airport operations.
A risk is a combination between the probability of the threat and its
potential impact on a critical asset. In order to define a defense
strategy the security risks need to be assessed.
Risk assessment starts with the identification in the airport of the
threats, the critical assets and the vulnerabilities. Then security risks
are prioritized.
For each major security risk that needs to be managed security
objectives are defined to support the security doctrine: to detect, to
delay and to intercept. Security solutions are then implemented.
This is a complex task and therefore a holistic security risk
management methodology is required to enable all security risks
levels to be identified, whilst also evaluating the existing technology
(which should cover logical, physical and environmental issues),
organization and human factors security solutions.
>>
Holistic Security Risk Management
The objective is to define a security program based on a collective
effort that seeks to reduce the likelihood that passengers, airport
personnel, facilities and materials shall be subject to any kind of
attack, and to be prepared to respond to the consequences of such
attacks should they occur.
This section describes the security management process to
mitigate the risks and to develop a security program.
The first step is to set up the internal organization to pilot the risk
management process and to define the scope and objectives of the
Security Committee and the Security Working Groups.
The organization should be based on:
• Security Committee, the SC includes top management that
develops security strategy, provides guidance, direction and
cooperation.
• Security Working Groups, the SWG take actions, provide inputs
and feedbacks. They develop and recommend policies, prepare
planning documents, conduct risk assessments.
One of the SWG is the Threat WG, which consists in
Counterintelligence representative, Law Enforcement representative,
Information Operations representative and the Chemical, Biological,
Radiological, Nuclear and High Yield Explosive (CBRNE) representative.
Larger installations may include additional personnel as assigned by
the SC.
The objective of the security organization is to make sure that the
quality of the security management process is maintained using the
PDCA model:
• Plan: Establish or update the Security Master Plan to improve
security.
• Do: Implement and operate the actions defined in the SMP.
• Check: Monitor, review the actions and report the results to
decision makers.
• Act: Maintain and improve the actions.
The management of security risks includes
evaluating risks, developing solutions,
making decisions, implementing solutions,
supervising and improving the security level.
These are essential follow-through actions
of the risk management process.
Based on interviews, site surveys and
documentation, the following areas have to
be addressed:
• Threat Assessment i.e. Define alert
levels, identify the threats and evaluate
probability.
• Criticality Assessment i.e. Identify
critical assets and define asset criticality
levels.
• Vulnerability Assessment i.e. Identify
vulnerabilities and evaluate criticality.
This includes manpower and security
force protection assessments.
• Risk Assessment i.e. Identify and
evaluate the risks based on previous
assessments conclusions.
Whenever a risk is identified, the management
analyses and decides whether the risk
should be controlled, ignored, insured or
accepted.
A careful review of the prevalent security
r
isk environment and consideration of
minimum applicable security measures prior
to final decision will help to determine an
airport’s most appropriate security strategy
a
nd so the operational concept to put in
place.
If the decision is to mitigate the risk,
security objectives are defined. Then the
security solutions (based on technology,
organization or human factors) should be
provided (based on risk priority and
objectives).
Those solutions are categorized as prevention,
detection, response and recovery.
• Prevention: All measures to be put in
place by the organization to limit the
probability that a security incident will
take place. This should aim to define the
risk context of the airport, the policy
framework, the expected communication
and operational loop, the level of control
desired and the implementation plan.
• Detection: All measures to be put in
place to detect an incident. The priority is
the implementation of intrusion detection
systems, the logging infringement on
airport infrastructure and the daily
monitoring of security activities.
• Response: All measures to be followed
to minimize the impact once an incident is
detected. These measures aim at
a
nalyzing alerts, follow-up response
procedures and form a crisis management
cell as required by the severity of
incidents.
• Recovery: All measures to be taken into
c
onsideration to restore the damaged
system to its normal operating status
(the system prior to the incident). The
recovery is essential to ensure the
b
usiness continuity of the operations.
Appropriate security solutions should be
implemented through a series of actions
including:
• Prioritization of recommended security
solutions.
• Planning implementation and funding of
security solutions.
A suitable airport security system should:
• Rely on multiple security measures.
• Guaranty effectiveness in all airport
areas.
• Be deterrent to prevent any unauthori-
zed activity.
• Be regularly checked and maintained.
• Be proactive to be unpredictable.
• Log activity.
After identifying and implementing additional
countermeasures or mitigation efforts, it is
essential to recalculate the risks. A risk
management scorecard is appreciated.
A yearly complete risk assessment is
recommended.
7
8
Airport Layout
The general layout of an airport consists of three areas, generally
referred to as airside, landside and terminal, which have their own
special requirements. Though there are other important areas in the
airport infrastructure (i.e. all-cargo area, general aviation, etc.) they
are not detailed in this section.
The airside of an airport is where the operations of the aircrafts take
place. Typically, the airside is beyond the screening checkpoints and
restricting perimeters (fencing, walls) and includes runways,
taxiways, aprons, aircraft parking and most facilities which service
and maintain aircraft.
Airside security relies on physical barriers, identification and
access control systems, surveillance or detection equipment, the
implementation of security procedures, and efficient use of
resources. These security measures prevent risks of unauthorized
access to, attacks on, or the introduction of dangerous devices
aboard, passenger aircraft.
>>
T
he landside of an airport is the area where there is no specific
restriction of access. Typically, the landside facilities include public
parking areas, public access roadways, rental car facilities, taxi and
ground transportation staging areas, and any on-airport hotel
f
acilities.
Some critical assets, clear areas and communication requirements
needs particular security measures implemented in the landside,
such as an airside fence, aircraft approach glide slopes,
communications and navigational equipment locations and non-
interference areas, and heightened security in some buildings.
Landside monitoring areas should include terminal curbside areas,
parking garages, public transportation areas, loading docks and
service tunnels. Life safety measures could include duress alarms,
emergency phones and medical equipment.
An airport terminal is designed to accommodate the enplaning and
deplaning activities of passengers. The terminal is typically the area
of the airport with the most security, safety and operational
requirements.
Airport Security Objectives
Airport security should be based on
applicable national and international
regulations and policies to ensure the
protection of the general public, airport and
airlines personnel, and assets (including
physical and information systems and data).
This baseline security should be completed
b
y a holistic security risk analysis to adapt
the security level to the local threat
environment.
As stated by ICAO, high priority should be
placed on protection of the aircraft from
the unlawful introduction of weapons,
explosives, or other threatening articles.
From a business airport manager point of
view, all the critical assets of the airport
need increased security should an attack
occurs.
As a consequence, the airport security
objectives derive from the results of the risk
analysis and the regulations.
This section describes common airport
security objectives but should not be limited
as all airports have different missions and
layout.
Examples of security objectives include:
• An airport security organization shall be
defined and organizational procedures
shall be formalized.
• Site layout shall be based on operational
and security requirements.
• Airport location shall be chosen so that
surrounding airport areas shall not be a
potential danger due to cascading effect.
• Location of all critical assets of the
airport shall be analyzed.
• All critical assets shall ensure physical
resistance to blast effects (blast
mitigation, standoff distance, placement
of screening checkpoint).
• All terminals shall have CBRNE detection
and HVAC protection. Areas for
quarantine, detox, chem-bio screening of
people and vehicles shall be defined.
• A security boundary shall be implemented
between public and secured areas
(physical barriers, patrols, surveillance /
CCTV, sensors)
• The access to airside and secure areas
shall be controlled (people, vehicle,
deliveries, etc.) and unauthorized
access detected.
• The perimeters of airside and other
s
ecured areas shall use common
security technologies based on physical
protection (to delay), intrusion detection
system (IDS), video surveillance (CCTV),
t
racking of people, vehicles for
interception, and patrol roads.
Moreover, it shall include gate
monitoring (controlling people and
goods) with CBRNE detection, analysis
and recovery disposal, and should be
reinforced with unmanned vehicles; all
these measures supervised from a
command and control room with tactical
situation display.
• Airside roads shall have restricted
access to authorized vehicles. The
airside perimeter roads shall provide
unobstructed views of the fence and
maintain fencing clear area, positioning
of roads shall consider patrols,
maintenance access, emergency access
and routes.
• The aircraft shall be protected against
sabotage, intrusion of explosive or any
unauthorized material.
• Landside roads shall include pre-
terminal screening capability, CCTV
monitoring for security and safety, and
minimize proximity to airside.
• Natural barriers may provide “time and
distance” protection like bodies of water,
expanses of trees, swampland, dense
foliage, cliffs, and other areas difficult to
traverse.
• Contingency plans shall be evaluated
from an infrastructure interdependencies
perspective and enhance coordination
with other infrastructure providers (e.g.
electric power, telecommunications,
water, transportation).
• According to their roles and responsibi-
lities airport and airlines personnel shall
be aware of security risks, be trained to
respond to incidents (i.e. trained to
detect weapons, explosives and CBRN
products) and educated to analyze
complex situations (i.e. Psychological
profiling through cameras and covert
observation at different areas of the
airport).
• A security awareness program shall be
developed for airport employees.
• Background investigations shall be
c
onducted for new hires and periodic
updates for current employees (specially
for those with access to planes
and secure areas.). A hiring policy
s
hall be defined. Structured security
requirements for critical suppliers and
partners shall be implemented.
• Security policies and procedures shall be
formalized and communicated to airport
a
nd airlines personnel.
• “Gate-Keepers” shall have fast online
updates on current threats.
• Fast response teams shall have the right
equipment, be stationed in critical areas
and provide both visual and covert
security protection.
• In the event of a terrorist act of any kind,
emergency evacuation and protection
system shall be in place together with
trained personnel to assist the innocent
crowd.
• ID management for all airport and
airlines personnel shall be implemented
to efficiently manage both the issuance
and cancellation of ID access cards. This
includes the access right management
(level of security-zoning-person authorized)
and its connection to the HR database
(new or leaving employees, employees
changing jobs that require a different
access to security zones, etc.). As such,
access control needs to provide different
levels of security for staff, authorized
personnel and visitors.
• An efficient security screening of
baggage, passengers, cargo, mail and
catering shall be provided.
• The screening of personnel and supplies
entering secure areas and airside shall
be conducted.
• Facilitation shall be improved and
queuing time for the screening process
shall be minimized.
• A real time communication system shall
be provided to all the security personnel.
• The information systems and network
architecture shall be secured against
unauthorized use or access.
• Critical information shall be secured
according to the needs of confidentiality,
integrity and availability.
9
10
Recommended Security Solutions
The security solutions should conform to the security objectives. Key
security concerns focus on the protection of the critical assets.
Security solutions are based on organization, human factors and
technology.
The Airport Security Working Groups should include the affected
aircraft operators and tenants, local emergency response agencies,
aviation security and any other regulatory officials.
The organization of a security program should include cooperation
between:
• Airport Law Enforcement (Customs, Police, Intelligence, Military).
• Emergency Response Agencies.
• Safety authorization agencies (fire,
building).
• Operations and Maintenance Personnel.
• Freight and mail operators.
• Catering suppliers.
• Other End-Users.
The application of physical security equipment and structures
(barriers, access control, screening, and detection equipment) is
fully effective only if supported by similarly effective human
procedures. These include access and identification (ID) media
systems, personnel security training and procedures, maintenance
training and procedures, as well as constant supervision and
vigilance.
The local police (or the military) departments may collect and
compile information about criminal activity on or against property
under the control of the airport, provide crime prevention
information programs and intelligence, and conduct crime
prevention assessments in cooperation with appropriate law
enforcement agencies.
Security measures are supported by employees’ motivation and
skills. As a result awareness, training and education are airport
security concerns. These programs could be used not only to
improve levels of security but could assist employees to progress in
their careers and be recognized in the aviation industry.
The purpose of awareness presentations is simply to focus attention
on security. Security awareness training should be provided to all
people working on the airport. Awareness is a key ingredient in the
management of security risks. The security awareness program
objectives are:
>>

To give employees who are relatively new to the field of aviation
security a general overview of the
current trends and issues in security and
best practices for managing these
issues.
• To ensure a strong understanding of the
current security landscape.
• To inform managers who are not directly
concerned with security issues (those
who are in legal or finance departments
for instance).
Security training should be provided to the security professional
employees. The objective is to produce relevant and needed security
skills and competency by practitioners of functional specialties. The
training program should make sure that:
• Each professional employee has the appropriate and up-to-date
security knowledge, technical skills, and abilities specific to the
individual’s roles and responsibilities.
• They have the foundation of key security terms and concepts.
• Employees know how to mitigate common security risks i.e. to
have the correct response in case of an unusual event.
• They follow the Airport Security Master Plan rules and procedures
and attend specific training courses.
Security education should be provided to the security expert
employees (for example for some supervisors and all security
managers). The “Education” level integrates all of the security skills
and competencies of the various functional specialties into a common
body of knowledge, adds a multi-disciplinary study of concepts,
issues, and principles (technological and social), and strives to
produce security specialists and professionals capable of vision and
proactive response. The education program should make sure that:
• Each professional expert is focused on developing the ability and
vision to perform complex multi-disciplinary activities and the
skills needed to further the security profession and to keep pace
with threat and technology changes.
• They understand complex threat situations.
• Each expert is able to response to any type of unusual and
complex events (known as Holistic risks) with efficient and
effective measures.
• Each expert understands international and national
regulations.
• Each expert attends specialists’ courses on security issues
(political, legal, social, technology).
11
At last, technology is one of the key factors of security solutions.
Based on a good organization and trained people, technology can
ease risk mitigation.
Technology choice factors include:
• Security risk mitigation factor.
• Equipment cost.
• Installation cost.
• Maintenance cost.
• Effectiveness.
• Functionality.
• Space requirements.
Technology security solutions could include:
• CBRNE detection in landside and HVAC terminal.
• Equipment for biological and chemical attacks.
• Explosive and trace detection.
• Biometric and contactless smart badges access controls.
• Airside vehicle localization and tracking.
• Airside surface conflict alert.
• Physical perimeter sensors like optical fiber, microphonic,
seismic, electromagnetic and pressure sensors and taut wire to
detect vibrations and sound, infrared and microwave barriers (i.e.
a smart fence system).
• Baggage Screening.
• Passengers screening.
• X-ray and microwave screening.
• Boarding control.
• Duress alarms.
• Radar and long-range IR camera.
• Scanning sonar and hydrophones.
• Day/night CCTV cameras for motion detection and target tracking.
• Intelligent CCTV systems that automatically raise alerts regarding
unusual or suspicious behavior.
• Vehicle licence plate recognition in parking.
• IT LAN security with firewalls and anti-virus.
• Secured WLAN network.
• Secured public Web sites.
• Data encryption.
• ID management information system.
• Secured communications for portable mobile radio (TETRA).
• UAV.
• Non-lethal weapons.
12
>>
The original step is to define the perimeter of the SOW.
Thales considers the following actions:
• Meet senior management.
• Understand the business objectives.
• Set up a Security Working Group to review and validate the in-
termediate results during this SOW.
• Define the scope of the System that will be concerned by the
SOW i.e. one section of the airport or the complete airport envi-
ronment.
Outputs:
• Definition of the Security Working Group.
• Formalization of the scope of the System.
• Formalization of the planning of the SOW.
The original step is to define the perimeter of the SOW.
Thales considers the following actions:
• Meet senior management.
• Understand the business objectives.
• Set up a Security Working Group to review and validate the
intermediate results during this SOW.
• Define the scope of the System that will be concerned by the
SOW i.e. one section of the airport or the complete airport
environment.
Outputs:
• Definition of the Security Working Group.
• Formalization of the scope of the System.
• Formalization of the planning of the SOW.
The next step is to analyze the security risks existing in the System.
Thales considers the following actions:
• Visit the System.
• Undertake the threat assessment, the criticality assessment and
the vulnerability assessments.
• Do the risk assessment.
• Select risks to accept, to ignore, to control or to insure.
• Propose security objectives.
• Recommend mitigation security measures.
Outputs:
• Security risk analysis results report.
Typical Thales Scope Of Work
Thales can assist airport organizations to start a risk management
process and to formalize or to update the Airport Security Master
Plan.
To do so, Thales has defined a Scope Of Work based on the security
risk management process. This SOW is scheduled in five steps, as
described in the figure below:
13
Based on the decisions of the SWG, a strategy is decided and a
Security Master Plan is formalized to define the security doctrine
and the operational concept.
Thales considers the following actions:
• Define a security doctrine and an operational concept.
• Formalize the Security Master Plan.
• Plan implementation of security solutions.
• Calculate the return on security investment (ROSI).
Outputs:
• Security Risk Management Methodology document (adapted to
the organization).
• Security Master Plan document.
• Security doctrine and operational concept document.
• Implementation plan report.
• Return on security investment report.
The last step is the design and the implementation of the actions
described in the Security Master Plan.
Thales considers the following actions:
• Define a new security organization including the Security
Committee and one or more Security Working Groups.
• Develop operational security procedures including crisis
management, incident and antiterrorism responses.
• Design security control rooms.
• Define a training policy and develop a training program i.e.
operational and technical.
• Implement physical security i.e. barriers, video surveillance,
intrusion detection systems, access controls, etc.
• Implement information technology security i.e. LAN and WAN
network, Information system architecture, server hardening, etc.
• Implement communications security i.e. confidentiality, anti-
jamming, resilience, etc.
• Implement individual protective measures including personal
protection measures for personnel and family members.
• Develop specific software to produce daily scorecard of the risk
situation (with geographic information system support).
• Develop resilience solutions based on technology and organization
• Maintain the solutions participating in the Do-Check-Act process.
Outputs:
• Implementation and maintenance of the security solutions.
To support this SOW, Thales has developed a specific software
CASRIM i.e. Critical Asset Security RIsk Management. CASRIM
helps Thales engineers to analyze the situation and produces
graphical outputs of the risk analysis.
14
Benefits
Determining the risk is essential since the management must
understand the threats, what assets are most important to protect,
and which of these assets are most vulnerable. Assessing security
risk provides the criticality of an asset in relation to the threats and
the vulnerabilities associated with it. This helps the management
balance threats to vulnerabilities and the degree of risk that the
management is willing to accept by not correcting, or perhaps being
unable to correct, a vulnerability. For any threat, the management
shall manage risk by developing a strategy to prevent incidents,
employ countermeasures, detect suspicious activity, response to
alerts, mitigate the effects of an incident, and recover from an
incident.
The result of using a holistic methodology of this type ensures that
minimum appropriate investments are directed into security
solutions to reduce identified risks. In addition, as the security
technology, the organizations’ objectives and the processes are all
linked, efficiencies can be gained whilst still remaining secure.
Security features that have been factored into initial airport facility
design are more likely to be cost-effective, better integrated and
more operationally useful than those superimposed on existing
structures through add-ons or change orders. Likewise, security
features which have been coordinated early in the planning and
design process with the airport architects and other concerned
regulatory bodies, as well as with airport organizations (airport
tenants and aircraft and airport operators) and end-users (law
enforcement, public safety and regulatory agencies, and airport
operations and maintenance personnel) are more likely to be well
received and accepted, and thus more widely used and successful.
>>
15
Conclusion
By implementing a holistic security risk management methodology,
security solutions can be adapted to the changes in threats and
security risks, and the levels of investment can be adjusted in
accordance to the protection required.
The airport infrastructure is highly complex, with countless potential
weak links that are subject to security breakdowns. Airport security
should reflect the risk status and financial resources of an airport.
Smaller airports have limited funding and have to plan their security
projects with an eye toward simplicity and manageable cost.
The methodology developed in this white paper is scalable and can cover
from one single area to the entire airport infrastructure starting with the
passenger terminal, the cargo and mail terminals, the facilities then on
to the complete airside and landside.
Philippe Bouvier
Security Consulting
Thales - Security Solutions & Services Division
Airport Infrastructure Security
Towards Global Security
Organizations from around the world are already benefiting
from the use of this methodology including national airport
authorities, energy and water companies, military organizations,
financial institutions and transportation companies.
Thales brings together decades of experience in the aviation
industry and significant depth of knowledge of security
systems from its core competencies in defense and civil
businesses.
Thales is an unrivalled security risk analyst for the airport
industry.
If your organization would also like to reduce overall security
costs, improve the efficiency of security investment and
measurably reduce security risks then please contact your
local THALES representative for more information.
Thales
Security Solutions & Services Division
Security Systems
20-22 rue Grange Dame Rose
CS 80518
78141 Vélizy Cedex - France
Tel: +33 (0)1 73 32 00 00
January 2008 - Photos: Thales, GettyImages