Getting Back to BASIC Airport Security

Sept. 29, 2009
Airport consortium works on developing industry standard for biometric access control

In an attempt to prevent the Transportation Security Administration (TSA) from imposing government-mandated access control standards, the airline industry has decided to form the Biometric Airport Security Identification Consortium, or BASIC.
The goal of the consortium is to create a framework from which the nation’s airports can adopt a biometric-enabled access control system for its employees.

What initially began as a six-airport pilot project in the spring of 2008 has transformed into a major industry initiative that now encompasses nearly 40 airports, ranging from small local operations to some of the largest and busiest airports in the nation.
According to Lori Beckman, former director of security for Denver International Airport and founder of Aviation Security Consulting, the TSA was discussing implementing biometric standards for airports in late 2007, which was a concern for her and other airport security officials, given that they had imposed requirements for the current access control systems being used by airports during the ’90s.

“The way that it was promulgated was just horrible for airports — it was expensive,” Beckman says. “The service providers were not ready to roll out what the TSA wanted and it was just really messy. A lot of (systems) had to be replaced in a few years and we didn’t want to go down that road again.”

This time around, Beckman says that airports wanted to try and work with their existing access control equipment and build on that without having to completely reconfigure their systems.

According to Carter Morris, senior vice president for transportation policy at the American Association of Airport Executives (AAAE), working with legacy access control systems is the one of the biggest reasons airports have decided to take part in the BASIC program.

“It’s absolutely critical because airports have already made investments in these (access control) systems. It doesn’t need to be a whole new system; the goal is what can we add incrementally that accomplishes the same thing,” Morris says. “Those are the types of issues airports are keeping an eye on. We don’t want to create a framework that throws a whole bunch of good stuff away just so you can put in an incremental piece of technology.”

Morris adds that implementing technology that is “future proof” is a big part of the BASIC program given the current state of the economy and lack of resources by many airports to be able to voluntarily install new access control systems.

Despite the fact that implementing biometric hardware for an access control system may be the most important step in the BASIC process, Beckman says that it is the last phase of the pilot and that many other things have to be taken into account before it can be accomplished — including the compiling of biographical information in an acceptable format to the government, exchanging biometric information and trying to determine what type of biometric to use. “We’re trying to pull all those processes together and make them more functional,” she says.

Interoperable Credentials

Another consideration that BASIC coordinators are taking into account is the TSA’s idea to create the Airport Credential Interoperability Specification (ACIS). The goal of ACIS is to create a credential for airport workers that would be interoperable at airports across the country using contactless RFID technology. Following an outcry from the airline industry, the program was shelved by the TSA; and instead the agency and the security industry is now working together on the BASIC pilot. To satisfy some of the goals the TSA had in creating ASIC, however, Beckman says that BASIC is incorporating some of the ideas from ASIC at its pilot locations.

With more than a year of work already put in on the pilot project, Beckman, who characterizes the process as “tedious,” says that the program is still ongoing and indicated that airports are choosing their own path to get to the standard end-state, which is the issuance of a biometric credential based on an employee’s fingerprint. Most airports, according to Beckman, are still in the initial phases of the pilot.

“The thing that is really unique about this program is individual airports are picking their own paths; so how one airport does it might not be the way another airport does it,” Beckman says. “The other piece that’s really important is the size of the airport. The bigger airports obviously have more assets and more people. When you get to some smaller airports, the same person that plows the snow and picks the dead bird off the runway is the same person who issues the badge and there’s no one else to do it. We’re still trying to work out those issues — how to keep consistency without hurting the smaller airports that don’t have the extra people to carry out these processes.”

Since airports already take fingerprints as a part of the vetting process prior to a person’s employment, there have not been any issues with BASIC as it pertains to the vetting of employees. All of the work is essentially being done on taking those fingerprints and turning them into a credential that can meet the standards of both airport security and the TSA.

Establishing a Benchmark
Morris adds that one of the benefits of the BASIC program is that it allows all participating airports, regardless of size, to communicate with each other and see what types of biometric access control systems are working best at different facilities.
“I think that there is a varying degree of implementation or planning for biometric use in the airport environment,” he says. “One of the biggest values of the BASIC consortium is that these airports can share best practices with each other and gain a better understanding of what works and what doesn’t. Part of the value of (BASIC) is that it covers that broad spectrum (of airports) and allows those who have already gone through it to share those lessons learned with those who haven’t yet; and for those who have gone through it to baseline their type of operations to a common approach with others who are in a similar phase of implementation.”

Though neither the BASIC committee nor the TSA has established any type of hard deadline on when airports should have a biometric framework in place, Morris says that it will probably be the next step in the process. Given the variety in size of the airports involved in the pilot, Beckman says that no timetable has been set on when a standard biometric framework should be in place at the participating locations.

“We’re moving forward and creating the paths to get there. I think you will see the bigger airports online sooner than a small airport that maybe doesn’t have the resources to get to that point,” Beckman says.

Though the TSA declined to discuss any details related to the BASIC program, the agency did say in a statement that it “encourages” airports to be proactive in implementing biometric access control and credentialing systems.

Government Mandates

Despite the advancements being made in credentialing security through BASIC, Richard Duncan, CPP, aviation security director for Hartsfield-Jackson International Airport in Atlanta, believes that government mandates may be required for many airports to jump on board with the installation of new access control systems, especially considering the current economic climate in the country.
“I know the (BASIC) group has been working for quite some time,” Duncan says. “We have representatives on the BASIC working group, but it will still require some type of proposed rule making (by the government) before it can be implemented at the airports because of the costs associated with securing the materials for that program.”

Duncan says that getting airports to voluntarily install this equipment would be a tough sell unless they could obtain federal grants. He added that it is also too early to tell what kind of impact BASIC will have on the airport industry as a whole. “I think it’s too early to even begin to say how it will effect (airport security) because the program has not really been developed to the point where we know how it’s going to be applied at the airports,” he says.

The costs of implementing a biometric access control system will also give many airport pause, according to Duncan: “If you’re talking about implementing a biometric type of access control system at an airport, then that will be very costly to do because you would have to redo your access control system,” he says. “But if you’re just looking at using your FIPS-201 cards as part of your access control system, then that is not that difficult for some airports.

“Biometrics will give you another level of security that will clearly identify the user of the (ID) badge and control who has use of the badge,” Duncan continues. “Currently, most airports use a badge plus a PIN number, which if a person maintains control of the PIN, no one else will be able to use it. Biometrics takes it one step further — unless you have the biometric, you can’t gain access, but that is just one layer of security at airports.”

Lessons Learned
Going forward, both Morris and Beckman say that the industry can take solace in the vast amount of knowledge that has already been gained from this pilot project — especially the need to further reinforce internal security measures.
“I think a number of things have been learned (during this pilot project),” Morris says. “The importance of the alignment of TSA technical process with airport processes is absolutely key. The development and deployment of these types of technologies at airports is complex and almost completely facility-independent. A common framework that is facilitated by an industry group is absolutely essential to the success of biometric deployment at airports.

“Simply said, each airport fundamentally does the same thing, but they do it in a different way. The main goal is base-lining that ­— standardizing in a way that can comply with TSA data requirements and regulations but still maintain flexibility for them to deploy these systems in way that makes sense and is most efficient,” Morris adds.

Beckman says that she is encouraged by the number of airports that are already using biometrics when it comes to access control: “There are a lot of very good practices out there and we are able to take lessons learned from them. If somebody has already deployed biometrics — and there a lot of airports that do — some of them have had them for years and they may not meet some of the same criteria that the TSA uses in its badging standards, but they can be converted,” she says. “We are spending a lot of time talking with those facilities on how they got to where they’re at and what some of their lessons learned were so that as a group, we can take advantage of those lessons and not go down a path that causes problems.”

Once a proper biometric framework is in place and the airports have installed the necessary equipment, Morris says the benefit to security will be tremendous.

“I think the value is that you have a higher assurance of identity on the people who need to be the most trusted in the system, which are the workers that have badged access to sensitive areas of the airports,” he says. “We want to continue to increase security, but we also want to increase efficiency as the system continues to grow and the threats that we are addressing continue to evolve.
“Really, we need to strengthen the ways that we look for bad people,” Morris concludes. “If you add a biometric to a credential, you are tightening the assurance that the person who is using that badge is exactly who they should be — and that’s valuable. It saves money in the long run and makes the system more secure.”

Joel Griffin is assistant editor of SecurityInfoWatch.com.