Andy Blackwell and John Wood of 3DAssurance discuss how to build a holistic solution to protect passengers at the airport and the surrounding public areas.

Introduction

Aviation security is not a simple process of guarding by security officers: passenger – and public – protection is made up of a wide-ranging set of actions and responsibilities on the part of a wide range of people. The best airports co-ordinate these into a holistic ‘system’ of people, processes, behaviours and technologies: the Security Management System (SeMS).

In fact, all airports have a SeMS, although they may not call it that: as we will see later, they have the majority of the SeMS components and need only to enhance or exploit them to make it a comprehensive and effective SeMS.

The US Government 9/11 Commission reported that

“We believe the 9/11 attacks revealed four kinds of failures: in imagination, policy, capabilities and management”.

These findings of the 9/11 Commission remain as relevant today as they were then, and the focus of passenger protection through the SeMS should be elimination of those blind spots.

Threat landscape

The magnitude and frequency of disruptive events impacting civil aviation since 2016 highlights the unhealthy fascination terrorists and other bad actors retain in civil aviation. In 2021 Anti-terrorist police in Kenya warned that al Shabaab, a deadly affiliate of al Qaeda, had embarked on training pilots for an international aviation attack, as a way of avenging airstrikes against them in Somalia. 2021 also saw 20 Mai-Mai militants being arrested in connection with an alleged plot to attack Beni-Mavivi Airport in the Democratic Republic of the Congo.  A woman was arrested in Belgium (in 2021) on suspicion of gathering intelligence on Israeli targets at Brussels Airport. 

Aviation remains an iconic terrorist target.  The incidents to follow show some notable attacks against the sector:

2016      Pudong International Airport, China. A man detonated a homemade explosive device at Shanghai’s Pudong International Airport, injuring 5 people, including himself. The blast occurred at 2:20 pm in the check-in area of Terminal 2. Police reported that the man took homemade explosive materials in a beer bottle out of his backpack and threw it at the ticket counter. After the bottle exploded, the man took out a knife and slashed his neck, inflicting serious injuries. The suspect was said to be mired in gambling debts.

2016     Atatürk Airport, Turkey.  Gunmen armed with automatic weapons and explosive belts staged a simultaneous attack at the international Terminal 2 of Istanbul’s Atatürk Airport. 48 fatalities, including the 3 perpetrators, and over 230 people injured. Turkish authorities reported that the attackers were acting on behalf of the Islamic State of Iraq and Levant.

2016     Zaventem Airport, Belgium. Coordinated suicide bomb attacks in the landside area of Zaventem Airport near Brussels, killing 34 (including those at the Metro Station). The Islamic State of Iraq and Levant claimed responsibility for the attacks.

2017      Fort Lauderdale Airport, USA. A mass shooting by a lone gunman, using a semi-automatic pistol, near the baggage claim in Terminal 2 at Fort Lauderdale Airport resulted in the death of 5 people, and 6 others being injured.  36 people were also injured in the ensuing panic. The gunman was said to be suffering from mental health issues and the attack was not classified as a terrorist incident.

2017     Sydney Airport, Australia. An Islamic State plot targeting an Etihad aircraft at Sydney Airport using a viable IED concealed in a meat grinder. The plot was thwarted by security agencies.

2018     Intercontinental Hotel, Afghanistan. 35 Kam Air employees were at the Intercontinental Hotel in Kabul, Afghanistan when Taliban gunmen opened fire on guests and employees, killing at least 20 people including 9 Kam Air staff.

2021 –  Hamid Karzai International Airport, Afghanistan. A deadly suicide bombing outside Kabul’s Hamid Karzai International Airport resulted in over 185 casualties including 13 US service personnel. The terrorist group ISIS-K claimed responsibility for the attack.

2021 –  Camilo Daza International Airport, Colombia. Two bomb blasts killed at least 3 people at Cúcuta’s Camilo Daza International Airport. The first blast occurred at around 0530 hours as an individual, carrying an IED attempted to climb over the airport’s perimeter fence, triggering the device’s detonation.  The explosion killed the perpetrator.  A suitcase then exploded at around 0650 hours, killing 2 police officers as they examined it.  The Colombian Defence Minister intimated that the terrorist acts were likely committed by Colombian rebels based in Venezuela.

2021 –  Aden International Airport, Yemen. 25 people were killed and 110 injured when an explosive-laden vehicle detonated near the main gate of Aden International Airport.  Yemen’s Supreme Security Committee said that the attack was carried out by a Houthi-backed terrorist cell.

2021 – Khwaja Abdullah Ansari International Airport, Afghanistan. A passenger passing through security screening at Herat’s Khwaja Abdullah Ansari International Airport, was found in possession of a viable improvised explosive device concealed in a musical instrument (Rubab). The passenger, an Afghan National, planned to detonate the device on a domestic flight between Herat and Kabul.  The device consisted of a grenade, RDX material and chemicals.

In addition to terrorists’ interest in civil aviation, airports are often the transit points for drug trafficking and transnational organised crime.  Airports also attract local criminal activity.

According to the United Nations Office on Drugs and Crime (UNODC), such illicit flows have a direct impact on city safety. In this context, the Airport Communication Project (AIRCOP), a UNODC, World Customs Organisation (WCO) and the International Police Organisation (INTERPOL) initiative aims to enhance the capacity of international airports in the detection and interdiction of illicit trafficking and suspicious passengers in origin, transit and destination countries.

Although reported crime rates at airports are low, it is important not to be complacent, as not all crimes get reported to the police. Due to difficulties in determining the actual location of crime, many baggage thefts are recorded as losses and dealt with by way of insurance claims. The same is true of air cargo theft/losses.

Media reporting in 2018 suggested that crime at or in the vicinity of UK airports had doubled – with vehicle crime and weapons among the types of crime to have increased. The increase in weapons crime was largely due to all police forces having to adhere to a change in the way they recorded the seizure of CS sprays, small knives, air soft weapons and air rifles under the National Crime Recording Standards.   The rise in vehicle crime was partly due to some car parks away from the airport perimeter being included, and the growth in popularity of keyless technology, making it easier for thieves to access and steal vehicles quickly. 

Although acquisitional crime is often discussed, more significant for travellers perhaps is crimes against the person. In May 2022 two women reported attempted sexual assaults at one of Detroit Metro Airport’s car parks.  Police investigations continue and patrols have been stepped up in the area.

Attack methodologies

Terrorists

Since its very formation, the aviation sector has been subject to a wide range of terrorist attacks.  Some of the more notable ones include: the 9-11 attacks where aircraft were used as weapons and targets; suicide attacks involving person-borne improvised explosive devices, bombs cleverly concealed in underpants, printer cartridges, a musical instrument and a meat grinder; placed items, and shootings. Perpetrators have used high-tech and low-tech approaches, and the ingenuity of the attack method is limited only by the imagination of the perpetrators.

Organised crime

In 2021, a member of the United Nations gang was killed in a shooting outside the domestic departure building at Vancouver International Airport in Canada.  Sources reported that those involved in organised crime arrange meetings at the airport as it was considered safe territory. Organised Crime Groups (OCGs) are involved in the trafficking of people, and smuggling weapons, drugs and other prohibited and restricted commodities through airports.

Baggage thieves and pickpockets

Airports provide rich pickings for baggage thieves and pickpockets, with many teams travelling internationally to operate. The situational awareness of travellers is often reduced when they are in the stressful environment of airports, making them easy targets for professional criminals.  Congestion at airports, as is currently being experienced due staff shortages, can also create an easier environment for thieves to operate. Thieves often access and egress the airport via public rail/metro networks. 

Assaults, robberies and offences against the person

A study in the US revealed that although airports may feel safe to travellers due to the presence of police and security personnel, surrounding neighbourhoods are often poor or deprived with a higher likelihood of crime including thefts, assaults and robberies. 

In fact the chances of being robbed or assaulted on the way to and from the airport exceed the national average. The risk of becoming a crime victim outside 28 of 29 airports located in the largest metro areas in the US is four times greater than the national average.

Insider threat – increasing threat and disgruntled staff/financial distress

People can be an organisation’s greatest asset or weakest link, and the impacts of the pandemic on mental health and wellbeing have presented both risks and opportunities.  The increase in strikes and protests affecting the sector highlights the importance of maintaining harmonious industrial relations to reduce the risk of disgruntled staff, which can often be a trigger for hostile insider activities. Criminal gangs target insiders in airports seeking to exploit their knowledge and access.

Protecting passengers – the challenges reported by clients

A major part of protecting travellers is preparing and equipping them to help themselves and we see the same challenges time and time again.

First, it is not easy to establish a positive security culture – people’s attitudes and behaviours – so that everyone recognises the part they have to play in protecting themselves and others around them.

Then there is the issue of acquiring knowledge of the threat picture and managing the risk with a robust process that is proportionate and timely and avoids creating unintended consequences, such as panic and injuries in an evacuation.

The third challenge is information gathering and sharing: prompt communication to keep travellers informed and to receive information from them without creating undue alarm or overloading them with information. This includes maintaining dynamic knowledge of travellers’ itineraries to make it possible to account for them when a threat or incident occurs.

All of this assumes of course that the basic security arrangements on which passenger protection is to be built are themselves sound, so the fourth challenge is to ensure the security management system is robust.

Responsibilities for protecting passengers and public

Several groups of people at the airport have responsibilities for protecting passengers and public.

First, the direct accountability for effective security is held by the board and directors, with the responsibilities delegated to security managers and the security teams including physical and cyber security.

The next group is responsible for directly supporting the security team. These are the providers of equipment, supplies and services including contractors. The corporate office, (HR, legal/procurement, finance, business planning, risk management et cetera) can also be thought of as providers of services to the security team. Also in this group are people who have their own frontline role but coordinate with security: some airport staff, airline staff, the police, border and customs officers. A good example is Project Servator – a policing tactic that aims to disrupt a range of criminal activity, including terrorism, while providing a reassuring presence for the public.

There is another specialised group of providers whose job is to build the future of the business: the strategy managers, project sponsors and project personnel including designers and specifiers of systems, and project managers. This group is required to “design for security”, making sure that their initiatives take account of security requirements – for example the design of a new terminal.

The last, but very definitely not least, group is everyone including for example cleaners, retail staff, bus drivers and other transport staff, “meet and greeters” and any other members of the public on site. It also involves all airport staff, including those who may be in one of the groups above, the managers, the planners and the corporate office. This group must maintain awareness and vigilance at all times to protect themselves and others. The “See it, say it, sorted” mantra is often used to remind this group of its role.

Protecting passengers: the Solution

The Critical Success Factors

In our experience, there are several key requirements for the protection of passengers, which any solution must fulfil. The foundation should be constant monitoring of the threat landscape. Intelligence can be gathered from government and industry sources and the wealth of open-source information, obviously with the need to qualify and corroborate.

In turn, this enables the organisation to make informed judgements about threat and risk to feed an effective risk management mechanism.

The third key requirement is governance, supported by education and leadership. The governance mechanism determines the security objectives, defines accountabilities and allocates responsibilities for security. Education and leadership promotes security awareness and the required behaviours – the security culture.

The next factor is a set of resources including pre-travel communication, post travel and instant debriefing and in country support through systems and tools such as location tracking, alerts and emergency communications.

The fifth requirement is an incident response mechanism to deal with emergencies including repatriation where necessary. We call this “preparing for the perfectly probable”.

The final requirement is quality assurance and audit/inspection of in country locations and services such as hotels, car hire or medical facilities.

Laying the foundations: the Security Management System (SeMS)

Those Critical Success Factors illustrate the breadth of activity required to achieve true passenger protection. The threats and the challenges are so diverse and fluid that there is no simple fix, no one procedure or piece of technology: the solution is a fully rounded collection of processes – in other words a Security Management System or SeMS.

All airports have a security management system, although they may not see it as a SeMS: they have the majority of the components (Figure 1 below) and need only to enhance or coordinate them effectively.

The SeMS protects travellers and the public by not only addressing the obvious threats but also actively anticipating potential new threats. It meets what could be called the 9/11 “requirements” – energising imagination, policy, capabilities and management. The SeMS generates imagination in searching out potential new threats; it establishes well thought out security policies; it provides the resources and capabilities needed; and it facilitates active management and effective governance.

The SeMS does this by developing the Security Culture and Corporate Assurance (Figure 1). Culture is a much-misused word but it really means nurturing good behaviours and practice. Corporate Assurance is certainty of the state of security and level of security risk.

The “good behaviours and practice” of Security Culture are not just about the security team. The whole organisation and everybody else at the airport have a security responsibility, whether it be a direct role in screening or a general responsibility to maintain vigilance and report anything out of the ordinary.

In fact, engaging “everybody at the airport” has become a key element of threat and risk management: the most forward-looking airports engage partners and third parties in their risk assessment groups, but that subject deserves an article of its own.

The SeMS has three themes.

What is Expected of Me?

It reinforces personal accountability for security so people know what is expected of them. This involves management demonstrating its commitment to security, clearly defined roles and responsibilities, provision of education in SEMS principles, and continued communication from management to keep the importance of security front and centre.

How Do I Do That?

The SEMS also establishes robust procedures so people know how to do what’s expected of them. The right resources of the right quality (people, services and equipment) are in place, changes are managed so that security is not compromised inadvertently, and there is a continuous improvement process to take advantage of improvement opportunities.

Are We Secure?

With the accountability, governance and procedures in place, risks and security performance can be managed proactively so people know how effective security really is. Security managers find it difficult to give a meaningful answer when a director asks the question “are we secure”? But where directors are familiar with their organisation’s SeMS they don’t need to ask: they have the answer in front of them.  Threat and risk management (the heart of the SeMS) is robust and agile, a confidential reporting system enables people to raise any security concerns, and the incident response process deals with any issues that threaten security.

For more detail on the SeMS, its themes and components, see our previous articles in the TPSO magazine – “A Football Lesson for Security” and “Reap what you sow” which can be found at www.3dassurance.com/tpso.

The Traveller Protection Project: 10 steps to personal security

With the foundations in place – the SeMS working effectively – we can make use of its processes to take the “ten steps to personal security”. For planning purposes, we find it helps to group the steps into the same three themes shown in Figure 1.

Reinforce governance and communicate accountability

1. Establish and publish a staff travel policy and ensure people understand and adhere to it.
2. Develop and provide security awareness training to supplement the policy and equip people to be vigilant. A useful reminder of the meaning and importance of vigilance is our TPSO magazine article “Situational Awareness: Oblivious or Aware?” which can be found at www.3dassurance.com/tpso.
3. Provide pre-travel briefings.
4. Maintain regular security communications to give a global security overview, monitor the global threat situation and send targeted alerts when incidents occur.

Establish robust procedures

• The operational procedures must include booking facility to ensure people do not bypass the company system. This is essential if the organisation is to be certain of the itineraries of its people, and able to track their location.
• Develop an incident response mechanism if it does not already exist and conduct exercises to confirm its readiness for traveller-related incidents. In particular the agility to invoke the response quickly should be tested.
• The business continuity procedures should be extended to include contingency plans in the event of incidents or emergencies in the locations of its travellers.
• A debrief capability is required to gather information as soon as possible after an incident or any relevant travel, and apply the lessons learnt.

Manage risk and performance

• Establish an active information and intelligence gathering mechanism to acquire global and local intelligence worldwide.
• Extend the threat and risk management process to include global risk monitoring and communication, making use of individuals’ local risk awareness.

Conclusion

“Fully trained and well led people are an organisation’s greatest asset, but if neglected they rapidly become the weakest link.  Responsible organisations grow positive security cultures and use safety and security management systems to provide their organisations with resilience, assurance and peace of mind.”

Travel Assist Group

Protection of passengers is a messy, multi-dimensional network of many responsibilities, activities, behaviours and technology, not individually perfect and not usually marching in step.

Engaging the entire organisation in the importance of security and what each individual can do to maintain security requires more than motivational posters and management edicts. Like finance, safety and quality, the many strands must be organised, co-ordinated and controlled, and the proven way to achieve that is with a SeMS.  

New threats and risks emerge regularly, and the SeMS Framework has been designed to manage these in a uniform way rather than having to respond with new defences each time. There is no better way to protect travellers.

About 3DAssurance

3DAssurance is an independent advisory company specialising in management systems for providing assurance that corporate risks are under control. We provide ready-made and tailored solutions to the corporate challenges in areas such as security, quality and safety assurance. Our team combines many years of practical experience and unique expertise including:

• Authors and pioneers of the UK SeMS framework (CAP1223) recognised as global best practice
• Active research and development of the SeMS methodologies
• Work with airports, airlines, air traffic management, maritime, rail and other critical national infrastructure operators
• UK Government confidants
• Pro-bono support for operators, universities and associations

Andy Blackwell – Director, 3DAssurance

Andy is widely acknowledged as a SeMS and aviation security expert. As Head of Security at Virgin Atlantic, he was the first to implement the SeMS Framework.  Now a leading SeMS exponent, Andy has authored numerous articles on SeMS and security, and speaks regularly at international security events

John Wood – Director, 3DAssurance

John was responsible at the UK CAA for developing the SeMS framework, working with and guiding many industry stakeholders. Experienced in design and implementation of effective strategic change in public and private sectors, John has been a lead designer of numerous governance, risk and compliance systems