Protecting the Zone
Print Issue: January 2004
More than 1,600 employees and 1.7 million passengers passed through London City Airport in 2002, making it one of the United Kingdom’s busiest airports for business travel. Two events in 2001 and 2002 led the airport to conduct a full-scale review of its security procedures and policies. The first was the horrific 9-11 attacks in the United States. The second was a pair of robberies at Heathrow Airport in early 2002, unrelated to terrorism, that targeted security vans within the airport’s Restricted Zone (RZ). The robberies and the terrorist threat led the Metropolitan Police to call for tighter aviation security, with an emphasis on CCTV coverage and access control.
The airport identified the entry points to the RZ as being the top priority for an access control upgrade. London City Airport’s RZ includes passenger departure areas in the airport’s Jet Centre (a corporate aviation facility) and Terminal Building, baggage claim areas, cargo sheds, and mail centers—all of which are collectively referred to as airside areas. Airside cleaning and catering premises are also in the RZ. Only persons and vehicles authorized by the airport manager can enter the zone, including passengers intending to depart from the airport, who are subject to search, as is their baggage. This article focuses on employee access to the RZ.
Before the security upgrade, airport security staffed the entry/exit points to the RZ, visually inspecting the photograph on an employee’s identification pass to confirm its validity. The airport realized through threat assessments and discussions with other practitioners that although no known breaches had occurred, this method created the potential for someone to enter the RZ with a forged pass.
Selecting biometrics. In January 2002, London City Airport began assessing technology solutions that could satisfy its need for enhanced security. As part of this effort, the airport identified a number of key requirements for any potential solution: It had to be cost-effective and flexible, user-friendly, secure and robust, compatible with existing access control systems, and able to comply with industry regulations. These regulations included the Aviation Security Act of 1982, which authorizes the Secretary of State for Transport to issue directives relating to aviation security.
Early in this assessment process, the airport decided that adding a biometric solution to the ID pass system was the strongest option. The use of biometric technology would definitively answer the question “Is this person who he or she claims to be?” Based on data derived from direct measurement of a part of the human body (such as fingerprints, iris, hand, or face), this method would allow London City Airport to create a unique identifier that could be electronically stored and retrieved for positive identification of any employee seeking access.
The author, who is operations director for the airport, along with other members of the security team, carried out an extensive technology assessment process that included research into each biometric technology’s effectiveness. The team found a report from the U.S. General Accounting Office on the application of biometrics in border security sites to be especially useful for their purposes. In addition, they talked directly with manufacturers and users.
After many months of assessing various available technologies, the airport selected Daon, a biometric identity-management company headquartered in Dublin, Ireland, as its biometric provider. London City Airport’s security team then worked closely with Daon to design a system that would incorporate the company’s biometric authentication engine into the airport’s existing infrastructure to avoid the cost of installing new equipment and cable.
Daon’s system offers a range of authentication methods, including fingerprint, iris, and facial recognition. Fingerprints were chosen as best suited for London City Airport.
Installation. To ensure a successful deployment of the system, the airport coordinated partnerships on several fronts. For instance, to handle implementation and maintenance of the new system, the airport set up a group that included the airport’s security staff, the identification room staff, IT administrators, Daon, and other third-party contractors. Daon was responsible for implementing its own biometric access systems, while the other contractors were responsible for deploying and maintaining the airport’s physical access infrastructure, including the photo ID cards.
As a part of the project, three IBM eServer xSeries servers running Microsoft Windows 2000 Advanced Server were deployed to host the new security solution. These servers host the database, application, and connector functions of the biometric system. At each of the locations being secured—the three entry points to the RZ, the exit gate from the Jet Centre, and access points to the first floor of City Aviation House (a separate building where the airport’s administrative offices are located)—new Bioscrypt V-Prox proximity card readers, which incorporate a capacitance biometric fingerprint reader, were installed for use as the primary fingerprint reader. These readers were interconnected via a fiber communications backbone with local Ethernet-to-serial bridging.
Steering committee. At the start of the project, the airport assembled a steering committee composed of airport executives—including the director of operations; security, operations, and technology managers; and legal, human resources, and public relations staff. The formation of the committee would prove to be a key decision, as it led to a smooth installation process with good communications and coordination among all internal and external parties, as well as minimal interruptions to ongoing airport operations.
Project plan. One of the first tasks for the steering committee was the preparation of a project plan that included both a budget and financial controls. Once that was completed, regular project progress meetings were conducted at the airport, and weekly communications between the project manager and other participants kept the effort focused and on track.
User education. Vital to the successful acceptance of the new system was user education. The airport wanted to handle this step in a proactive fashion and thus invited representatives from all of the organizations employing some 1,600 staff members who would ultimately use the access control system, along with other interested parties, to a briefing. At the meeting, airport management discussed the technology and the implementation plan. The staff also received an e-mail about the project that attempted to address anticipated questions. Following the meeting, all staff members received a further e-mail updating them about the proposed security changes and including a list of frequently asked questions.
In addition, the airport’s security protocol and standard operating procedures were updated to include the new access control issues, and they were made available to all staff members. The data protection declaration for the airport was also updated and provided to staff: An acceptance and permission form was prepared, which outlined how the system operates and how the data are stored. Each staff member was required to sign this form before being enrolled in the system.
Test run. A trial of the biometric system was conducted at City Aviation House so that staff had an opportunity to see a standalone device in operation and to volunteer for enrollment and verification exercises. This test helped demystify the technology before the final communication meetings and enrollment took place.
Government notification. In addition to keeping employees fully apprised of the access control changes, London City Airport also had to communicate externally to meet government mandates. All airports in the United Kingdom are required to notify the Department for Transport whenever a new security system is installed.
In this case, the Department for Transport already had a biometrics working group in place, and London City Airport informed the Department for Transport’s principal officer of its intention to deploy this technology. Because the system would be part of the infrastructure that restricts access to the airport’s RZ, the Department for Transport would have to grant approval before the complete rollout of the system could take place.
To this end, the airport, Daon, and the implementation project manager gave a formal presentation before the Department for Transport’s representative in November 2002, explaining the proposed project and answering any operational or security questions. The Department for Transport approved but asked to be kept informed about the project’s progress.
Additionally, the airport took advantage of existing relationships with the various control authorities (Customs, Immigration, Metropolitan Police, Special Branch, and Port Health). Regular meetings were held to discuss topics of interest and to brief each other on new initiatives, requirements, and other issues. The new biometric physical access system was of particular interest to these authorities because it raised a number of privacy, security, and identity protection questions.
Enrollment. In February 2003, all employees eligible to access the RZ were required to enroll their fingerprint templates into a biometric database, which is maintained separately from the existing security-pass database. The only information stored in the biometric database is the employee’s name, ID pass number, and fingerprint template.
During the enrollment process, the airport’s identification room staff took templates of four different fingers for each enrollee, to allow flexibility in access. The process took approximately five minutes per person and occurred during the weeks leading up to the switchover to the new system. All of the organizations within the airport that require access to the RZ—including airline flight crews, handling agents, janitors, maintenance technicians, and retail and catering staff—were allocated time slots to enroll their employees.
When eligible employees try to access the RZ now, the new card reader requires them to present their ID passes to the proximity reader. The system reads the card and looks for the pass number. Employees then place one of their four enrolled fingers onto the biometric scanner. A separate message is sent to the biometric database, requesting that it compare the ID pass number and the stored fingerprint templates against the finger scanned by the reader. The biometric database confirms whether there is a valid match, and the reader displays either a green (approved) or red (rejected) light. This process takes approximately two seconds.
The reasons why a pass might be rejected go beyond discrepancies between the fingerprint and the ID card or poorly enrolled fingerprint templates; for instance, an ID pass might have expired. Also, training that must be attended on an annual basis (such as ramp safety, fire awareness, or security awareness) is linked to the system. Failure to attend a refresher course within a specified period results in the suspension of an employee’s ID pass and a revocation of his or her authority to enter the RZ.
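The access decision described above can be sketched as follows. This is an added example, not code from the article, the airport, or Daon. The record layout, the threshold, the sample passes and dates, and the set-overlap score standing in for a fingerprint matcher are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

MATCH_THRESHOLD = 0.6  # assumed value; a real matcher's threshold is vendor-tuned

@dataclass
class PassRecord:          # security-pass database entry (hypothetical schema)
    pass_number: str
    expires: date
    training_due: date     # date by which the annual refresher must be completed

# Constructed sample data. The pass database and the biometric database are
# kept as separate stores, as in the article.
PASSES = {
    "P1001": PassRecord("P1001", date(2004, 6, 30), date(2004, 3, 1)),
    "P1002": PassRecord("P1002", date(2003, 12, 31), date(2004, 3, 1)),
    "P1003": PassRecord("P1003", date(2004, 6, 30), date(2003, 11, 1)),
}

def fingers(start):
    """Four constructed templates (sets of feature ids), one per enrolled finger."""
    return [frozenset(range(start + 20 * i, start + 20 * i + 20)) for i in range(4)]

TEMPLATES = {"P1001": fingers(0), "P1002": fingers(100), "P1003": fingers(200)}

def similarity(a, b):
    """Set overlap, a stand-in for a fingerprint matcher's score."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def decide(pass_number, scanned, today):
    """Return (light, reason). The reader shows only the light; the reason
    is for the audit log. Every path that is not an explicit match is red."""
    record = PASSES.get(pass_number)
    if record is None:
        return "red", "unknown pass"
    if today > record.expires:
        return "red", "pass expired"
    if today > record.training_due:
        return "red", "pass suspended: training overdue"
    # 1:1 verification: compare only against the templates enrolled for the
    # presented pass number, never against the whole database.
    enrolled = TEMPLATES.get(pass_number, [])
    if any(similarity(scanned, t) >= MATCH_THRESHOLD for t in enrolled):
        return "green", "match"
    return "red", "fingerprint mismatch"
```

A card carrying a valid pass number is rejected unless the finger presented matches a template enrolled for that same number, which is the forged-pass risk that visual inspection of the photograph left open.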
Privacy protections. Access to the biometric database information is restricted to designated personnel within the airport’s security and IT departments (for maintenance). The biometric database, which stores only the employee’s name, ID pass number, and fingerprint template, is installed at the airport and is not accessible from any other network. Additionally, this biometric information is encrypted using the U.S. Government’s FIPS-140 Level 4 standard.
London City Airport is also required to ensure that the biometric database as well as the security ID pass database be operated in accordance with the principles set out in the United Kingdom Data Protection Act of 1998. The act distinguishes between personal data and sensitive personal data and sets tighter conditions for processing the latter. Sensitive personal data includes information such as racial or ethnic origin, political opinions, religious beliefs, union membership, health, or criminal history.
London City Airport’s biometric system is a closed application and does not exchange information with other systems or organizations. Specifically, it is not linked to police or government databases (such links might be added if legislation were to change). In addition, a Code of Practice for the system—which discusses what the information is used for and to whom it might potentially be made available—is issued to each employee enrolled in the system and may be viewed by any member of the airport staff at the ID pass office during normal working hours. Furthermore, to ensure that no unauthorized changes are made to the central database, electronic signatures are used to guarantee data integrity; each transaction requires the enrolling officer to confirm his or her identity through the biometric scanner.
Future plans. The airport now plans to examine other uses for the biometric technology to further assist in preventing unauthorized access to the airport properties. Using the existing identity management infrastructure, for example, London City Airport intends to introduce biometric logons for all desktop systems in the airport and integrate the system with common-use platforms at the airport, such as check-in systems and x-ray screening machines.
The airport also plans to participate in registered traveler trials, such as those aimed at frequent fliers or preferred travelers, for border entry management. It also hopes to participate in general passenger-processing border control and entry/exit projects for the United Kingdom.
The Department for Transport is monitoring trials of biometric systems at other airports. Meanwhile, the European Commission is considering financial support for some border-control projects that would use iris and facial recognition technology.
Lessons learned. The airport has been generally pleased with how the biometric technology works. Some staff have encountered problems with access, but this has been linked to poor enrollment data or the failure to present a finger properly. The ability to match fingerprints depends crucially on the quality of the original fingerprint taken, and the electronic scanners used require staff to be trained to ensure that fingerprints are properly scanned.
Initially, London City Airport experienced some problems with the quality of the enrollment data, and many staff members who enrolled at the beginning of the process have had to return for rescanning. The airport now realizes that the staff who do the enrolling should be well trained up front.
The system has increased the level of security controlling access to the RZ at the airport, reduced the risk of identity fraud, and enhanced user confidence in security. These immediate goals are ones that should be kept in mind when enhancing the security procedures, policies, and practices at any airport around the world.
Alan Medlock is the operations director for London City Airport. He was responsible for the project to assess and deploy biometric technologies at the airport in 2003.