Airport Security Week: Interview with Matt Shreeve, Helios
22 September 2016 • Author(s): Roy Manuell, Digital Content Producer
As part of Airport Security Week, looking ahead to Airport IT & Security, which lands at London Heathrow on the 27th-28th September, International Airport Review will be looking in detail at all things security, inarguably one of the industry’s hottest topics at the moment.
Follow us throughout the week as we discuss news stories, issues and challenges facing airports with exclusive commentary from industry experts…
What are the main issues facing airport security at present?
Operating in an ever more complex and uncertain world: safe, secure and efficient operations need increasing numbers of stakeholders to work together, using shared or connected systems, so that the ‘chain of trust’ is long with attackers seeking to exploit the weakest link. At the same time, the range of potential attackers (physical and cyber) seems to be increasing, with new means of attack, so uncertainty and volatility make risk management harder. Complexity and uncertainty is a formidable challenge.
What can airports do to improve their security systems and policy?
A Security Management System is the core of a response. This needs to have effective security governance (i.e. Board level sponsorship). However, policy is insufficient – day-to-day practices on the ground need to be compliant, and there is often a mismatch between policy and practice. Therefore, a rolling programme of audits and tests is also crucial to avoid complacency. Whilst difficult, being open to external scrutiny is a great way to build confidence.
Are airport security improvement and IT solutions inherently connected in the 21st Century, in your opinion?
Yes – physical security and cyber-security are inherently connected. Scanners, cameras, etc. are increasingly networked. This applies to traditional IT, but also simple Programmable Logic Controllers (PLCs) that control physical processes. There are hundreds of thousands of PLCs at every airport, but they are often ‘invisible’ because they are stand-alone components controlling everything from power distribution through air-conditioning and baggage handling. Increasingly they are being networked together, but, as simple devices, they do not have, for example, the intrusion detection or logging functionality required for secure operation. Another example is the revocation of airside passes – IT systems that track current staff feed who gets authorised physical access. The answer is that a holistic approach is needed that appropriately addresses all threats, vulnerabilities and risks.
Could you tell us a bit about the importance of balancing potential benefits, costs and risks in complex and uncertain situations at airports?
Security is a cost of doing business, and strong security can be costly in terms of both direct financial cost and inconvenience to passengers and staff. Therefore a minimal level is necessary, but too much is detrimental. Getting the balance right between security and other objectives is critically important, and a key reason why security should be a board level concern. The risks remaining after mitigations – so-called residual risk – need to be accepted by a representative from the business. This is all made harder by the fluid and volatile nature of security – in the cyber-world you can wake up one morning to find a previously secure system now wide open to attack, or a physical attack in another country can overnight change your threat level. Resilience, speedy responses and flexibility to changing situations are crucial.