The Security Series: An airline’s perspective on crisis management
Former Security Manager, easyJet, David Henson, considers whether our procedures could have prevented the recent attacks against airports…
Welcome to our last feature in the ‘The Security Series’ from International Airport Review, that has reflected upon matters of aviation and airport security with interviews and opinion pieces from key industry leaders and experts…
Crisis management is, in many ways, about managing threats and vulnerabilities through sound procedures using both technology and human intervention. Aviation Security Consultant and former Aviation Security Manager at easyJet, David Henson, considers whether our existing procedures could have prevented the recent attacks against airports and aircraft.
The scale and variety of attacks against aviation over the last three years has been remarkable. Ranging from the loss of Malaysia Airlines flight MH17 shot down over the Ukraine in July 2014, to the Germanwings pilot who purposely flew into a mountain in March 2015, to the bomb attacks at Brussels and Istanbul Airports in 2016. These events happened over very short timescales, but have a significant long-term impact.
As events occur, the speed and detail broadcast on both mainstream and social media can overwhelm us. The public’s thirst for information invites the media to make educated guesses and ‘expert’ speculation on the flimsiest of evidence. This can lead to a confused and inaccurate picture. Eye witnesses struggle to keep to facts, particularly where an event is shocking and their recollection is based on a mix of what actually happened, overheard witness accounts and their expectation of what probably happened.
When a new threat emerges, or in the event of an attack, our first task is to decipher what actually happened and the nature of the new threat. The initial picture is frequently gained from open source media and cross-checking different media outlets. However, it can take several days before more formal and verified updates are provided. In cases where the event occurs in countries without open reporting structures, what actually happened and any lessons learnt may never be disclosed.
The loss of the MetroJet aircraft in North Sinai, Egypt, in October 2015 is suspected to be an act of terrorism and probably the result of insider action, yet a year later we still have little information to assess and use to take action.
The security management challenge in dealing with a crisis following an attack or an emerging threat is to resist the demand from media, government and company executives for an immediate implementation of further security layers. It is essential to first understand why the existing measures did not prevent an attack and, if further measures are deemed necessary for a new or emerging threat, a clear understanding of the proposed aims of these new measures is required.
In considering new measures, we need to reflect on proportionality, benefit and cost. We must also review whether there could be any unintended consequences; bearing in mind that once implemented such measures are incredibly difficult to repeal.
In aviation security we now find ourselves in a position where none of the security measures are 100% effective, but are layered in order to deter, disrupt or detect attacks. The measures are frequently based on action taken after an attack, yet layers have become so complex and intertwined that it is now nearly impossible to understand what each measure is intended to achieve.
“Both Brussels and Istanbul were able to quickly recover operations and the risk to airports…”
Following the Germanwings crash, media, commentators and politicians demanded immediate action. Some airlines did take action by mandating the ‘four eye’ rule – a European Commission recommendation which stipulates that in the case of the Captain or First Officer leaving the cockpit, a member of the crew should be present in the cockpit with the remaining pilot – but this policy ended up being very controversial with many airline security professionals. The concern being that placing a cabin crew member in the cockpit, alone with the remaining pilot, could create a new vulnerability that may be a higher risk than the status quo.
Some cabin crew asked for flying instruction on how to land the aircraft and self-defence classes so they could disable the remaining pilot should they show ‘suicidal tendencies’. Some airlines have, however, adopted the rule and developed the policy to address these areas of concern.
The 2016 attacks in Brussels and Istanbul Airports demonstrate the vulnerability of public spaces to attacks. It is reasoned that the international publicity and financial impact on a country is significantly greater at airports than other transport hubs or public places. Both Brussels and Istanbul were able to quickly recover operations and the risk to airports.
Brussels and Istanbul operate significantly different levels of access control to terminals. The assailants in Brussels were able to carry out the attack unarmed and had time to select the point of attack. Conversely, all persons entering the airport at Istanbul are screened. The attackers were quickly compromised by the police, resulting in one of the bombs being detonated in the car park, saving further significant loss of life.
Following the attack in Brussels, the call for immediate action needed to be carefully considered, rejecting calls for entry-type screening. Whilst screening on entry to the airport terminal does help protect the terminal, it can create an even more crowded place outside the terminal, essentially just moving the area of vulnerability. The way forward is probably to improve the efficiency of central search to reduce dwell times and move people past the screening point.
“As events occur, the speed and detail broadcast on both mainstream and social media can overwhelm us…”
The loss of MetroJet, referenced earlier, is probably far more significant than we first thought. Whilst all ICAO member states will have security programmes that, on paper, reflect the requirements, there are doubts about operational effectiveness. Airlines are not permitted to audit airport security, particularly where the security function is undertaken by the police, yet they probably have more varied experience of auditing airports than the state regulator or airport security. Airlines, instead, are required to trust that state, ICAO or EU audit programmes are effective. However, as airlines fly into such a wide range of airports and countries, it quickly becomes obvious from casual observation that the standards in some countries are particularly poor.
Under European Regulation, airlines are required to carry out quality assurance audits on the level of compliance by their staff and contractors with regard to the security regulations. However, on hearing an airline is going to undertake a security audit of its own security operations and procedures, some states and airports will raise objections. As part of their due diligence, airlines are required to understand the levels of vulnerability to their operation, yet audits of airport security are very unwelcome.
ICAO standards are a baseline and in many cases these levels are not appropriate to the threat within the country. Some countries are not even able to meet the baseline standard. This creates a vulnerability that airlines may have to accept without fully understanding whether the level of risk is tolerable.
A positive step forward is the United Nations adopting resolution 2309 (2016) to ensure that its international security standards are reviewed to address the threat posed by terrorists to civil aviation.
Of particular importance is the need to strengthen and promote the effective applications of ICAO standards and recommended practices.The Council called on all States to carry out the following:
- Ensure effective, risk-based measures are in place at the airports within their jurisdiction
- Take all necessary steps to ensure that such measures are effectively implemented on the ground on a continuing and sustainable basis
- Ensure that such measures take into account the potential role of those with privileged access to areas, knowledge or information that may assist terrorists in planning or conducting attacks
- Urgently address any gaps or vulnerabilities that may be highlighted by ICAO or national self-risk assessment or audit processes.
To meet new and emerging threats and deal with vulnerabilities of inadequate security, countries that are unable to deliver ICAO baseline measures to an acceptable standard will need to seek and be given help.
It is essential that a trusting and working relationship between industry and the government exists. Experience has shown that where this relationship is strong, industry is willing to implement additional measures and bear the costs, and much can be gained from airline security managers’ experience.
Perhaps one lesson learnt from airline safety is the measurable change in safety culture. Where there are clear safety issues, there is an expectation that staff will take action, whether dealing with it themselves or reporting the issue. Yet our security culture is a long way from this standard. We all make mistakes and sometimes things go wrong. In the safety world we learn from these errors or mistakes, but frequently security vulnerabilities are ignored in fear that reporting will lead to reprisals.
Technology is always improving and, fundamentally, when correctly implemented our security measures do mitigate determined attacks.
Crisis management is about managing threats and vulnerabilities. In answer to the question; could our existing processes have prevented MetroJet or Germanwings? Possibly not, but an improved security culture may well have made a difference. To manage future threats, we need to encourage and develop a security culture. Staff need to be empowered to report security issues in the same way they report safety issues and those reports have to be dealt with in a positive environment.
And that concludes International Airport Review’s ‘Security Series’. We hope you’ve enjoyed the series and found each article interesting and informative.
David Henson is an Aviation Security Consultant based in London, UK. David recently left easyJet, where he was Aviation Security Manager and has previously served in similar roles for Thomson Airways and Virgin Atlantic. David has also served in the Metropolitan Police where he was on the Senior Management Team responsible for both Heathrow and London City Airports.
The Security Series