Inside & OutAviation Lessons Learned on

Technology Solutions to Enhance Security

Panel Discussion: Don Zoufal; Shayne Bates; Bill McAteer; Richard Duncan; Andrew Velasquez; & Ramon Grado

ModeratorDonald R. Zoufal, C.P.P., ICAO AVSEC PM,J.D., M.A. Homeland Security, M.A. Public Administration

Independent Safety and Security Industry Consultant,CrowZnest Consulting, Inc.don@crowZnestconsulting.comdzoufal@gmail.com

Lecturer,University of Chicagodzoufal@uchicago.edu

Richard L. Duncan, CPP, IAPPrincipal

RL Duncan Consulting, LLC

Former Assistant General Manager, Public Safety and Security

Hartsfield-Jackson Atlanta International Airport

Aviation Lessons Learned on Identity Management and Access Control Systems

Hartsfield-Jackson Atlanta International Airport at a Glance

• World’s busiest and most efficient airport, served 107.4 million passengers in 2018.

• Economic jewel of Georgia, generating $34.8 billion per year.

• State of Georgia’s largest employment site with over 63,000 employees.

• Global gateway to the world with non-stop flights to over 150 domestic and 70 international destinations.

• Small footprint of 3700 acres: • Five runways• 6.8 million square foot central passenger

terminal complex• 30,000 on airport parking spaces • Rail connection to Atlanta central business

district

Logic and Physical Security Convergence

• Challenges • System ownership

• System maintenance responsibilities

• Shared local area networks

• Business

• Security

• Commercial

• Solutions• Determine who owns the system; i.e. IT, Security or

others

• Consider network demands, prefer separate security local area network

• Establish service level agreements between IT, Security and Operations and Maintenance Team

People

ProcessesTechnology

Security System

Airport Identity Management System

• Verifying Identity

• Confirming right to work

• Vetting employees’ background - criminal history records checks and security threat assessments

• Issuing credentials

• Managing credentials’ database

• Ensuring life-cycle credential management

• Other tasks may include:

• Conducting training

• Collecting fees

• Issuing vehicle access permits

Airport Identity Management System

• Challenges• Managing functional stand-alone systems

• Using multi data entry points

• Maintaining separate databases

• Sharing data between systems, manually

• Solutions• Employer representatives’ enrollment

entry point

• Shared databases

• Electronic payment system

• Integrated Identity Management System

Airport Access Control System

• Purpose• Control access to facilities

• Detect unauthorized use attempts

• Monitor usage and movement

• Provide historical records

• Components• Automated Access Control System

• Security staff

• Lock and key control system

• Integrated Identity Management System

Airport Access Control System

• Challenges• Ensuring compliance with life safety codes

• Ensuring compliance with federal security requirements

• Avoiding human factors’ failures

• Securing technical support

• Solutions• Integrate with building management system

• Security compliance and training program

• Service level agreements with IT and service providers

• Integrated Identity Management and Access Control System

Shayne Bates, CPPPrincipal Consultant Stratum Knowledge LLC.

ESRM & Risk Based

Divestment

PartnershipCloud

Connectedness

Business Value Compliance

LeadersAI, Big Data, ML &

Digital Transformation

Increased

Momentum

● Increasing insider threats

● Frequency and complexity of cyber attacks

CYBER SECURITY

PHYSICAL SECURITY

● Terrorism concerns

● Increasing perimeter protection

● Greater Recognition of Insider Threat

PROCESS AUTOMATION

CONTINUOUS ASSURANCE

● Reduction in employee expenses

● Improved resource productivity

● Enabling Extended Security models

PRIVACY ● Maintaining intellectual property integrity

COMPLIANCE ● Satisfying increasing regulatory requirements

● Special requirements in Aviation & Airports

SAFETY ● Protection of people, assets and reputation

COMMERCIAL BENEFITS ● Automated contract administration and compliance

● Mitigating risk of litigation

2005 2015 2016 2017 2018

Security industry starts

replication of functions

of security from

analog to digital.

Process Automation &

Continuous Assurance is

gains momentum in safety,

security and compliance

programs.

IDC prediction:

2 out of 3 CEOs have

Digital Transformation

at the heart of their

corporate strategy.

More than 85% of

organizations have

already started Digital

Transformation projects.

Innovation

decade

ahead

One Decade of Replication to Digital Security Platforms

2019

Where is Your Org?

2014 2019

FBI Delivers

NGI

2015

Airports Targeted

for Rap BACK

Four Years of Delivery and Refinement

2013 2014 20192015

• NGI – Next Gen Identification

• Target Agencies Served

• Record of Arrest and Prosecutions Rap BACK

• New Technology Utilization

• Subsequent Activity Tracking

• Cost Reduction

• Continuous Assurance

Enables

Andrew Velasquez IIIChief Operations & Security Officer

City of Chicago Department of Aviation

Chicago Department of Aviation and the Use of Video Surveillance

Chicago International O’Hare Airport Facts and Figures

• World’s busiest airport--with highest number of aircraft operations 903,747 in 2018.

• Third busiest US Airport in passenger traffic (sixth in the world) over 80,000,000 in 2018

• Four Terminals, Nine Concourses, 191 Gates

• Over 200 Concessionaire locations (restaurants and Shops)

• Seven runways

• Over 22,500 parking spaces

• Light rail station-connection to the City

• 7,225 acres total (1420-acre airfield)

• Over 45,000 badged personnel

Technology -- Integrated Safety, Security & Operations Command and Control Systems

Integrated Safety, Security and Operations Command and Control Systems (ISSOCCS) primarily consists of the following integrated systems:

• Access Control System

• ID Badging System

• Video Management System

• Computer Aided Dispatch System

The OCC Facility

• 30,000 emergency calls, 70,000 non-emergency calls annually

• 40,000 dispatches annually

• Access over 1200 doors, portals, jet ways

• Management of a comprehensive video system

Communications Dispatch Center (CDC)

A dedicated Security Operation Center is currently in development

Video Management System

• Administer and control over 3,000 video surveillance and access control cameras

• Integrates and monitors additional cameras

• TSA (Checkpoints /Baggage)

• UAL (T-1)

• AAL (T-3)

• CICA TEC (T-5)

• ATS (Platforms and cars)

State-of-the-art digital network-based video system

Software-based system

Fiber network

All cameras simultaneously available

All video recorded and stored

Video viewable by any authorized network PC

Video System Growth (Size and Complexity)2005

• 1000+ Cameras

• Analog Control

• Mostly Unrecorded

Present (2019)

• 3000+ Cameras

• Integration between ORD & MDW

• Digital VMS (Verint migrating to Genetec)

• High Resolution Mega Pixel Cameras

• Multiple Stakeholder Access

• Video Request Portal

• Password Reset Tool

• Firetide/Fluidmesh Wireless Backhaul

• Active Directory (users)

Video System Growth (Utilization)

Video Utilization• Exponential increase in Video

Usage• Request from Internal and

External Sources• Security and Non-Security Related

Inquiries• Growing Pressure on Employee

and Contract Staff for Video Content

Current Analytic SolutionsAutomated License Plate Recognition

• Location: Access to core area

• Cameras on access ways real-time plate reads

• Linked to Chicago Police database for wants and warrants

• Programmable to add vehicles of interest

Video Analytics

• Intelligent, alarm-based video

• Tripwire, loitering, and queuing analysis

• Locations: Checkpoints, Approach Roadways & Ticketing Lobbies

Future Analytic Solutions

Facial / Object Recognition Solutions• Looking at general surveillance solutions

• Real-time capabilities

• Forensic capabilities to address data search requests

• Legal and ethical challenges

• Availability of comparative data

• Public concerns over “Big Brother”

Summary

A Complex Environment Multiple Stakeholders

Physical Screening of Employees

Bill McAteer ACE, CPP

Account Executive

Evolv Technology

bmcateer@evolvtechnology.com

425.449.2692 cell

GSX Booth 786

The Threat

• Hartsfield-Jackson Atlanta International Airport Gun Smuggling Incident – 2014• More than 153 guns recovered • Employee bypassed TSA checkpoint entering via

employee portal

• Fort Lauderdale International Airport – 2019• Contract maintenance worker hid gun in ceiling• According to the complaint, Homeland Security says

there's probable cause to believe he "knowingly and intentionally" avoided the Transportation Security Administration's airport screening and security protocols.

Employee Screening

• No mandate by TSA for physical screening of employees

• TSA deploys ATLAS (Advanced Threat & Local Allocation Strategy) Teams to conduct enhanced screening

• Several airports have voluntarily instituted screening• Random

• TSA-like

• Advanced Technology

• Risk Based Security (RBS) approach

The Old Way of Screening

• Old Technology – slow, burdensome & demeaning

• Need to Divest

• Can’t screen bags

• Not consistent with RBS Principles

• Adversely affects guard performance “white noise”

The Future of Screening• Combining multiple sensors –

Millimeter Wave, Metal Detection

• Integrated Facial Recognition

• No need to divest - Focused on real threats

• High Throughput Capabilities –Just walk through

• Smart Technology leveraging Artificial Intelligence (AI) and Machine Learning (ML)

Ramon Grado, CPP, MIB

Ramon.grado@rightcrowd.com

(817) 917-2578

Developing a Security Culture through the Unified Application of Technology, People and Processes

Executive Summary• Information Security is modeled on Confidentiality, Integrity and Availability

• Physical Security is modeled on Deter, Detect, Deny, Delay, and Defend

✓ Both rely on the mix of Technology, People, and Processes

✓ Both share a focus on controlling ACCESS and AWARENESS

✓ Both succeed only by developing a SECURITY CULTURE

• Today there are more options than ever to help you enhance your Security Culture. The key is to improving your Security Culture is to increase the visibility and enhance the management of people entering your airport or place of work. Consider the emerging application of Presence Control.

Security Models – Complementary or not?

Detect

Deter

Deny

Delay

Defend

Access as a function of the Three-Legged Stool

People

ProcessesTechnology

Is it available?Is it user-friendly?Is it flexible?Is it compatible?Does it eliminate human error or exacerbate it?Does it provide an ROI?

Are they known?Are they trusted?Are they authorized to have access?Are they trained/accredited?Are they accounted for at all times?

Are they known (available)?Are they legal/compliant?Are they current or outdated?Are they respected?Are they helping you grow the Security Culture you want?

Are your people, technology and processes valued?

Values are essential to developing a Security Culture

Source: ESRM Guideline, ASIS international, 2019

What can we learn from the move to the cloud?

Source: 2019 Cloud Security Report sponsored by (ISC)²

Compliance is a problem

What can we do to help drive compliance?

1. Make security everyone’s responsibility

2. Focus on Awareness

3. Increase use of visual cues (“See something, Say Something”)

4. Regularly review your processes

5. Enhance data management by eliminating silos

6. Consider the use of Presence Control

How does Presence Control help drive compliance?

PEOPLE

PROCESSES

TECHNOLOGY

Presence Control = Real Time Awareness and Visibility

Use visual cues to support Awareness and SSSS programs

Presence Control increases your “Defense in Depth”

Considerations:

• Flexibility: change happens

• Cost: leverage your existing infrastructure & PACS

• Communication: two-way is better than one-way

• Visibility: active badges, tethering, security wearables

• Management: ease of use

Secure architectureActiva

tio

n &

Tra

ckin

g

APPLICATION

No

tifica

tio

ns &

Au

the

ntica

tio

n

CORE

Manage users and presence

rights

Manage settings

PACS

Presence Control is flexible, cost-effective and easy to deploy/use

Presence Control provides Real Time Awareness and Visibility

Thank You & Questions!