article

The BASIC approach to biometrics at U.S. airports

Posted: 1 August 2008 | Colleen Chamberlain, AAAE Staff Vice President, Transportation Security Policy | No comments yet

Biometrics are coming to U.S. airports. Specifically, the U.S. Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) are seriously considering how to implement biometric identifier systems as part of aviation worker credentialing and access control systems at U.S. airports. In addition, the U.S. House of Representatives just passed legislation requiring TSA to work with industry to study ways to speed deployment of such systems for use by aviation workers.

Biometrics are coming to U.S. airports. Specifically, the U.S. Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) are seriously considering how to implement biometric identifier systems as part of aviation worker credentialing and access control systems at U.S. airports. In addition, the U.S. House of Representatives just passed legislation requiring TSA to work with industry to study ways to speed deployment of such systems for use by aviation workers.

In response, a growing group of airports, along with the American Association of Airport Executives (AAAE), are leading an industry effort known as the Biometric Airport Security Identification Consortium (BASIC) to work with TSA to determine how, and when, biometric-based systems can be deployed at airports. In particular, BASIC’s primary objective is to ensure that any requirements and standards for biometric systems at airports not only meet TSA’s security demands but also preserve local control and flexibility, build off existing processes and resources, and protect existing capital investments.

Unlike other industries and modes of transportation, U.S. airports have a long history of credentialing and access control experience. Airport access control systems are tied to badges issued by airport operators, who have long had local badging authority delegated from the federal government. Since shortly after the September 11, 2001 terrorist attacks, airport operators have conducted fingerprint-based Criminal History Record Background Checks (CHRCs) on all employees with access to restricted and security sensitive areas of the airport. Airports must also submit additional biographical information to TSA for name-based checks against terrorist and other federal government watch lists before issuing badges to individuals in all areas of the airport. Airport access control systems must meet standards outlined in federal regulations that, when the rules were first issued, forced airport operators to implement costly and often proprietary systems in a very short timeframe.

Given this experience, the airports involved in BASIC are working to ensure that the mistakes made with other industries and modes of transportation are not repeated with the aviation industry. For example, for the maritime industry, TSA has implemented the Transportation Worker Identification Credential (TWIC). The TWIC card is a biometric smart card that is used, at this stage, primarily for identity verification of maritime port workers. The TWIC process, from enrolment to card issuance, is controlled entirely by the federal government. Standardised TWIC cards are issued to individuals by the federal government in an average of four weeks at a cost of approximately USD 140 per card. In contrast, after conducting the TSA required background checks, airports issue badges locally with unique topography (for visual security challenges) usually within two days and at approximately one-fourth of the cost of a TWIC card.

“I have seen firsthand the challenges associated with the TWIC program,” said Mark Crosby, the Chief of Public Safety and Security at the Port of Portland and a founding member of the BASIC group. “I firmly believe that airport operators can provide a higher level of security by retaining control of the badging and access control processes. It is not necessary or efficient for the federal government to control the process from start to finish. We have already proven that we can successfully partner with the federal government on background checks, but airport operators know best who should be granted access to their airports.”

In the BASIC Concept of Operations, which is the document that the BASIC airport members are creating to outline their vision for a successful migration to biometric-based credentials and access control systems, there is a limited role for the federal government. Under the BASIC Concept of Operations, TSA would be responsible for setting the security standards, conducting the required background checks and related vetting and for ensuring compliance, which are all inherently governmental responsibilities. Airport operators would be responsible for enrolment, badge issuance and design, adjudication and determination of local access control privileges.

In addition to their robust experience with credentialing and access control systems, airports are also increasingly familiar with the deployment of biometric systems at their facilities. According to a recent survey conducted by AAAE, more than 40 per cent of airports that responded had or planned to have biometric systems in place at their facilities. Of those that had biometric systems in place, 75 per cent relied on fingerprint technology. Others had successfully deployed systems using iris, hand geometry or other biometric features. As a result, the BASIC airports are seeking to work with TSA to construct a solution that protects existing capital investments in biometric systems at airports, allowing airports to use multiple biometric options (not just fingerprints) and to choose the appropriate biometric and access control infrastructure for their facility. Airport managers stress that protecting existing capital investments is especially important at this critical time, when airports have limited resources and airlines are struggling with increasing fuel prices.

“San Francisco International Airport has successfully deployed hand geometry as part of our access control system for decades,” explained Kim Dickie, Assistant Deputy Airport Director for San Francisco International Airport and another founding member of BASIC. “We want to be able to build upon our existing access control systems moving forward. That is why we are interested in piloting the BASIC Concept of Operations – to test how we can continue to use hand geometry in a technically interoperable system.”

There are several airports like San Francisco International that are interested in piloting the concepts and solutions outlined by BASIC. The pilot programs will focus on integrating technical interoperability into existing airport badging and access control systems, including the use of reference and operational biometrics.

The industry-led BASIC group is working closely with TSA to coordinate efforts and both TSA and BASIC are committed to a cooperative approach to the next generation of aviation credentialing and access control systems. After reviewing a draft of a technical specification for TSA’s internally crafted approach, referred to as the Aviation Credential Interoperability Solution (ACIS) and provided to the airport industry at the request of AAAE, it is clear that the objectives of ACIS and BASIC are very similar. Both ACIS and BASIC are aimed at providing biometric verification of the identity of aviation workers, enabling the interoperable validation of background check information, and limiting the number and need for redundant credentials and vetting procedures. However, important differences remain, especially concerning the role of the federal government and the specific technical processes needed to reach the shared objectives of BASIC and ACIS.

“The solution is not just about technology,” explained Jeanne Olivier, General Manager of Aviation Security and Technology at the Port Authority of New York and New Jersey and the Chair of BASIC. “In an environment of limited resources and around-the-clock real time operations, as airport operators we look at not only what is technically feasible but also what is reasonable and can be easily integrated into existing systems and processes to minimise operational impacts. Therefore, it is important to build on existing relationships and the good work that has already been done on various standards related to biometrics and access control.”

“There is no need to reinvent the wheel,” added Carter Morris, Senior Vice President of Transportation Security Policy for AAAE. “There are secure, proven and cost-effective credentialing and access control systems already in place at airports today. Only select business processes and, in some cases, a biometric component need to be added to advance the security and policy objectives of both TSA and airport operators.”

Airports continue to join this industry-led effort to define and ultimately implement a reasonable, cost-efficient and phased migration to biometric-based credentialing and access control systems. Airports also continue to volunteer to proactively pilot the solutions outlined in the BASIC Concept of Operations, which is evolving based on feedback from airports and the BASIC Technical Advisory Committee. The Technical Advisory Committee was recently established to draw on the knowledge and expertise of information technology professionals at airports, as well as representatives from companies and organisations experienced in biometrics, identity management and access control, among other areas. The Technical Advisory Committee will help inform the ‘nuts and bolts’ of the BASIC solution as well as help continue the on-going dialogue with TSA.

By outlining the key principles important to airports and by taking a proactive approach to piloting solutions based on these key principles, BASIC and the airport industry will hopefully avoid a mandated government-run system for biometric credentials and access control. A regulation or law that mandates a single nationwide solution is not in the best interest of airports or TSA as it would represent a step back from local implementation and approval of security measures and, by its very nature, force a one-size-fits all approach to very technical and facility-specific issues. Fortunately, the BASIC effort has already resulted in a productive dialogue with TSA regarding standards-based solutions, which combined with BASIC pilot programs already underway, can serve as a quick and sound foundation for moving biometric-based credential and access control systems in airports forward.

Send this to a friend