The October 31 crash of a Russian airliner over Egypt's Sinai Peninsula, brought down by an explosive device placed on board, highlights the difficulty of protecting civil aviation against deadly acts of violence.

The director of Russia's Federal Security Service, Aleksandr Bortnikov, confirmed on November 17 than an explosive device, rather than mechanical failure, caused the crash. The investigation may be able to establish whether the device found its way to the aircraft through inadequate technical security measures (including staff shortcomings) or a deliberate human action. The latter possibility is currently seen as the most likely.

All-Inclusive Enterprise

The International Electrotechnical Commission (IEC) develops many international standards for technical systems and actions that enhance security for the air transport industry.

Safeguarding the air transport industry against a wide range of risks and threats is an all-inclusive enterprise aimed at protecting passengers, staff and critical assets both on the ground and in the air.

The technical side of this task can only be achieved if the multiple stakeholders involved adhere to sets of practices, regulations and international standards prepared by the industry, organizations and relevant authorities.

Law enforcement officer screens a passenger at the Vladivostok international airport in Russia. Image source:  WikipediaLaw enforcement officer screens a passenger at the Vladivostok international airport in Russia. Image source: WikipediaThe civil aviation sector is of critical importance to most countries in terms of its economic, human and security aspects. According to data from the International Air Transport Association (IATA), the trade association of the world’s airlines, the total revenues of the industry reached $733 billion in 2014, as some 3,327 million passengers and 51.5 million tonnes of freight were transported by air that year.

The international standards and regulations necessary for ensuring safe, regular, efficient and economical air transport are set by the International Civil Aviation Organization (ICAO). ICAO is a United Nations specialized agency created by the Convention on International Civil Aviation (Chicago Convention) that was signed in December 1944.

ICAO works with the Convention’s member states and global aviation organizations to develop international Standards and Recommended Practices (SARPs), contained in 19 Annexes to the Chicago Convention. ICAO member states reference these when developing their own legally enforceable national civil aviation regulations.

Growing Threats to Safety

Given the international nature of air transport, any act that has an adverse effect on its safety—be it aimed at aircraft or airports—results in the widespread disruption of flights worldwide and may even affect a country's economic prospects.

Aircraft hijacking (namely, the unlawful seizure of an aircraft by armed individuals) emerged as a threat in the late 1960s and early 1970s when dozens of aircraft were seized mainly for political reasons (terrorism, flight for political asylum) or criminal objectives (extortion). Sometimes deaths and the loss of aircraft were the outcomes.

A succession of attacks against U.S. aircraft in 1972, including two violent hijackings and a bomb scare, led to an emergency Federal Aviation Administration (FAA) rule that introduced metal detection screening portals for passengers and X-ray inspection systems for carry-on baggage at U.S. airports. Similar measures, if not already in use, were soon widely adopted in other countries.

Managing Risk Through International Regulations

Two ICAO Annexes contain SARPs directly relevant to air transport security.

  • Annex 9: Facilitation, first adopted in 1949, contains SARPs derived from several provisions of the Chicago Convention that, among other provisions, oblige each contracting state to adopt all practicable measures to facilitate and expedite navigation by aircraft between the territories of contracting states, and to prevent unnecessary delays to aircraft, crews, passengers and cargo. These SARPS also establish customs and immigration procedures affecting international air navigation in accordance with the practices established or recommended in the Convention.
  • Annex 17: Security: Safeguarding International Civil Aviation against Acts of Unlawful Interference, was adopted in March 1974 following an increase in violent acts, which adversely affected the safety of civil aviation. This annex sets out the basis for the ICAO security program and seeks to safeguard civil aviation and its facilities against acts of unlawful interference. Experts from ICAO member states as well as from international organizations such as the Airports Council International (ACI), the International Air Transport Association (IATA), the International Federation of Airlines Pilots Association (IFALPA) and the International Criminal Police Organization (ICPO-INTERPOL) work to keep Annex 17 under constant review. ICAO also seeks to coordinate the activities of those involved in security programs, such as states, airport and airline operators.

International Standards Matter

The implementation of ICAO SARPS on Facilitation and Security rests to a significant extent on technical solutions relying on special equipment and systems. These must meet international standards, many of which are developed by Technical Committees (TCs) and Subcommittees (SCs) of the IEC and by subcommittees of ISO/IEC JTC 1, a Joint Technical Committee on Information Technology set up by the IEC and the International Organization for Standardization (ISO).

Facilitation implies traveller identification and border controls. The days are long gone when passengers could travel with passports whose details were often entered by hand or typewriter and where photos were stapled to the document.

Countries now issue machine readable travel documents (MRTDs), which are standardized in ICAO Document 9303: Machine Readable Travel Documents. These MRTDs enable faster processing of arriving passengers by immigration officials and are more reliable and more difficult to forge than the documents that preceded them.

ICAO 9303 was endorsed by ISO/IEC JTC 1/SC 17: Cards and personal identification, as ISO/IEC 7501, a three-part International Standard, which covers machine readable passports, machine readable visas and machine readable official travel documents.

In addition to coordinating with ICAO, the special IEC/ISO JTC 1/SC 17 Working Group (WG 3) on MRTDs works extensively with international organizations such as INTERPOL, the International Organization for Migration (IOM) and the Organization for Security and Co-operation in Europe (OSCE).

Some MRTDs contain a chip; these eMRTDs can be read electronically and contain biometric data.

IEC/ISO JTC 1/SC 37: Biometrics develops standards for "generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems." Such technologies are used in eMRTDs.

IEC/ISO JTC 1/SC 37 also developed ISO/IEC 24713-2, a specific international standard covering "biometric profiles for interoperability and data interchange" specific to "Physical access control for employees at airports." This standard covers the basic biometric functions of enrolment, verification and identification and includes a database interface.

Controlling Access to Critical Assets

What sparked the introduction of screening portals for passengers and X-ray inspection systems for carry-on baggage was the large number of violent acts against aircraft, crew and passengers by individuals bringing weapons into aircraft.

SARPs contained in ICAO Annex 17 are adopted by national and regional organizations and bodies such as the FAA and the European Civil Aviation Conference (ECAC), which sometimes add even more rigorous measures.

A tightening of measures such as the reunion of baggage with passengers, controls over items left behind on the aircraft by disembarking passengers, security controls for commercial courier services and controls over cargo and mail under certain situations have been added over the years to reduce the risk of sabotage.

Two identification technologies are important for the proper and safe tracking, dispatch of hold baggage, freight and other uses—the barcoding and radio frequency identification devices (RFIDs).

Thermal paper bag tags are the main means of tracking hold luggage. Over the past year alone, the aviation industry has issued approximately 3.3 billion thermal paper bag tags, a complex composite of chemicals, paper and plastic that is wasted after each trip. Standard bar code tags may be misread when damaged or crumpled, forcing bags to be hand-sorted and increasing the likelihood of problems. Some airlines and airports have started using bag tags containing embedded RFID chips. Use of these tags can result in read rates in excess of 99%.

International standards for bar coding and RFID are prepared by ISO/IEC JTC 1/SC 31: Automatic identification and data capture techniques. Standards for bar coding, cover coding and also specifications for all equipment used to mark, identify or interpret the various types of bar codes, as well as the more recent quick response (QR) codes that are used increasingly frequently to produce electronic boarding passes sent by airlines to passengers’ mobile devices.

International Standards for RFID in the ISO/IEC 18000 series cover a variety of topics from syntax for high-capacity automatic data capture media to RFID for item management, or automatic identification and data capture techniques (AIDC).

Going Electronic

A number of airlines have started testing so-called electronic bag tags that are particularly convenient for frequent travellers. They feature an integrated RFID chip and a custom built e-paper display showing an optimized barcode. These electronic tags can last several years, are not limited to a single airline and allow remote baggage check-in and a faster baggage drop-off process. With a combination of bar code and RFID, they can already be used at almost any airport. Future electronic tags will also rely on International Standards for e-paper prepared by WG 7: Electronic paper display, of IEC TC 110: Electronic display devices.

Passengers are well aware of screening as they and their carry-on luggage must go through various scanning devices. However, they may not be aware that the suitcases or bags they drop off when checking in also are screened in special areas on their way to aircraft holds.

The screening of passengers, carry-on and hold baggage depends on electrotechnical equipment. Although the IEC develops international standards for medical imaging equipment using X-ray or computed tomography (CT) scan, it does not do so for this specific type of screening system.

Electronic bag tags feature an integrated RFID chip and a custom built e-paper display.Electronic bag tags feature an integrated RFID chip and a custom built e-paper display. However, experts from IEC SC 45B: Radiation protection instrumentation, are currently developing two international standards relevant for baggage screening. One concerns the evaluation of the image quality of X-ray CT security-screening systems, the other focuses on bottle/can liquid X-ray inspection system—two areas of significant importance for air transport security.

IEC SC 45B has also developed a number of international standards for radiation monitors for the detection of radioactive and special nuclear materials at national borders, and for personal radiation devices (PRD) for the detection of illicit trafficking of radioactive material.

As first and last lines of defense, critical installations rely on electronic security systems. This is the case for airports where such systems alert staff to potential risks of intrusion and also block access to restricted areas by unauthorized individuals. IEC TC 79: Alarm and electronic security systems, prepares "International Standards for the protection of buildings, persons, areas and properties against fraudulent actions having the purpose to enter in a place or to take or to use something without permission and other threat related to persons."

Cyberthreats

One area that is often neglected as technology advances is the risk of cyberattacks on critical infrastructure. As such, the air transport sector is seen as a potential target of such attacks, as some recent incidents show.

In January 2015, the U.S. Government Accountability Office (GAO) issued a report calling on the FAA to take additional steps to better protect its air traffic control systems from cyber-based and other threats. The GAO identified a number of "weaknesses in controls intended to prevent, limit and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data and auditing and monitoring activity on FAA's system."

Such weaknesses threatened "the agency's ability to ensure the safe and uninterrupted operation of the national airspace system," the GAO says.

In late June 2015, hackers mounted a Distributed Denial of Service (DDoS) attack on Warsaw Chopin Airport's computers that are responsible for issuing flight plans. Dozens of flights from Poland's national carrier LOT were delayed as a result.

"This is an industry problem on a much wider scale, and for sure we have to give it more attention", according to LOT chief executive Sebastian Mikosz, quoted by the Reuters news agency at the time.

During the first half of 2015, at least five airlines, two airport operators and one civil aviation authority were publicly reported as victims of online attacks, according to a recent IATA analysis.

Important International Standards in the field of IT security techniques are developed by ISO/IEC JTC 1/SC 27: IT security techniques, which prepared ISO/IEC 27001, Information technology—Security techniques—Information security management systems—Requirements. The second edition, published in 2013, "specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."

Eliminating the Weakest Link

What has clearly emerged as the weakest link in the air transport security chain is the human factor, as the crash of the Russian airliner and recent instances in the U.S. show.

  • In March 2015, NBC News reported that an estimated 1,400 badges, which allow airport workers access to secured areas, had been lost or stolen at Atlanta International Airport between 2012 and 2014.
  • The U.S. Transportation Security Administration (TSA) announced in August 2015 that it had discovered 1,386 firearms in passenger carry-ons, many of these weapons loaded, in the first six months of 2015.
  • An undercover investigation carried out by the U.S. Department of Homeland Security (DHS) revealed that TSA's airport checks had failed to detect 67 out of 70 tests (96%) when DHS undercover agents posing as airline passengers went through TSA control carrying fake explosive devices or banned weapons.

These examples from a country at the origin of many security measures for civil aviation, as well as the bombing of the Russian airliner are sober reminders that absolute security in the sector is still impossible to achieve.

Guidelines and SARPs may be strict, international standards detailed, security measures rigorous and technical equipment sophisticated, but the human dimension will remain the weakest link for the foreseeable future. Ensuring this changes is the next major challenge for the industry.

(This article was updated on November 17 to reflect new information about the bombing of the Russian airliner.)

More Resources:

IHS Standards Library