Security assessment of DXB airport

Security assessment of DXB airport Lalitya Dhavala | Airport and Airline Security Operations | March 17, 2014 CONTENTS Chapter 1 : INTRODUCTION .......................................................................................... 2 Chapter 2 : SECURITY ANALYSIS ................................................................................. 4 Security Analysis of Emirates Group as a stand-alone unit:............................................. 5 Security Risk Management:............................................................................................. 6 PHASE 1: INTELLIGENCE .......................................................................................... 7 PHASE 2: AT TERMINAL 3, CHECK-IN PROCEDURES............................................. 8 PHASE 3: BOARDING ............................................................................................... 10 PHASE 4: RAMP AND RUNWAY .............................................................................. 11 Cyber-threats: ............................................................................................................... 12 Comparison with the best we know, the world’s most secure airport, Tel Aviv: .............. 13 Chapter 3 : CONCLUSION ............................................................................................ 15 REFERENCES.............................................................................................................. 16 PAGE 1 LIST OF ABBREVIATIONS MANPADS LAG API/ APIS MAN Portable Air Defence Systems Liquids Aerosols Gels Advance Passenger Information System FIDS Flight Information Display Systems EDS Explosive Detection Systems BHS Baggage Hold Systems WTMD Walk Through Metal Detectors HHMD Hand Held Metal Detectors TDS Trace Detection Systems SLTD Stolen and Lost Travel Database TIP Threat Image Projection CTS Computerised Tomography Scanners RWY Runway LDG Landing R.A. Restricted Area KPI Key Performance Indicators CPDLC Controller Pilot Data Link Communications LIST OF FIGURES Figure 1: Different threats to a flight operation ................................................................. 4 Figure 2: Emirates Terminal 3, Concourse view .............................................................. 8 Figure 3: Multiple levels clearly providing no focal point to attack .................................... 9 Figure 4: Mapping threats to goals for ICT security ....................................................... 13 Figure 5: Ideal secure environment, highlighting need for coordination between various parties ........................................................................................................................... 15 PAGE 2 Chapter 1 INTRODUCTION The Emirates Group is one of the world’s most rapidly expanding travel and tourism conglomerate and Emirates Airlines, its core business, is the world’s best airline 2013. Emirates Airlines carried 39,391,000 passengers (16% increase over the last financial year) and 2 million tonnes of cargo during 2012-13. Generating 3.1% profit in a depressing economic environment is a feat indeed. Its 1.5 million fans on Facebook highlight the brand’s popularity on social media. However, aviation is a high-risk business and any damaging safety or security accident can have immediate effects on an airline’s financial strength. A recent case in point is of the Malaysia Airlines Flight MH370, which undermined its share price and ticket sales, though it has a very good record of safety. Thus, it is important for Emirates Airlines to continuously dedicate resources and effort towards ensuring security on all its flights. Surrounded by a region of conflict and instability, characterized by the Arab Spring, the probability of a terrorist attack or instability in the UAE may appear to be high. However the stability in the government of the UAE, its economy and continuous investment in security are deterrents to such activity. The majority of the nationals are patriotic, making the environment for internal insurgency weak. This report is an assessment of Dubai International Airport in terms of security. The report first discusses the importance of DXB to Emirates Airlines and the security of the Emirates Group as a stand-alone unit. Then, the security technology available in the airport, the operational procedures in use are evaluated and the potential for improvement is discussed. PAGE 3 Chapter 2 : SECURITY ANALYSIS Figure 1: Different threats to a flight operation The complex nature of the airport business opens up several ways in which a particular flight operation can be vulnerable to threats of hostile intent. As seen in Figure 1, undesirable objects can be carried to the flight through flight crew carry-on bags, passenger carry-on bags, checked baggage, courier cargo, transfer baggage, cargo, mail; people intending to cause harm to the aircraft may travel as flight crew or passengers, may come into the terminal as catering and cleaning personnel or ground crew. A large scale orchestrated terrorist attack may even use shoulder-fire missiles such as MANPADS or other surface-to-air missiles or conduct electronic warfare. There are two prevalent approaches to aviation security, attacker-centric and assetcentric. The attacker-centric approach was widely used in the industry till recently and focused on preventing ‘bad’ things and ‘bad’ people from reaching the aircraft. It is largely reactive with the ‘shoe-bomber’ incident requiring passengers to take off shoes through security checks and ‘liquid-explosion’ imposing restrictions on LAGs in cabin baggage. It patches a known vulnerability in the system. The asset-centric approach focuses on protecting the important assets to the organization and focuses on discouraging an attack on those assets. This provides protection from a wider range of attacks, including the ‘unknown unknowns’. This is achieved through two specific ways: PAGE 4 1. Reducing the attractiveness of the target to an attacker 2. Increasing the risk of being caught before successful attack to an attacker The asset-centric approach is clearly necessary in the current scenario as attackers become more innovative in their approach and as seen by the attempted bombing using shoes, liquids and underwear, these ‘unknown unknowns’ bring the element of surprise in the industry. Security Analysis of Emirates Group as a stand-alone unit: EK follows a ‘hub and spoke’ business model with DXB being the central node through which it serves more than 140 destinations. The hub and spoke model is unfavourable to security as the hub represents the single node of failure. A major security event at Terminal 3 has the potential to collapse the entire EK network. However, the management of security is easier with this model. A centralised system for security and operations is advantageous because it is easier and resource saving to spend on one hub rather than many important nodes. Terminal 3 presently caters to EK and Qantas operations. All codeshare flights are however operated from Terminal 1. Emirates doesn’t need to provide security services to those flights. However it needs to ensure that the codeshare partner meets or exceeds the security standards of EK. This is because, a security event on a codeshare flight still affects the reputation of EK airlines. The affected passenger may have bought the ticket under Emirates Airlines. One may consider shifting all code-sharing operations to Terminal 3 as well. However, this increases the attractiveness of Terminal 3 as a target, not only due to increased operations, but also higher concentration of people at that area. Considering that all terminals of Dubai Airports deploy the same level of security, it is wiser to let it be, providing convenience to passengers and airport authorities alike. Emirates Group has a dedicated Transguard Security Services under its wing for providing services internally. Transguard is fully compliant with ISO standards and even has an in-house training program for security studies in collaboration with leading universities. Transguard offers services for secure transport of valuable goods through customs, through land and air, and personal security services to VIPs and diplomatic cargo. This protects the brand of Emirates Airlines as a premium airline which can cater to all the needs of business travellers and international diplomats. This in-house capability provides for increasing the risk of exposure to an attacker, who has to deal with both airport and Transguard security, if he plans to attack a VIP or an important consignment. The collaboration with external universities and agencies provides for the ‘devil’s advocate’ view in the evaluation of their services. Transguard also supports Dubai Airports in implementation of API in the airport, by providing document verification services and investigates all cases of document theft, fraud. This is advantageous as compared to Dubai Airports doing it independently, because the airline will have more information about a person who has booked a ticket PAGE 5 with falsified documents internally. Thus, if a security breach occurs, airport authorities may have information about the concerned party faster. Also, knowledge that falsified travel documents can be easily traced back deters this activity by potential attackers. Security Risk Management: An organization defines its risk appetite by identifying its critical assets and defining their relative importance. The risk management process then seeks to address vulnerabilities according to the following repetitive cycle:     Risk identification Risk assessment Risk response Risk monitoring The passengers flying by Emirates and its fleet are the most critical assets to Emirates Airlines. Other critical assets to be protected are its employees, IT equipment, passenger details, customer reservation credit card details, flight plans, crew contracts, employee centres, support lists and business plans. The unavailability of services, destruction of multi-million dollar aircrafts, disclosure and damage to the public image of the airline are the possible consequences that Emirates wishes to avoid. Different phases of security operations, for which the airport is responsible, are identified below. The security risk assessment of the airport shall be described according to the below phases: • Intelligence • Airport terminal, check-in procedures • Boarding • Ramp and runways PAGE 6 PHASE 1: INTELLIGENCE 1 Security Phase Intelligence 2 Generic hazard Insufficient information available Specific Hazard(s) Inefficient sharing of information between different parties, false information regarding a specific threat Worst credible Scenario Surprise attack against the airport, or a surprise attempt to hijack or otherwise harm the aircraft. 3 Analysis of potential Accident Scenario 3.1 Triggering event 3.2 Undesirable Operational State Insufficient advance information regarding a threat 4 Surprise attack against the airport 4.1 To avoid the UOS 3.3 Accident Outcome Damage to the reputation of the airport and airline, injury to passengers; Catastrophic accident 4.2 To recover before the Accident Barriers in place Technological defences : None Procedural defences: Excellent intelligence network, clear line of command in an emergency, good cooperation between UAE and neighbouring countries to facilitate sharing of information Armed patrol and duty officers in the airport terminal, security checkpoints within the terminal, CCTV monitoring 5 Risk Assessment The estimated frequency of The barriers will fail in AVOIDING the triggering event (per the UOS... flight sectors) is: The barriers will fail in RECOVERING the situation before the ACCIDENT... The accident severity would be... Major About every 1000 sectors Once in 100 000 times Once in 10M times 1.E-03 1.E-05 1.E-07 6 Result UOS frequency: Mean Accident frequency: 1.E-08 1.E-15 1.E-08 6.1 Resulting risk class Accept Accept 1.E-02 Table 1: Risk assessment for intelligence phase security operations Recommendations for improvement: Promote sharing of information internally as well to ensure coordination between Emirates and Dubai Airports. It is important to ensure that PAGE 7 the security officer of Emirates Airlines and the government share information about threats to be well-prepared. PHASE 2: AT TERMINAL 3, CHECK-IN PROCEDURES Generic hazard: Unidentified baggage, Undesirable persons checking in for a flight Specific components of the hazard: Explosive devices contained within baggage, people with intentions of sabotage or hijacking the flight Hazard related consequences: The worst credible scenario that can occur at Terminal 3 is an explosion within the terminal building or a potential attacker flying on a particular leg from DXB Figure 2: Emirates Terminal 3, Concourse view Existing defences against this hazard:  Technological defences: o Car plate number recognition at entry points to airport o 24/7 CCTV monitoring with excellent picture clarity and zoom-in ability of up to 16x, 7000 advanced cameras, Video over IP security systems o FIDS units at multiple locations warning passengers to report any unidentified baggage lying around o Total built out area of 528,000 sq.m. for EK, multi-layered building PAGE 8 Figure 3: Multiple levels clearly providing no focal point to attack o o o o o  Premium class lounges covering 29,000 sq.m; 3 conference rooms; 3 business centres 20 A380 gates Around a total of 200 counters including self-service kiosks, dedicated premium class counters, dedicated Skywards members counters Electronic supply chain manifests for secure freight movement into and out of the terminal 2. Dedicated internet links to transfer confidential air cargo information and data Use of API to identify undesirable passengers The large space and multiple number of counters, conference rooms etc. makes it virtually impossible for an attacker to attack a specific crowd and decreases the attractiveness of the target as there are no large congregations of people. The use of API being the latest industry standard also increases the risk of being caught to a potential attacker. Procedural defences: 4000 Patrol airport security officers, both uniformed and plain-clothed are on duty to observe and deal with unidentified baggage as quickly as possible. All officers are trained in behavioural detection to identify a potential assailant. This raises the risk of pre-attack identification to an unattractive level for an attacker. Airport perimeter patrol officers look out for cars that are parked at the curb for long periods of time, repeatedly urging them to leave. Barriers that can hold an undesirable event from escalating into a major/ catastrophic event: Armed patrol and duty officers in the airport terminal, bomb detection and k-9 squad on stand-by, security check-points within the terminal, border control. PAGE 9 Resulting risk level: ‘To Secure’ for the risk of unidentified baggage, Acceptable for the hazard of undesirable people; Mean accident frequency1: 1x10-9 Recommendations for improvement: Though there are patrol officers on duty, the resource allocation should be such that there is continuous monitoring of sensitive areas such as washrooms; an attacker may take advantage by planting an explosive in a deliberately forgotten purse at the ladies’. Even lower-level support staff like janitors and cleaners must be given awareness courses in airport security. Also, the entry point to Dubai International is relatively insecure, being in the centre of the city making it a potential target for ‘parking-lot’ attacks. This calls for ensuring that no arms are prevalently used in the city by the government. PHASE 3: BOARDING Generic hazard: Undesirable people or objects on-board the flight Specific components of the hazard: Potential hijackers/ terrorists on-board, Explosives on-board, Sabotage of aircraft Hazard related consequences: The worst credible scenarios that can occur are explosion of the aircraft, injury to passengers, hijacking. Existing defences against this hazard:  Technological defences: o Dual x-ray and screening systems for the inspection of freight pallets and cargo prior to arrival to the terminal 2, for cargo operations Fully automated 6 MeV linac generator x-ray systems2, integrated with a five-layered approach EDS for BHS o Multiple security check-points equipped with WTMD, HHMD, TDS, X-ray screening for hand baggage, Liquid Explosives Detection Systems o Smart E-GATE in full implementation now for border control Procedural defences: o Border control connected to Interpol databases to identify criminals or other dangerous people, with UAE searching SLTD more than 50 million times, i.e. almost every passenger o Colour coded immigration counters for residents and non-residents shortening waiting times at immigration queues, thereby avoiding large crowds o  1 Mean accident frequency derived from calculation similar to Table 1 2 In less than 30 seconds, a densely loaded 20-foot container of up to 11 tons can be scanned to form a three dimensional map of the material inside the container. These systems are powerful enough to penetrate 14 inches of steel and immediately yield clear high-resolution images for excellent object discrimination. PAGE 10 o o o o o o o Clear line of command in identifying and isolating suspicious pieces of baggage from the hold area 100% screening of all transfer baggage directly from the hold Random screening of security staff, use of ‘TIP’ to keep security officers alert and monitor their performance, regular assessment of screening officers Implementation of convenient shifts so that the officers are not fatigued Behavioural detection officers and undercover policemen at security check points CCTV monitoring and regulation of all dangerous materials such as knives available at the dining outlets after the security check-points Maintenance and support staff entry and exit strictly controlled by dutytime specific access cards Barriers that can hold an undesirable event from escalating into a major/ catastrophic event: Trained cabin crew on-board to identify suspicious passengers and objects before take-off. Resulting risk level: Acceptable though the barriers after an undesirable event may fail often; Mean accident frequency: 1x10-12 Recommendations for improvement: Border control must implement biometric measures at least to the level of facial recognition, as present systems (other than E-GATE) rely on comparing the person to a photo ID. The use of plastic cutlery instead of glass and restricting the use of large knives is recommended. However, its impact on the perceived luxury of the airport should be taken into account as Emirates Airlines mostly focuses on premium customers. The Secure Registered Traveller System using automated carry-on scanning, automatic biological pathogen detection, millimetre-wave full body scanning and a quadruple resonance carpet that would detect threats in shoes without having to take them off is being developed by General Electric. The SRT program also works with smartcard technology along with fingerprint technology to help verify passengers. The fingerprint scanner also detects for explosive material traces on the person's fingers. Also newer technology like Analogic’s COBRA CTS system which can allow laptops and liquids to stay in the baggage should be embraced, in order to expedite security checking and allow for the rapid growth that EK and DXB are facing. PHASE 4: RAMP AND RUNWAY Generic hazard: Obstruction to normal take-off and landing, Aircraft sabotage Specific components of the hazard: RWY debris and inflammable materials, undesirable people tampering with the aircraft Hazard related consequences: The worst credible scenarios that can occur are hazardous T/O or LDG, rejected T/O or go-arounds, explosion of the aircraft. PAGE 11 Existing defences against this hazard:   Technological defences: o R.A. ID cards o CCTV at all ramp areas and all entry/ exit points to airside, with ability to lock gates from the control room o Fibre optic perimeter intrusion detection systems which can relay information immediately to all concerned parties Procedural defences: o Thorough background checks for all ground staff o Preliminary security check for all staff entering the airside o Pre-flight precautions and security search on the aircraft prior to boarding of the passengers Barriers that can hold an undesirable event from escalating into a major/ catastrophic event: Patrol cars along the ramp areas, CCTV monitoring, ground surveillance radar coverage from ATC TWR Resulting risk level: Acceptable; Mean accident frequency: 1x10-12 Recommendations for improvement: Implementation of bio-metric systems for R.A. access should be done. Cyber-threats: Airlines have to deal with the airports such that they do not solely focus on their aircrafts but weaker and more vulnerable links such as ATC towers and communication links. Cyber security is paramount, probably more than physical security today. Especially with Emirates using up to 100 e-enabled aircraft such as the A380s in the future, deploying information security is imperative. The consequences of a cyber-attack from the airport may be as severe as physical destruction and outage of flight computers. One of the first reported instances of this occurring was the crash of Spanair flight JK5022 which crashed on August 20, 2008. It has been reported that a security vulnerability in the maintenance computers hampered the efforts of the maintenance crew and contributed to an unsafe aircraft departing. The three goals of ensuring ICT security in Dubai Airports are: 1. Confidentiality: Ensuring that information access is only available to those who require it and are authorized to have access 2. Integrity: Safeguarding the accuracy and consistency of information; ensuring non manipulation (alternation, corruption) of information 3. Availability: Making sure information is available to those who need it and that they can use the information when appropriate. Typical threats are masquerading, eavesdropping, authorization violation, loss or modification of information, denial of communication acts, forgery of information, and PAGE 12 sabotage. These are all specific threats between ATC and pilot communications and may prove to be crucial for the management of T/Os and landings at Dubai International. Figure 4: Mapping threats to goals for ICT security Though cyber-attacks directly from a passenger in the cabin to the cockpit systems may be considered to be an airline responsibility, the vulnerability of a hack in the check-in systems, unsupervised self-check in kiosks, other information systems and ATC communication links is very crucial to Dubai Airports. Ensuring separation of the public WiFi and any of the airport systems has to be done. Also important to ensure is the protection of passenger information stored for the API and the screening images to relieve the public mind and encourage implementation of this system. The Data Loss Prevention Scheme initiative by Dubai Airports has to be monitored and updated regularly. Comparison with the best we know, the world’s most secure airport, Tel Aviv: Ben Gurion international airport has the reputation of being the world’s most secure airport, despite the region being a high potential target for terrorism. This has been achieved through a series of complex measures taken by the airport authorities. Keeping in mind that aviation security does not follow a ‘one-size-fits-all’ policy, we compare the security procedures at DXB(66 million PAX) to Tel Aviv(14.2 million PAX), to identify if any lessons can be learnt. 1. Preliminary security checkpoint of all vehicles before entering the airport compound, armed guards spot checking all vehicles entering: DXB does not have such measures in place as firstly the security threat to the airport is not as significant as Tel Aviv; it is intrusive to the tourist passengers who are the main source of business to Dubai. Also ammunition entering and exiting the country is strictly controlled by the customs authorities and Transguard services .Therefore, the probability of a common man attacking the airport with personal arms or MANPADS is quite low. However, as seen in the ‘parking lot’ bombing incidents, DXB should implement an additional security measure at the parking token PAGE 13 2. 3. 4. 5. 6. 7. 8. 9. issuing counter so that the vulnerability posed by an airport in the heart of the city is lessened. Armed security agents at the terminal gates in Israel: DXB does not have uniformed officers at the gates but continuous patrolling of armed plain-clothed officers makes tourists less wary of their surroundings. Also CCTV monitoring is efficient around the terminal entry and exits. Plain-clothed and uniformed officers patrolling at Israel: Also present in DXB. Detailed Interviewing of all passengers: This is very intrusive to tourists and business travellers who form the crux of the airport passengers at DXB. As seen in the risk assessment above, the present security threat doesn’t warrant its necessity in DXB. Pre-check in screening of baggage through x-ray machines in Israel: old technology that is replaced by the 100% screened baggage screening integrated with the BHS in DXB. All checked-in baggage put in a pressure chamber to trigger any explosives: Dubai International airport handles 62 million bags per year and 90,000 bags daily. Emirates has a policy of maintaining fixed minimum connection time of 75 minutes for transfer flights, which form 75 % of baggage. Mishandled bags per 1000 is the most important KPI for Emirates, which has a figure of below 1.5, far below the IATA standard of 8.99. This brings out an important factor in the implementation of BHS. Within this time frame it is difficult to have all the baggage pressured through an explosion chamber. The procedure of identifying high-risk baggage through a five-layer system and subjecting only high-risk baggage to a pressure chamber is more beneficial to the operations of DXB. Personal security, X RAY for hand luggage, metal detectors, additional pat-down checking, Hand Held Metal Detectors are all used at DXB as well. Rechecking of passport and boarding card at the gate is also done at DXB. Questioning of passengers by passport control for incoming flights also present at DXB, though it is more selective. PAGE 14 Chapter 3 : CONCLUSION Traditionally aviation security has focused on preventing unwanted incidents but the focus must also be on addressing the security risks through-out the incident lifecycle. This calls for well-developed emergency response plans that are communicated to all people involved in the operations. Dubai Airports has some of the best security features that help to deter terrorist activities in the present but going in to the future, Dubai Airports should focus on ensuring cybersecurity even as cases of possible ‘cyber-hijacking’ are being discovered. The weak links in the chain such as ATC towers, CPDLC messages have to be secured to ensure that they are not tampered with. Cyber threats may not be so high-level, a hack of the FIDS at the airport, displaying messages that a bomb is set to go off in the airport, may be enough to create chaos and pandemonium in the terminal, allowing the terminal to be a potential target for a terrorist. In the era of increasing inter-connectedness, making aviation a more complex system than it already is, it becomes mandatory to ensure airport and airline co-operation. While this is more or less achieved in safety, security seems to be an after-thought. However it is important to realise that though the methods in safety or security are different, the harm that comes to an aircraft overlaps very quickly when there is an undesirable event. Figure 5: Ideal secure environment, highlighting need for coordination between various parties PAGE 15 REFERENCES Airport Business, 2012. Developing the 2020 airport model. [Online] Available at: http://www.airport-business.com/2012/11/developing-the-2020-airportsecurity-model/ [Accessed 5 March 2014]. dubai Airports, 2012. Process and governance. [Online] Available at: dubaiairportsreview.com/people/process-governance/ [Accessed 4 March 2014]. Dubai Airports, 2013. Connect. [Online] Available at: http://www.dubaiairportsconnect.com/uncategorized/easing-the-way-forour-passengers/ [Accessed 27 February 2014]. Dubai Chronicle, 2010. Dnata opens new lounge to provide special assistance to passengers at Dubai International. [Online] Available at: http://www.dubaichronicle.com/2010/09/07/dnata-opens-new-lounge-toprovide-special-assistance-to-passengers-at-dubai-international/ [Accessed 16 March 2014]. Elliott, R., n.d. Dubai: Terrorist Target?. [Online] Available at: http://www.securitymanagement.com/article/dubai-terrorist-target [Accessed 4 March 2014]. Johanson, M., 2014. Malaysia airlines flight MH370 exposes aviation industry's passport problem. [Online] Available at: http://www.ibtimes.com/malaysia-airlines-flight-mh370-disappearanceexposes-aviation-industrys-passport-problem-1560355 [Accessed 10 March 2014]. Michael L.Olive, R. T. S. A., 2005. Commercial aircraft information security-an overview of ARINC report 811, s.l.: s.n. Rainer Kolle, G. M. A. T., 2011. Aviation Security Engineering. Norwood: Artech House. Ron, R., n.d. Man versus Machine. Newsweek, p. 12. Skytrax, 2013. World Airline Awards. [Online] Available at: http://www.worldairlineawards.com/Awards_2013/Airline2013.htm [Accessed 15 March 2014]. PAGE 16