Unaccounted-For Credentials Flying Under the Radar

Oct. 11, 2022
How airports are addressing badging requirements, physical access audits and TSA’s 5% rule using innovative automation solutions.
RightCrowd
Brian C. McIlravey, President & Chief Operating Officer, RightCrowd
Brian C. McIlravey, President & Chief Operating Officer, RightCrowd

Airports face a far higher level of oversight than most other organizations when it comes to physical security – and for good reason. With high numbers of transitory workers, a large percentage of non-employee personnel coming and going, and up to hundreds of thousands of passengers traveling daily, managing physical access within an airport is a continuous challenge.

Airport security is particularly critical in security identification display areas (SIDAs), the most sensitive parts of airport facilities. It is within these SIDAs where the risk of an insider threat attack looms largest. Reports show that terrorist organizations have used aviation sector insiders to carry out attacks, leading the TSA to enforce a number of mandates regarding physical access to SIDAs.

Even with TSA and FBI-led efforts such as the Aviation Worker Vetting Program and Rap Back Program, much of the burden relating to SIDA credentialing falls to the airports themselves. Current TSA regulations require airports to perform regular audits of identification badges in circulation. Should the percentage of unaccounted-for credentials for SIDAs exceed 5 percent, the entire airport must be rebadged. The Security Act of 2016 further tightened these measures, requiring TSA to notify congressional committees of any Category X airport (the largest and busiest airports in the country) that cannot account for 3 percent of their SIDA badges.

With approximately 1.4 million aviation workers across the United States who have access to SIDAs, managing and maintaining active badges poses a significant challenge, compounded by aging infrastructure and lingering effects of the COVID-19 pandemic. Declines in air travel during the pandemic resulted in many airport employees being laid off and airport construction projects being postponed. Many of the badges issued to employees and contractors pre-pandemic may now be unaccounted for, and with fewer security personnel available to assist with the already overwhelming task of credential management, many airports are finding themselves on the brink of a physical security nightmare.

Failure to comply with TSA’s 5 percent rule could result in the costly and time-consuming task of rebadging thousands of employees. In 2018, Daniel K. Inouye International Airport, the largest airport in Hawaii, was forced to rebadge 23,000 employees due to such an infraction. The TSA also warned that failure to address the badging concerns would result in a fine of $13,066 per violation, with complete inaction resulting in close to $25 million in fines. And while no additional fines were levied, the laborious and expensive task of rebadging their entire staff cost the airport close to a hundred thousand dollars in material costs. The airport cited conducting more re-audits as a way to ensure compliance in the future.

Beyond conducting more self-audits, cutting-edge automation tools now offer airports a new, better way to proactively manage credentialing and TSA compliance. These smart software solutions can automatically discover every inappropriate, missing or incorrect access permission across the entire physical access control system, while mapping, measuring, and monitoring credentials on an ongoing basis.

Advanced analytics software can assess data from disparate systems, including Human Resources (HR), Active Directory (AD), Enterprise Resource Planning (ERP), and Access Control Systems (PACS) solutions. The software further identifies any unescorted access worker credentials from PACS using information from payroll extracts, including those from tenants, concessionaires, vendors, and contractors. This kind of solution wraps all relevant contextual data around each identity so security administrators can accurately validate whether identities are in sync and access rights are set correctly.

Airports can then measure success by automating daily worker policy checks for employees and tenants. These checks provide insight into inactive people with active access, thus identifying people with active badges that have not recently or have never accessed a SIDA. Finally, the active monitoring of credentials is made easy by automating and streamlining credentialing audits. Automation tools allow internal audits to be conducted automatically within seconds to demonstrate due diligence and compliance with airport standards. Administrators can see current employment status and PACS status in a single view, making compliance tasks easy prior to or during required TSA audits.

Think of these analytic software solutions as the latest ‘best practice’ in monitoring airport credentials and access. By automating many labor-intensive tasks related to credentialing, such solutions offer operational efficiencies and accuracy to an already overworked security department. And while maintaining accurate credentials in an airport environment is a complex and fast-changing challenge, now airports can automatically map what needs to be tracked and measure it continually, ensuring they are always audit-ready and more secure for all who enter.

Brian C. McIlravey is an experienced and established Senior Business leader with C level experience with 30+ years in public and private sector security with extensive experience in security and the technology that drives it. Frequent industry speaker and recognized SME in physical security software.

About the Author

Brian McIlravey | President & Chief Operating Officer

Brian C. McIlravey is an experienced and established Senior Business leader with C level experience with 30+ years in public and private sector security with extensive experience in security and the technology that drives it. Frequent industry speaker and recognized SME in physical security software.