Category: Aviation

Now more than ever, computers are an effective, affordable option for training airport/transport security personnel. But what is the actual state-of-the-art in computer-based training these days? And how well can this training approach provide the security industry with the qualified personnel it needs in a timely manner?

To find out, Transport Security International (TSI) magazine sat down with three leaders in computer-based training: The Center for Adaptive Security Research and Applications (CASRA); e-Lectio, a part of ICTS Europe group; and STI Security Training International GmbH. Here is what they told us.

What They Have to Offer

We began by asking these three companies about their products/services in computer-based training for airport/transport X-ray screeners and others in aviation/transport security screening areas.

At CASRA, “we do security research and applications with the objective to strengthen security and increase facilitation in X-ray screening,” said Sara Bracceschi, head of consulting and services for customs. This means that CASRA’s software, methods and procedures are built upon scientific research, and are being constantly improved through close collaboration with government organizations, research institutes, and end users. In all, CASRA’s software and applications have been installed in over 50 countries and at more than 900 airports around the world.

As for CASRA’s products for airport/transport security personnel? “Our computer-based training and assessment platform, X-Ray Tutor 4 (XRT4), is the result of studies and scientific investigations carried out over more than 20 years with the focus on cognitive abilities and visual knowledge of the human operator who analyzes X-ray images,” Bracceschi replied. “XRT4 was created to provide an easy-to-use training software that enables X-ray screeners to detect prohibited items quickly and reliably, and increases their visual knowledge about X-ray image interpretation.”

For its part, “E-Lectio is dedicated to the development and delivery of online training solutions to customers in the aviation security sector worldwide,” said Nimrod Matan, the company’s Commercial Director, E-Lectio. Its computer-based training for airport/transport security personnel is delivered through Eagle7, a state-of-the-art Learning Management System (LMS).

“Our e-Learning course catalog covers all training topics required by civil aviation regulations and in particular EU and UK, including (but not limited to) x-ray screeners’ training for cabin, hold baggage, air-cargo and mail,” Matan noted. “Our customer base includes international and regional airports, civil aviation authorities, security companies, police forces, training centers, as well as non-aviation employers of x-ray screeners, in the maritime, government and corporate sectors.”

In order to keep transport security professionals apprised of actual security threats, e-Lectio maintains a massive image library of “threat items”, which grows yearly to reflect recent events and regulation changes. “All of our images are manually created by experts using real-life threat items and real-life luggage, cargo and mail,” said Matan.

Meanwhile, STI has been specializing in image interpretation-based X-ray training since 2001. The company’s training activities are mostly in aviation, but not only,” said Axel Stefan, CEO of STI Security Training. “More and more security checks are also performed in civilian life during sports events, at schools, hospitals, and cultural locations.”

“To [address] these increasing security needs, STI has been continuously developing its own innovative image interpretation CBT (computer-based training) for X-ray screeners,” he added. “Airports, airlines, transporters, supply chain, logistics companies contact us to help them meet their national requirements.”

How These Computer-Based Training Programs Work

X-Ray screening is a complex and important element of airport security. Not everyone has an aptitude for this kind of demanding work, nor the people skills necessary to minimize and manage issues. Therefore, “it is advisable to apply scientifically proven selection tests, such as the X-Ray Object Recognition Test (X-Ray ORT), as part of pre-employment assessment procedures,” said Dr. Adrian Schwaninger, CASRA’s chair. “Not every person has the potential to become a good X-ray screener because certain specific aptitudes and abilities are prerequisites to succeed at this job.”

After candidates have passed this CASRA screening process, “individually adaptive computer-based training (CBT) like XRT4 is a very powerful tool for achieving and maintaining a good X-ray image interpretation competency,” he told TSI. This is because XRT4 trains airport/transport security officers to recognize both common and rare objects seen during X-ray screening. It also trains them to make sense of objects placed in a wide range of positions — both alone and mixed in with other items — viewed in X-ray images of different resolutions and complexities.

Worth noting: CASRA updates their computer-based training content as new threats become reality. “We have an in-house systematic threat assessment team that systematically searches for potential threat scenarios through different sources such as the surface web, deep web, social media, and radical propaganda magazines,” said Schwaninger. “Subsequently, these threat scenarios are evaluated and assessed with regard to feasibility, damage potential and possible mitigation measures.”

e-Lectio’s computer-based training system is hosted on the web using an SaaS (Software as a Service) model. “It includes a comprehensive simulator with an image library of over 50,000 images of genuine luggage, cargo and mail parcels, including threat items of all categories mandated by regulators,” Matan said. Updated yearly, this library has images captured by all leading brands of X-ray screening equipment commonly used in airports. The simulated X-ray machine user interfaces supported by e-Lectio’s software are either machine-neutral or machine-specific, as per customers’ preference.

“Our training program is fully customizable by the training administrator/instructor,” said Matan. “All training parameters are customizable, including number of images, time limit, score formula, difficulty levels of images, angles of threat items, dual/single view, bag rotation, and many more. Furthermore, training can be set to be automatically adapted for each screener according to his or her points of strength and weakness, speed and accuracy. The system also has modules that are dedicated to initial training, practice, certification testing, recurrent training, and re-certification.”

At STI, the company’s X-ray and CT (computer tomography) image interpretation training program OTS (Operator Training System) is customizable, adaptive and based on each customer’s individual environment. As for STI’s computer-based training approach? “To achieve a high-security detection level from the X-ray screeners, you have to get there step by step, with the right trainers, the proper teaching, methods and tests,” replied STI trainer Yvonne Henrich. This being said, “before being able to detect a threat, you need to get the basics,” she noted. “Students need to understand how an X-ray machine works, the meaning of colorization of the images (orange, green, blue), and the functionality of the keyboard. Then you understand the legal framework, and go deeper into the relevant international and national regulations.”

In the STI Xpert modules used for recurrent training, “the system will automatically check the strengths and weaknesses of the trainee, and will adapt the images accordingly,” she added. “So the trainee strengthens her/his skills while training. Moreover, our in-house solution ensures that a certain percentage of the images are renewed each year.”

What Students Are Taught

STI’s Henrich touched on the most vital aspect of any computer-based training system, namely what specifically the students are being taught. So let’s dig into this area of airport/transport security training.

When it comes to CASRA, “our focus is on maximizing the human-machine system performance in X-ray screening and in order to do that, we cover the whole competency life-cycle of X-ray screening from selection, to training to testing,” said Bracceschi. “Once a screener is selected, our training programs tackle image-based and knowledge-based factors, so that the screening officers are able to recognize new and emerging threats and improve their performance level while constantly updating their knowledge.”

To maximize successful training outcomes, an individually adaptive algorithm has been embedded in CASRA’s computer-based training system, so that each screener is trained according to their level and abilities, and challenged in their areas of opportunities — “which makes the training tailored to each trainee and also interesting,” Bracceschi said. “Moreover, our XRT4 solution provides single view and multi-view training, and since 2020 has also provided 3D training.”

Over at e-Lectio, “our program is unique in training X-ray screeners, in that it does not only focus on image interpretation skills but also on practicing how to follow security procedures when dealing with suspicious pieces of luggage,” said Matan. In fact, this training program simulates the end-to-end workflow of security screening, including image interpretation, manual checks (of cabin baggage) and comparison between the airway bill and the X-ray image of the consignment (in cargo).

This company also offers a ‘pre-employment module’ that measures the cognitive and visual-perception related abilities of candidates, predicting their readiness to perform the task of an X-ray screener. “Measured capabilities include numerical ability, problem-solving, spotting errors and inconsistencies, accurately reporting own errors, accuracy and rapidity, attention span, ability to differentiate between more relevant and less relevant information, attention to detail, spatial perception, and color blindness,” Matan said.

As for STI? Its OTS online training platform is designed to familiarize trainees with “the art of X-ray image interpretation,” said Stefan. To do this, “the OTS simulators provide an absolutely realistic representation of X-ray images in everyday airport operations,” Henrich said. “In this way, objects can be identified in the best possible way and everyday objects can be reliably distinguished from potential threats.”

STI’s step-by-step training approach to X-ray image interpretation is designed to slowly increase the complexity and level of difficulty for trainees as they develop expertise in this area. “They are supported at their own individual pace,” Henrich said. “In advanced training, they benefit from an adaptive system that is able to adjust independently to the level and progress of the trainees.”

To make this form of computer-based training productive for airport/transport security staff, STI develops a set of five skills, online at a time. They are:

• Skill 1: Detection of the prohibited items, as a whole or in parts.

• Skill 2: Detection in a fast way.

• Skill 3: Detection in different angles.

• Skill 4: Concentrated and observant, as well as a teamplayer.

• Skill 5: To learn and be able to use the X-ray equipment with all the different functions, and to get the best of the X-ray equipment.

The final step in STI’s training process is to have an X-ray screener identify prohibited items in a fast way and methodical approach, when viewed from different angles. To achieve this level of proficiency, “they learn to focus on visual key factors to detect prohibited items, and to be able to recognize manipulated items in a fast manner,” said Henrich. “Trainees also learn how to detect single assembly parts of all kinds of prohibited items, which can be brought together once in the security-restricted areas, by different persons.”

Examples of Training Success

To close this look into the state of computer-based security training, TSI asked these companies to tell us some ‘success stories’.

CASRA was happy to step up to the plate. “In terms of success stories, we receive feedback on detections on a regular basis from our clients, as a research center,” said Bracceschi. As well, CASRA has worked with the International Air Transport Association (IATA) to compile an international cargo screening study to verify the validity of CASRA’s methodology.

“The rationale for the study was a diffuse industry interest in screener’s performance in relation with the use of computer-based training (CBT) to see the value-add generated by CBT,” Bracceschi said. The results were impressive: “The study demonstrated that substantial improvements in cargo screening performance can be achieved (average of +8% detection and -6% false alarms) through individually adaptive online CBT using XRT4 after an average of approximately only eleven hours of training,” she said,

STI has seen similar levels of success from computer-based security training, which is a source of deep pride to Yvonne Henrich. “From the trainer’s point of view, it is fantastic to convey the complex knowledge of aviation security to people from different age groups, different cultures, from different professions, who previously had nothing to do with aviation security,” she said. “All that within a few weeks — teaching persons and screeners to be confident in all kinds of situations. The training gives me the necessary knowledge and the soft skills to have a friendly and self-confident manner towards the customer, and to adapt.”

This kind of success is being proven daily at X-ray screening stations, where STI-trained personnel are detecting all kinds of potentially dangerous items. “Our screeners have successfully found things like butterfly knives, brass knuckles, and shoes with LEDs that were similar in construction to an explosive device,“ said Henrich. “A funny side of the job is finding sex toys in hand luggage. This can be especially funny if you don’t know what they are, and ask the passenger what they are and what they are for.”

As for the future of computer-based security training? “As technology advances so do the methods used by the perpetrators,” said CASRA’s Schwaninger. “Our goal is to provide services and solutions that help the screening officers face current, new and emerging threats.”

In particular, “concealment methods are ever-changing and new types of contraband and illicit goods are smuggled on a regular basis,” he told TSI. “Our approach to training allows us to provide effective and efficient training measures, so that the screening officers are well-equipped to succeed at detecting security threats and illicit goods while reducing response time. And as technology changes and evolves, so do we, as we incorporate such advances in our solution so that when training, the officers face similar challenges to live operations.”

At STI, “we are seeing the following technology advances,” said Stefan. To cope, the company is enhancing its browser-based training solutions to avoid compatibility issues and speed up the installation process, developing software to assist X-ray screeners for their recertifications, and creating more 3D CT training solutions.

All told, the state of computer-based security training is fully-featured, advanced, user friendly, and constantly being updated and modernized. When it comes to training airport and transport security staff, this is a vital, must-have tool for organizations large and small.

The posters explode with vibrant color and tell of exotic locations exclaimed in bright, bold text. Destinations such as Tahiti, Bora Bora, Paris, New Zealand and more line the walls of travel agents, ready to whisk you away to wonderland. How would you get there? Flying in style with TWA, Braniff, and Pan American World Airways, that’s how. This travel was the Golden Age of Flying and spared no expense to pamper you and your family on vacation to paradise.

Julia Lauria-Blum, editor-in-chief of Metropolitan Airport News, headquartered at JFK International Airport in New York, recently penned an article about the Golden Age of Aviation, specifically between the two World Wars. I spent some time with her this week discussing that period and other memorable times in air travel. We discussed the Jet Age, beginning in October 1958 when Pan Am started international service with the Boeing 707. Flying was a privilege reserved for the elite, dressed to the nines and posing for photographs before boarding. Fine accommodations weren’t just for the folks who sat up front. In her piece, Lauria-Blum states, “While First Class was spacious, ‘economy’ seating provided up to six inches more legroom than today.” That would have been nice on my last flight out to Los Angeles.

In those early days, security was an afterthought. With such a limited clientele, aircrew did not face the same risks as they do today. The Federal Aviation Administration (FAA) reviews aviation security measures and adjusts as needed. After 11 September 11, 2001, cockpit security remains at the forefront of safety initiatives. On 14 June, 2023, the FAA announced that they would start requiring a secondary flight deck barrier moving forward. “No pilot should have to worry about an intrusion on the flight deck,” said David Boulter, acting FAA associate administrator for safety. Those days are gone and things have certainly changed. Pilots went from posing for pictures with passengers to being barricaded in the cockpit, protected from them.

Transport Security International ran an article on flight attendant safety in the spring issue of this year. The story offered some excellent solutions that some are doing to help keep the peace in the air. Let’s check in on the other side of the Atlantic and see how EASA and other entities combat the in-flight “Fight Club.”

Unrest is on the rise

The International Air Transport Association (IATA) published an article on June 4, 2023, entitled, “Unruly Passenger Incidents on the Rise.” The piece highlights, “Latest figures show that there was one unruly incident reported for every 568 flights in 2022, up from one per 835 flights in 2021.” Physical abuse incidents during flights showed “an alarming increase of 61% over 2021, occurring once every 17,200 flights.” IATA’s two-pillar strategy calls for two things; regulation and guidance to prevent and de-escalate incidents.

European Union Aviation Safety Agency EASA is tackling the issue of passenger disruption head-on. A recently launched campaign, #notonmyflight, states that unruly passengers threaten flight safety every three hours. The statistics are troubling:

• Unruly passengers threaten the safety of 1,000 flights per year.
• 72% of all incidents involve physical aggression.
• On average, one flight per month forces an emergency landing due to unruly behavior.

EASA even issues a Call to Action on the website: Share if you don’t want to fly with them!

The Current State of Security

International concerns over passenger disruption were prevalent long before the pandemic. In January 2020, the Montréal Protocol 14 (MP14) came into effect. First drafted in 2014, the MP14 amends the Tokyo Convention of 1963, giving jurisdiction concerning incidents committed on board aircraft to the aircraft’s state of registration.

More insights are shared by the European Cockpit Association AISBL (ECA) in a published position paper entitled, “Prevention of Unruly Behavior” which addresses the increase of passenger trouble on flights. The paper begins by citing the International Civil Aviation Organization (ICAO) definition of an unruly passenger as “a passenger who fails to respect the rules of conduct at an airport or on board an aircraft or to follow the instructions of the airport staff or crew members and thereby disturbs the good order and discipline at an airport or on board the aircraft.” Alarmingly, the paper reports that unruly passengers have already often shown unusual or deviant behavior before boarding an aircraft and employees may not have taken appropriate action on the ground. The unruly passenger is allowed to board the airplane.

If an ounce of prevention is worth a pound of cure, they certainly missed the mark. Among the recommendations the paper suggests, prevention and deterrence top the list. Of course, the ideal situation would be to identify potentially disruptive individuals before boarding. While not always the case, airline or country protocol could impact the ability to act on the suspicious party.

Alcohol is frequently involved when disruptions occur. The paper holds generic information concerning alcohol and drugs. In all honesty, common sense covers much of this. To be fair to the ECA, a segment of the flying public does not subscribe to common sense. Some face covering/mask language is outdated, given the lifting of COVID-19 era mandates. Regarding training, the paper does not include specifics but has general intel on the importance of such. Good to know.

Uniform prosecution and worldwide enforcement sometimes fail due to jurisdiction issues. Even when jurisdiction is not an issue, some government entities lack relevant laws or provisions to charge and prosecute disruptors. The paper concludes by urging EU Member States to ratify MP14. The Montreal Protocol 2014 (MP14) amends the Tokyo Convention of 1963, giving jurisdiction over offences committed on board aircraft to the state of registration of the aircraft in question.

The European Business Aviation Association (EBAA) recently held the AIROPS 2023 panel, which included a session entitled, “Member Services Cabin Service: Meeting the Demands of the World’s Most Demanding Clientele.” The panel was moderated by Paul Walsh, senior manager at EBAA. The panel touched on crew safety training requirements for business aviation. One question was, “Are the crew sufficiently protected?” Panelist Caroline Caden, lead cabin crew for TAG Aviation, an aircraft management, charter, maintenance and FBO company, says the answer to that question is complicated. Caden mentioned receiving self-defense training during her time at British Airways (BA); however, it was only during the initial phase, and she never received recurrent training in that area.

“Crew self-defense training is much more critical at the commercial level,” Caden remarked. “In business aviation, we deal with a smaller cross-section of the population and get to know the regular guests and owners.”

“There is sufficient time to vet the clientele before the trip,” Caden stated, in reference to air charter operations. She recalls being nervous about booking a rock-and-roll band, but the lead singer acted lovely and refreshingly and only wanted his afternoon tea. My, how times have changed. When asked about self-defense training for corporate aviation operators, Caden replied that such specific training is welcome if it adds value to the organization.

FORCE Air Defense

The best defense against violence is to stop it before escalation and to gain control of the situation. What happens if you are too late and things are already going south? Well, then you must act and do so with confidence, skill and precision. That sounds easy chatting with friends at sea level, but what about at 30,000 ft while an intoxicated passenger is losing it?

If Stuart Lowe and Kathleen Reid had their way, no flight crew member would feel intimated or scared to engage someone losing their cool on a flight. What makes them so confident in this wish? A combination of mind, body and spirit. They would be happy to show you at a trainer session. FORCE Air Defence teaches self-defense techniques to corporate businesses, specifically in the aviation and transport industries. Lowe and Reid had heard the stories from flight crews and, using their extensive training, adapted the skills they gained during their careers to fit the confines of a tight space aboard aircraft.

FORCE Air Defence designed its training scheme to subdue flight and ground altercations. Their bespoke training courses adapt to a company’s unique operating environment and give the crew the confidence to take on the challenge causing the threat. The owners base training tactics on a defense program called Freestyle Unarmed Combat Ju-Jitsu, comprising techniques from many areas, including krav maga and jiu jitsu.

In a call with Lowe and Reid recently, their passion for safer skies shone through. We spoke of their training session on May 13 and 14, in which the FORCE Air Defence trainers met for their initial training session. This first team of candidates stemmed from all walks of life, but each had baseline knowledge of self-defense and physical restraint tactics. Some backgrounds included the army, Royal Navy, Royal Air Force, Royal Marines, police, special ops, close protection, security, martial arts instructors and sports coaches. A group no one would want to provoke. The “train the trainer” session began by covering defense and restraint moves and moved to perfect the techniques covered, and was followed by delivering the course to the cabin crew and ground staff.

A follow-up session is scheduled for mid–June, during which the training environment evolves from a wide-open area to the narrow confines of an aircraft’s cabin. The inaugural class of FORCE Air Defence will sit for final exams on July 9 and 30. Each candidate will demonstrate the ability to not only perform but will also possess the ability to teach the techniques and have a complete understanding of the processes.

First aid training, risk assessments and a self-study guide accompany the practical in-person training sessions. In the end, two written examinations tie everything together. The total training evolution is approximately 120 hours.

FORCE Air Defence will officially launch at the T-C-Alliance TCA 2023 Training Convention for Aviation from June 21 to 22, 2023, at Area 42 in Brussels, Belgium.

The T-C-Alliance is a collaborative group of subject matter experts from training and consulting organizations. TCA2023 is an event for airlines, airports, NAAs and organizations interested in learning development and innovation within the aviation industry.

Day one of the conference starts with an opening address, then different sessions centered on safety, well-being, inclusion, diversity and equity. Afternoon sessions focus on the next generation of aviation professionals and social impacts within aviation. The second day of the two-day event begins with innovations in learning, service level agreements and an introduction to aviation for new professionals.

During the conference, FORCE Air Defence has an allocated space in front and center of the exhibit hall allowing the team to demonstrate some of their defense and restraint techniques. The FORCE Air Defence team will hold a four-minute demonstration of their maneuvers, countermeasures and tactics each hour at the conference. Personal defense training is easily incorporated into a company’s training protocol and is well worth considering to add another layer of protection for the flight crew, cabin crew and passengers.

In June, the Baton Rouge Metropolitan Airport in Louisiana suffered a cyberattack on its administration system as part of a larger cyberattack by a ransomware group. Flight operations were not affected. In April, the international cyber hacking group Anonymous Sudan claimed credit for website outages of Hartsfield-Jackson Atlanta International Airport and UPS. Both websites were restored within a couple of hours, and both companies stated there was no impact on their operations.

In February, websites for seven German airports were knocked offline by a cyberattack. Affected airports included Dusseldorf, Nuremberg and Dortmund, but other systems were not affected. In September 2022, hackers used a phishing campaign to access personal information of some customers and employees of American Airlines.

This is just a sample of the cyberattacks that target the aviation industry. The scope of the aviation industry that could be affected includes aircraft and all interconnected functions, interfaces and systems, including ground, in-flight and maintenance operations and related processes. These incidents could impact safety, business operations and the company’s reputation. The reach could expand beyond the initial company under attack to its third-party partners.

According to Eurocontrol, a pan-European, civil-military organization dedicated to supporting European aviation, 52 cyber attacks were reported in 2020, 48 attacks in 2021, 78 attacks in 2022 and 27 attacks through May 2023.

How Hackers Find Vulnerabilities

According to cyber security company SOCRadar, there are four primary types of attacks on the aviation industry seen between 2020 and 2022. They are:

• Ransomware: 22%

• Data breach: 18.6%

• Phishing: 15.3%

• DDos (denial-of-service): 7.3%

Another 16% of attack types are unknown or fall into the “other” category. “Other” attacks include a backdoor attack, data theft, hijacks, social media scams and a website bug.

Motivation

When hackers launch cyberattacks, their goals typically fall into one of three categories: money, political and revenge. For many hackers, they want to steal data such as personal information, credit card numbers, passport numbers and other data they can then sell to the highest bidder. In some instances, they hold IT systems hostage until a ransom is paid. Other hackers attack for political reasons or as part of state-sponsored attacks to steal information to weaken other countries. And there are those hackers who have their own reasons for taking revenge against the company.

Another reason? Some hackers attack a company’s environmental records to damage their reputation. Others engage in cyberattacks simply to get credit and elevate their own reputation in the cyber community. And there are others who do it just for fun and excitement.

Challenges for Aviation

Companies throughout the aviation industry are at risk for the next cyberattack. Unfortunately, they also face numerous challenges to implementing effective cyber security to thwart those attacks.

For starters, hackers are finding a variety of ways into aviation systems. These include vulnerable APIs (application programming interfaces, or software), website applications, mobile apps and third-party partners with vulnerable systems.

“As aviation becomes more and more connected, the attack surface for potential cyber threats expands by introducing additional entry points for cyber attackers who are continuously adapting their tactics and techniques to exploit vulnerabilities in the aviation infrastructure, making it crucial to address vulnerabilities proactively,” Dorian Pantea, director of cyber security advisory and assurance for Air Canada, told a June 1 webinar.

That connectivity of systems results in connections in unexpected places of the supply chain, according to William Harvey, head of cyber security assurance and compliance at IAG Tech, a community of IT and digital professionals from the International Airlines Group (IAG).

One example Harvey provided during a June 1 webinar was vending machines at the aviation facility that connect online to notify the vendor when to refill the machines. It’s just one of many systems, third-party and otherwise, that look to connect with the aviation system that often is overlooked. “Not all organizations have necessarily architected their networks to safely have so many different organizations and business equipment using their networks for business-enabling purposes,” he said.

Legacy systems — outdated hardware or software still in use — provide another avenue for hackers to enter aviation systems. Legacy systems were designed without considering advanced cyber threats, making them more susceptible to attacks because there’s a lack of updates, patching and maintenance, Pantea said.

The many different regulations in the aviation industry also present a major hurdle for cyber security. Instead of one clear set of standards, the aviation industry must deal with local, state, federal and international regulations that often vary greatly from regulatory body to regulatory body.

“It depends on where you are,” said Lawrence Baker, managing consultant and aerospace technical lead for NCC Group Transport Practice. “We’re on a journey. Things don’t move that quickly in the aviation industry because there’s a lot of established processes and relationships and so on that need to happen in lockstep to make sure as a global industry that everyone acts in the same manner.”

Some regions are progressing faster than others. For example, in the European Union and the United Kingdom, there are ongoing initiatives involving regulations to improve cyber security, Baker said, but other regions around the world are behind. More collaboration needs to be done across the industry and the globe so there are more consistent and robust cyber regulations for everyone.

For some aviation companies, it all comes down to what Dr. Jeff Hall, principal security consultant and North America aerospace lead for security consultant NCC Group, calls basic cyber hygiene and preparedness, or a lack thereof. “Overall preparedness is not the best,” he said. “They usually have a document on paper of how it will happen, but when you start talking to them and ask if they have exercised their plan, you get a lot of silence.”

When reviewing those compliance documents, some haven’t been reviewed in a few years. Perhaps they don’t have messaging ready for the media. They haven’t practiced their recovery plans and don’t know how to get systems back online.

One reason for this lack of preparedness could be the lack of talent experienced and knowledgeable not only in cyber security but also IT and connectivity specific to the aviation industry.

A final challenge is one of the most difficult to overcome: cost. “Cost can become unmanageable,” Harvey said. According to IMARC Group’s “Aviation Cyber Security Market: Global Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028” report, the global aviation cyber security market size reached $4.3 billion in 2022. That number is expected to reach $6.5 billion by 2028.

How Companies Can Protect Themselves

While the challenges are daunting, there are solutions available to aviation industry members to strengthen their cyber security and protect their entities.

Education

Educating every worker on cyber security is essential to prevention. For example, ongoing education on how to spot suspicious intruders is one way to thwart attacks. Phishing — using legitimate-looking emails, texts and other messages — to induce users to reveal personal information or click on links that unleash malware remains a prominent tool for hackers.

“There’s still going to be somebody who always clicks the link or opens the PDF file without thinking twice because email looks very legitimate,” Hall said. “Everything looks right about it, even the wording, so unless you have the sense in the back of your head like, ‘Maybe I need to check with somebody inside before I click this or open this file,’ but they generally don’t so that’s still the best way in.”

Another option is to put together a cyber security attack response plan and routinely run practice drills in all areas of business operations so every employee understands his or her role in that response and how to implement it. This response plan should also be updated regularly to meet the evolving cyber attacks.

Additional educational opportunities are available through the International Air Transport Association (IATA), which offers in-person and virtual aviation cyber security courses.

Harmonize Regulations

Having a variety of regulations throughout the aviation industry leaves it open to complexities and gaps that lead to vulnerabilities. Therefore, there’s an immediate need for consistent cyber regulations that can only be achieved by collaboration through the aviation industry. That goal requires all regulatory bodies to come together to create universal standards that can be applied across the globe by every industry member. How to reach that goal remains a challenge that will continue to take time.

Transparency

Bringing awareness to all aspects of cyber security is a key way to ward off cyber attacks. “There’s generally a lack of trust to share risk information with aviation stakeholders,” said Brian Brown, senior cyber security engineer — aircraft for Atlas Air, told a June 1 webinar. This goes beyond just threats or attacks to include information on systems.

“The aviation industry sharing cyber security-related information such as threat intel, best practices and incident data enables all the stakeholders in the industry and the ecosystem to stay informed about the emerging threats, risks and vulnerabilities,” Pantea said. “This leads to robust cyber security strategies and proactive defenses to strengthen all stakeholders.”

Invest in Training

Training current employees on the cyber security is imperative to protect systems and effectively respond if a cyber attack occurs. One way to do this is to perform awareness sessions on cyber security on a regular basis in every department of the company.

It’s also important to bring in cyber security experts who are knowledgeable about aviation IT and systems. In addition to training cyber security experts on this technology today, members of the aviation industry can help train future cyber security experts.

Pantea recommends partnering with academia to develop these programs so students going into the aviation industry are learning about cyber security before they graduate. He also suggests getting as many interns as possible to learn cyber security skills in a real work environment.

Incorporating cyber security training organically within the industry will be especially effective because those persons already understand how the aviation industry works.

Third-Party Partners

Any third parties connected to your company’s systems must be equally vigilant about cyber security to prevent attacks through their systems. “The aviation sector is quite unique in the amount of dependency that each aviation organization has on each other,” Baker said. “It’s a web of transnational organizations that have to trust each other, and historically that’s worked fine. Cyber security has really rocked the boat, and now those relationships are being tested and exploited.”

Aviation companies must meet with those third-party partners to discuss vulnerabilities, possible solutions, and, of course, the budget to implement cyber security processes and protections. It’s important that both parties understand the risks involved by connecting systems and work together to manage cyber security. By working together, cyber security becomes ingrained from the onset of the relationship, benefiting all involved.

Become Cyber Resilient

When a company is cyber resilient, they can effectively participate, recover and adapt to the challenges of cyber security. “In summary, the real thing to take away from this is to think resilience and not security,” Baker said. “No defense is perfect. You need to think about what’s going to happen when it goes wrong and how can I learn from lessons of the past. How can I test for when the worst happens and recover from that situation so that I’m a resilient organization?”

Being able to fight through a cyberattack and retain functionality is key to strengthening not only individual aviation companies but the entire aviation industry as a whole.

The editor’s note in Transport Security International’s winter 2022 edition struck a chord. Joy Finnegan’s words about the enormous and enduring human impact of attacks on civil aviation quickly led me to reflect on the massive change I have witnessed during a career in national and international aviation security strategy, policy-making, operations, oversight and crisis response.

I have learned firsthand that acts of unlawful interference against civil aviation are transformative in shaping the steady evolution of priorities, policies, measures and culture. Unfortunately, a hastily drawn conclusion about that evolution has become pervasive and must be put right.

Events Have Driven Transformation

On June 23, 1985, Air India flight 182 was sabotaged using an improvised explosive device contained in checked baggage. Three hundred and twenty-nine people perished. The same day, an explosive device in checked baggage unloaded from Canadian Pacific flight 003 detonated on the ramp at Narita Airport killing two persons. In both cases, the checked baggage originated from airports in Canada.

Immediately and through successive waves aviation security measures in Canada were enhanced. Passengers, carry-on and checked baggage, and cargo were subject to strengthened screening. Airports doubled down on access control. A comprehensive review of the entire national civil aviation security program was carried out and recommendations were implemented. Twenty-five years later, a four-year Commission of Inquiry produced more recommendations to address gaps in Canadian security and intelligence arrangements.

At the international level, Canada spearheaded efforts to amend International Civil Aviation Organization Annex 17 Standards and Recommended Practices. These culminated in the adoption on May 19, 1985, of the ground-breaking global Standard requiring the matching of checked baggage with passengers on each flight. In the years that followed, operational experience resulted in more effective, better defined and documented implementation practices. It was the first aviation security measure focused directly on countering the sabotage of aircraft in flight. These advances made reconciliation a matter of routine and ended the awkward manual matching of passengers with their checked baggage on the ramp when necessary because of the threat.

At the same time, research and development of explosive vapor detection technology was coming to fruition. Accelerated by a new sense of urgency about the threat of sabotage to aircraft in flight, promising new technologies were brought into service. And thus began a marked and intensified shift toward greater reliance on advanced scientific and engineering solutions to secure civil aviation far beyond the capability of early-generation metal detection and baggage X-ray systems.

A similar progression of transformational change followed the downing of Pan Am flight 103 on December 21, 1988, over Lockerbie, Scotland. The United Kingdom adopted a multi-point plan to enhance aviation security in the U.K.. Using many of the same elements, the U.K. successfully lead international efforts to make regional and global aviation security frameworks much more robust.

The long-term relevance of the U.K.’s campaign and the practical results from policy-making have been made clear. For instance, current international and national frameworks for air cargo security trace their origin back to the U.K.’s recognition of the need to address security throughout the air cargo supply chain, not just in cargo facilities located at or adjacent to airports and while being transferred and loaded. The measures adopted also provided the groundwork for further strengthening air cargo security immediately following the intercepted printer cartridge bomb attacks targeting U.S.-bound aircraft in October 2012.

And the list goes on: restrictions on the carriage of liquids, aerosols and gels followed a failed plot to bomb aircraft over the North Atlantic in 2006; and new security measures for footwear followed the December 2001 shoe bomber attack.

Perhaps best known are the massive changes to aviation security globally following the attacks on September 11, 2001: governance and structural changes like the establishment of the United States Department of Homeland Security, the Transportation Security Administration and the Canadian Air Transport Security Authority; massive investments in technology and personnel worldwide; the introduction in many jurisdictions of new public finance arrangements for aviation security; and mandatory screening of checked baggage. That is just a small sample.

Following 9/11, transformation came also to maritime transport security through the International Maritime Organization’s adoption of the International Ship and Port Facility Security Code.

Transformation or Reaction?

The enhancement of security following acts of unlawful interference with civil aviation is a pattern. That is undeniable. When the pattern became widely recognized a conclusion reached by many — and regularly restated — was that aviation security has been reactive and not proactive. Commentators were quick to judge changes in security measures, institutional arrangements, governance and other shifts as reactions to attacks rather than things that should have been done wisely in advance to help prevent attacks.

Concluding that security has been reactive was probably a natural point to reach aided by the clarity of hindsight in connecting security information/intelligence to attacks and the wish that if only things had been done differently tragedies could have been averted. It has also been an opinion offered, with good intentions, by professionals to create some distance between how security arrangements have been done and how they should be done.

But the fact is, unfortunately, not everything can be predicted, even in the best circumstances. This remains a pressing challenge for aviation security and a truth quickly glossed over.

Consider that since 1986 International Civil Aviation Organization Annex 17 Standards have required each State keep under constant review the level of threat within its territory and adjust relevant elements of its national civil aviation security program accordingly. This requirement was originally framed and recommended by technical experts who understood that gaps and failures in even the most comprehensive systems could arise and be exploited, and not all means of attack could be anticipated. The Standard inherently acknowledged that unlawful interference would be attempted and, where it is, adjustment must be a first principle.

Absolutely fundamental to an accurate narrative about the transformation of aviation security over time is a recognition that most, if not all, significant achievements have been possible because of prolonged international cooperation. Civil aviation is a dynamic global ecosystem of jurisdictions, airlines, airports, manufacturers, labor, consumers and more. Cooperation — even in the most difficult times — has been a key feature of the context in which positive change has been made.

For example, differences in perceived security needs because of differences in aviation security threat assessment once frustrated necessary consensus building. Through cooperation, threat assessment has given way in recent years to comprehensive risk assessment using standardized vocabulary and methodology.

Risk assessment, when properly executed, more satisfactorily acknowledges and helps legitimize dissimilarity in national and regional approaches to aviation security. This important shift came about because change from analysis of threat to the more holistic analysis of risk evolved over decades. Risk assessment has generated a higher level of mutual confidence in decisions about security priorities and the allocation of scarce resources to mitigate risk.

The narrative on transformation must also acknowledge that supporting the efficiency of air transport is imperative. While critics may choose to highlight inefficiencies caused by aviation security and “failed” efforts to prevent attacks, they must also recognize the scale and scope of the challenge when applying security measures to local, national and global civil aviation systems. The development of security measures has been aided by constructive debate and experience that takes facilitation into account. It has not been an endless series of one-time, hasty reactions.

The evolution of aviation security since its earliest days has been complex and methodical, and cannot justly be described as reactive. I believe we do a disservice by tersely speaking about it as reactive. Doing so ignores the steady and deliberate progression of security as a cornerstone of civil aviation and unnecessarily diminishes processes, decisions, investments and trust that have been built up over many years of intense effort. Everything has happened in a context. The history of aviation security is best described as one of transformative events, not just simple reactions. There is an important distinction.

What Have We Learned?

Knowing as we do that transformative events lead to change, the task falls to professionals to be prepared. Preparation, of course, involves the vast range of responses to manage through a crisis event. At a point in time, depending on the nature, proximity or characteristics of the event, or a new/emerging risk, decision makers will need plans on what to do next. Creating such a plan hastily in the wake of an event can be a massive and precarious task because of all other priorities, organizational fatigue, insufficient capacity, lack of or hurried analysis, and a host of other challenges.

Instead, having a transformation plan always in progress that is ready for the assessment of rapidly developing risks, reallocation of responsibilities, realignment of priorities, corporate reporting, rapid decision making, scaling up and scaling down security measures, the acquisition of equipment, new training, establishment of task teams, interaction with stakeholders and partners, public communications, etc., is ideal. In other words, be well positioned for transformation. The prospect of transformation highlights the need to keep working on tomorrow’s needs today.

James Marriott began his career at Transport Canada shortly before the Air India tragedy in 1985. He progressed to the executive level through positions of increasing responsibility for aviation, maritime and land transportation security. In 2010 he joined the International Civil Aviation Organization as Chief, Aviation Security and Facilitation where he led policy and standards development (Annexes 11 and 17), the Universal Security Audit Program and international development assistance. He is currently president, James Marriott Consulting.