The consensus of security authorities familiar with general aviation paints a picture of a transportation mode low down on the list of likely terror attacks. The political impact of employing a private plane falls far below that of another attack involving an airliner- they contend. And despite the political noise made about the possible use of misidentified “unsecured” private aircraft- the damage potential of private planes also lags. ...
O&D vigilance required at all times.
The consensus of security authorities familiar with general aviation paints a picture of a transportation mode low down on the list of likely terror attacks. The political impact of employing a private plane falls far below that of another attack involving an airliner- they contend. And despite the political noise made about the possible use of misidentified “unsecured” private aircraft- the damage potential of private planes also lags.
It’s simple physics. The lower mass of the typical private aerial conveyance so trails the much-larger mass of a commercial aircraft- that the kinetic energy can’t begin to compare. As for packing a private plane full of explosives and flying it into a prime target- well- first you have to steal the airplane.
And an easily obtainable rental truck can carry far more potential for destruction than the typical private plane- piston- propjet or turbojet. That said- business aviation and the larger community of private flying retain the relative degree of freedom they enjoy because these communities educated security authorities on their ability to secure their own assets without the direct hand of government enforcing a ‘one-size-fits-all’ solution.
These communities accomplished this through a combination of self-discipline- applying best practices to the need for securing operations- and an elevated awareness of the need that’s translated into more use of security methods and specialists in and out of corporate flight departments.
The government has created regulations for the operation of some business aircraft weighing more than 12-500 pounds- but that was in consultation with the business aviation community. For the community using private aircraft for business and personal travel- the threat of being hijacked is but one concern.
Experts stress that the growth in use of business aircraft to access new- more remote areas- a higher degree of recognition of the financial importance of executives traveling by private aircraft- and an expansion in ways to track aircraft movements has attracted the attention of terrorists as well as criminals with more economic intentions.
Bombings- sabotage- or ground attacks on the aircraft are other ways in which security analysts warn that business aviation could be a target. The potential for kidnapping of high-value passengers is another possible concern- particularly in some international locales. So- the experts say- the smartest operators undertake their own security processes.
That’s the position of one expert- Matt Burdette chief of the intelligence division of ASI Group- which specializes in global risk management services. Burdette presented his views to more than 500 participants of the 2007 Bombardier Safety Standdown in Wichita last October.
He began his overview on international security with this observation: “Professional soldiers are predictable - but the world is full of amateurs.” Nevertheless- international destinations aren’t the only risky locales. Even some domestic destinations can involve risks to personnel. So the security-wise company today takes a proactive attitude toward security instead of the reactive approach of the first 12 to 18 months following the 9/11 attacks.
Vulnerability According to Burdette- threats to aircraft- crew and passengers are guided by one of two approaches: the standing threat pattern and the attack of opportunity. The length of time an aircraft is shut and unattended can influence both approaches.
Anytime someone ignores smart practices for even a brief period can leave the system vulnerable. It takes only a moment for the opportunistic threat to occur. And if personnel stick with the system- they can preclude both the opportunistic threat as well as those more calculated.
Steps to reduce exposure can be simple- common sense ones. For example- minimizing the number of people who know when you lock up and leave the aircraft can help mitigate a threat under either approach. So can knowing all the people involved in a flight.
Positively identifying as the correct person any passengers not known to the crew or other known passengers- can help protect against infiltration by an individual with hostile intent.
Avoiding complacency pays
In some environments- it’s easy to inadvertently expose information through casual conversation or a cavalier approach to handling travel information and flight plans. So avoiding unnecessary dissemination of travel plans- itinerary- or the identities of personnel traveling is another way to avoid becoming an easy target. Just because nothing untoward has happened in the past is no reason to ignore the issue or to use old procedures without an audit or challenge to their effectiveness.
An audit or an examination of past practices may reveal mistakes that have gone unnoticed or procedures that could be made more useful. The important thing- Burdette noted- is to examine what works- what’s right- what doesn’t work and isn’t right – and then correcting the weak areas. And this process of testing and re-evaluating the established system should- itself- be a part of the security thinking. Few things work so innocuously as a complacent attitude because the need for protection isn’t obvious.
Simple steps make effective solutions
Some steps toward securing the corporate operation can be as simple as providing coded identification for flight-department staff or others with access to hangars- shops and ramps and make a standing threat less so. Controlling facilities access with a monitor – human or otherwise – can help reduce or eliminate the prospect of an attack of opportunity- or strangers passing through to gather information for a planned event. “Issuing a dedicated pass to passengers that must match up with a manifest in the flight crew’s possession can help protect against a ‘ringer’ slipping through in place of a passenger from outside the company-” noted one security auditor for several business aviation clients. “Of course- a photo ID should be considered a must for confirming that everybody with a company ‘boarding’ pass is- in fact- who they claim to be.”
For international flights- of course- the passport is a must; for domestic travel a passport can still serve as a method for identifying passengers. “But to be even more sure- passengers and crew should have to produce at least two forms of photo ID- with at least one a government-issued document such as a passport or driver’s license.”
Within another few years- FAA-issued pilot licenses will also carry a photo to ID the holder; today- pilots and mechanics holding the old-style photo-deprived certificates must also show another government-issued photo ID if demanded by law enforcement or FAA inspectors – and it’s not a bad idea for FBO and airport personnel to consider whenever there’s a question about a person.
Nothing is forever?
The last thing a company needs- though- is to become predictable - and leaving a system in place too long without variation can provide an opening to those with hostile intent.
First- periodic challenges to the system should be considered a Standard Operating Procedure (SOP) to assure both the use of existing processes and to weigh their effectiveness. Periodically- but not predictably- changing some aspects of the security system can help mitigate both standing and opportunistic threats- say security officials who do contract work for business aviation clients. “If a security- or control-gate’s access code has been the same for more than a month- it should be changed - weekly might be a little much- but no more than a month-” noted our security contractor.
If a company-issued flight or ramp pass is employed- its look and identifying marks should also be varied on a regular basis- or maybe the color paper on which it’s printed. If a verbal password and confirmation word are employed to confirm an identity in phone or e-mail communications- those words- too- should be periodically changed. “There’s no point in giving the bad guys a chance to detect weaknesses or exploitable aspects by simple observation or through intercepted communications-” noted a retired law-enforcement pilot who now provides private security audits. “Nothing is forever and a patient observer will eventually detect a pattern- a weakness and opportunity- and go to work to exploit it.”
Burdette added- “Any measure can eventually be defeated- but the more secure the measure- the more time it will take.”
Our security auditor continued: “Avoid making any changes- upgrades or tests- on a discernable schedule- lest the bad guys pick up on that pattern and exploit the established rhythm.”
To make the bad guy’s task harder- the best security systems employ multiple layers or multiple points of challenge. Broaching any part of the system must be time consuming enough to allow detection and activation of a response- Burdette stressed. It does little good if the threatening person can get past the protection and do their damage before anyone knows or can react to the breach. “That kind of system is the functional equivalent of no protection at all-” remarked our retired law enforcement pilot. “It may make people feel like something’s being done- but unless it functions to stop the threat- you’re counting on luck to prevent a tragedy.”
Safety on the ground
Of course- the company airplane or the high-value passengers aren’t only subject to risk when traveling in remote areas and internationally. In some major cities in and out of the U.S.- certain neighborhoods pose higher risks than others; sometimes just getting between the airport and the hotel can present risks in some of those cities. While professional security experts can help provide an assessment of destination cities- short of using bodyguards- flight crew can be exposed once they leave the security of the airport FBO. And what crew members often carry could provide useful information to terrorists or criminals bent on exacting physical or economic damage. The theft of a pilot’s chart bag with his EFB and notebook computer could provide movement information- and a window into existing- repeated travel patterns and future plans. As strangers in a strange land- both crew and passengers make an attractive target to criminals interested in jewelry- iPods or cameras – threats with the potential to hurt someone getting what they want.
Staying together can be a hedge against becoming a victim of an opportunistic thief or mugger. But in some cities- organized bands of pickpockets and petty thieves can carve out a victim from a crowd and complete a mugging in a short time – possibly injuring the victim with small knives or razors in the process- or maybe blacking an eye or breaking a wrist.
Learning where- and where not to go should be a part of the standard security preparations for travel into new- unfamiliar territory – or known territory with an established risk element. Bars and restaurants can be locations ripe with potential victims- particularly if diners or drinkers flash cash- expensive watches or cameras- electronics or computers – even the good-old credit card.
“Having a credit card- wallet or passport stolen overseas can lead to all sorts of problems- including the use of documents to create forged IDs for bad guys-” noted our retired law-enforcement pilot. “The best defense is to be as unobtrusive as possible and avoid attracting any attention – or- at least- as little attention as a stranger can get away with.”
Blocking the trackers?
One useful method for tracking company flights for security purposes involves using one of the many ATC-based flight-tracking services available on the Internet or in-cockpit technology that uplinks aircraft progress data to a secure website.
Note that last method – a secure website. This approach also typically allows datalink communications directly between the tracked aircraft and the tracker- regardless of their locations. But steps should be employed to protect the access to codes for these services- lest others find a way to figuratively look over the shoulder of the valid tracker.
As for those public and private services that employ a composite of ATC data of IFR flight plans- well- there are ways to opt out- depending on the service used. By contracting with some private sources- the aircraft’s information can be blocked to everyone except those with a password to access the data – with limits on who or how many can access the data. This will help shield the public movement of a private aircraft to the public in general; but remember the cautionary above.
No system will work all the time in all circumstances – not where bad people are willing to spend time to defeat any countermeasures. And the best hedge against even the dedicated threat lies in varying routines and changing access codes. The best you can do…
The best you can do can ultimately be undone by a devoted- motivated criminal or terrorist. But at the end of the day- the threat of detection or capture presented by a formidable set of security measures can serve to make the bad guy move on in search of an easier target.
As business aviation continues to develop- embrace and employ good security practices- the bad guys will find ever fewer weak spots to exploit. And in the end- the business aviation community can shoot for no better outcome than being so unattractive that the bad guys just move on to another type of target.