Biometrics and Aviation: Opportunities and Challenges Ben Rothke, CISSP, SITA Level 3 Senior Security Consultant BT Professional Services
About Me Ben Rothke, CISSP, CISM, SITA L3 Senior Security Consultant – BT Professional Services Previously with AXA Equitable, Baltimore Technologies, Ernst & Young, Citibank. Have worked in the information technology sector since 1988 and information security since 1994 Frequent writer and speaker Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)
Agenda How to make biometrics work in the aviation sector Not an introduction to biometrics Overview of authentication Starting point for biometric roll-out Not a monologue  Ask a question, make a comment, etc.
Key Biometrics Takeaways Powerful and effective technology – must know: What your specific security issues are How you expect biometric technology to solve them Not security silver bullet or plug and play Project management and methodology essential Successful deployments Small-scale, closed-loop applications Start small Gain successes Grow biometric rollout
People, Processes and Technology Successful implementation of biometric technology solution depends not just on performance but:  Operational processes that employ the technology  People who execute processes Biometric technology just piece of overall decision support system First decision: whether to issue ID Second decision: whether to admit (made at entry point) Biometrics can play role in both
Biometrics Standard definition: Technology that confirms a person’s identity by comparing patterns of physical characteristics in real-time against enrolled computer records of those patterns. Alternate definition: A way to blow your budget on an ill-conceived and poorly defined authentication project Security treadmill designed to gather dust
Why Do We Need Authentication?
Biometric Authentication, not Identification. Identification: one-to-many match; used by law enforcement to identify criminals; identify qualified recipients for benefit programs; registration systems for voting, licensing drivers, etc. Authentication: one-to-one match; live biometric presented by user; compared to stored sample previously given by that individual during enrollment; match then confirmed or rejected.
Airport Biometric Success Story Ben Gurion International Airport (TLV) Technological upgrades can work wonders for efficiency and dramatically improve travelers’ moods. Israelis flying out of TLV undergo biometric handprint check that speeds them through passport control in five seconds. Most airports can’t regulate behavior of passport control agents and security officers, who are usually not airport employees. Israel Airports Authority does, and invests a lot of time and money in keeping the security screening process short and courteous without sacrificing quality. “Security doesn't mean that you have to be rude to somebody” - Zeev Sarig, managing director at TLV. 3Q06 - the first time TLV was surveyed, it placed first out of 40 European airports and fifth among 77 worldwide.
Other airport biometric success stories SFO & TOL Hand geometry devices in conjunction with ID cards to protect secure areas of airport (tarmac and loading gates) ORD Fingerprint biometrics for increasing speed and security for cargo truck drivers CLT Pilot program using iris recognition to verify employees entering secure areas TLV Hand geometry to speed people through customs KEF Face recognition for surveillance applications
Airport Biometric Horror Stories Rash of airports/airfields hastily deployed biometrics  Especially post 9/11 Lack of evaluation methodology Lack of integration Lack of documentation Lack of capability of the technology and/or vendor Lots of congressmen creating bills Airports, airlines, vendors, SI, government agencies contacting FAA to offer services for demonstrations/ installations of biometric technology Budgets blown, projects terminated, nothing gained
GAO on Biometrics in Aviation Effective security cannot be achieved by relying on technology alone. Technology and people must work together as part of an overall security process.  Weaknesses in any of these areas diminish the effectiveness of the security process.  Security process needs to account for limitations in biometric technology. GAO Report:  Aviation Security - Challenges in Using Biometric Technologies   www.gao.gov/new.items/d04785t.pdf
Using Biometrics for Aviation Security FAA, DHS and TSA examining use of biometrics for aviation security for several years  2001 - FAA and DoD Counterdrug Technology Development Program Office co-chaired the Aviation Security Biometrics Working Group (ASBWG) Examined use of biometrics in 4 aviation security applications:  Identity verification of employees Protection of public areas in and around airports Identity verification of passengers boarding aircraft Identity verification of flight crews prior to and during a flight.
Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004 Title IV – Transportation Security, Section 4011 – Provision for the Use of Biometric or Other Technology , directs TSA to “issue, not later than March 31, 2005, guidance for use of biometric technology in airport access control systems.”  TSA encourages airport operators to use this guidance document to improve upon their existing access control systems by incorporating biometric technologies.
IRTPA - section 4011(a)(5) Directs TSA Asst. Secretary, with representatives of the aviation industry, biometric identifier industry and NIST to issue guidance to establish, at minimum: (A) comprehensive technical & operational system requirements and performance standards for the use of biometric identifier technology in airport access control systems (including airport perimeter access control systems) to ensure that the biometric identifier systems are effective, reliable, and secure. (B) list of products and vendors that meet the requirements and standards set forth in sub paragraph (A) (C) procedures for implementing biometric identifier systems to ensure that individuals do not use an assumed identity to enroll in a biometric identifier system and to resolve failures to enroll, false matches, and false non-matches (D) best practices for incorporating biometric identifier technology into airport access control systems in the most effective manner, including a process to best utilize existing airport access control systems, facilities, and equipment and existing data networks connecting airports.
Regulations Governing Airport Security Title 49 CFR Chapter 12,  Part 1542: Airport Security  - requires airport operators to: Adopt and carry out security program approved by TSA  Include in its security program: Establish secured area – Air Operations Area (AOA) and/or Security Identification Display Area (SIDA) Control entry into the secure area via access control systems Perform access control functions required and procedures to control movement within secured area, including identification media Majority of US airports subject to Part 1542 regulations Few have access control systems with biometrics, some of which were implemented through TSA pilot programs at a limited number of access points.
Transportation Worker Identification Credential (TWIC) Established by Congress via Maritime Transportation Security Act (MTSA) Administered by the TSA and U.S. Coast Guard.  TWICs are tamper-resistant biometric credentials Issued to workers who require unescorted access to secure areas of ports, vessels, outer continental shelf facilities and all credentialed merchant mariners.  Expect 750,000+ workers, including longshoremen, truckers, port employees and others, will be required to obtain TWIC.
TWIC Enrollment / issuance began at Port of Wilmington, DE October 2007 and will continue through 2008  Obtaining TWIC Individual provides biographic and biometric information, digital photograph, successfully passes TSA security threat assessment Pre-enrollment saves applicant time Enables them to provide biographical information and make appointment for in-person enrollment. Currently, no regulatory requirements pertaining to use of TWIC readers Initial testing and evaluation of TWIC readers will begin in 2008 as part of TSA pilot phase
Strategic Biometric Planning [Diagram: Effective Biometric Deployment Strategy. Labelled elements: Define Drivers, Requirements, Regulatory, Risk Modeling, Legacy apps, Evaluation/Testing, Dev., Implementation, Deployment, Training, Awareness, Audit]
Biometric Requirements Universality Every person must have this characteristic Uniqueness Two people unlikely to share this characteristic Height, weight, hair and eye color clearly not unique Permanence  Characteristic must be available over long term Collectability Must be easy and unobtrusive to obtain
Biometric Requirements, cont. Performance Accuracy, speed, and robustness of technology used  Non-circumvention Inability to bypass User acceptance Degree of technology approval  Ensure in advance that user base is not offended
Important Features of Biometric Technologies Source: Registered Traveler Program Policy and Implementation Issues http://www.gao.gov/new.items/d03253.pdf

| Technology characteristic | Fingerprint | Iris | Facial | Hand |
|---|---|---|---|---|
| How it works | Captures and compares fingertip patterns | Captures and compares iris patterns | Captures and compares facial patterns | Measures and compares dimensions of hand and fingers |
| Cost of device | Low | High | Moderate | Moderate |
| Enrollment time | 3 minutes, 30 seconds | 2 minutes, 15 seconds | About 3 minutes | About 1 minute |
| Transaction time | 9 to 19 seconds | 12 seconds | 10 seconds | 6 to 10 seconds |
| False non-match rate | .2%–36% | 1.9%–6% | 3.3%–70% | 0%–5% |
| False match rate | 0%–8% | Less than 1% | 0.3%–5% | 0%–2.1% |
| User acceptance issues | Associated with law enforcement, hygiene concerns | User resistance, usage difficulty | Potential for privacy misuse | Hygiene concerns |
| Factors affecting performance | Dirty, dry, or worn fingertips | Poor eyesight, glare, or reflections | Lighting, orientation of face, and sunglasses | Hand injuries, arthritis, swelling |
| Demonstrated vulnerability | Artificial fingers, reactivated latent prints | High-resolution picture of iris | Notebook computer with digital photographs | None |
| Variability with age | Stable | Stable | Affected by aging | Stable |
| Commercial availability since | 1970s | 1997 | 1990s | 1970s |
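
An added illustration, not part of the original slides, of the one-to-one versus one-to-many distinction from the "Authentication, not Identification" slide and of why the false match rates in the table above matter more for one-to-many search. The badge IDs, feature vectors, samples and threshold are constructed for the example, and the compounding formula assumes each comparison is an independent trial.

```python
import math

# Constructed enrolled templates: badge ID -> normalised feature vector
# (think of four hand-geometry measurements). All values are invented.
ENROLLED = {
    "badge-1001": (0.62, 0.48, 0.91, 0.35),
    "badge-1002": (0.58, 0.52, 0.77, 0.41),
    "badge-1003": (0.71, 0.39, 0.85, 0.30),
    "badge-1004": (0.45, 0.60, 0.70, 0.52),
}

# Constructed live samples.
GENUINE_SAMPLE = (0.63, 0.47, 0.90, 0.36)   # holder of badge-1001
OUTSIDER_SAMPLE = (0.66, 0.44, 0.82, 0.34)  # person who never enrolled

THRESHOLD = 0.10  # hypothetical match threshold (maximum accepted distance)


def verify(claimed_id, live_sample, threshold=THRESHOLD):
    """Authentication (1:1): compare only against the claimed identity."""
    template = ENROLLED.get(claimed_id)
    if template is None:
        return False  # unknown credential: reject, never fall back to search
    return math.dist(template, live_sample) <= threshold


def identify(live_sample, threshold=THRESHOLD):
    """Identification (1:N): search every template, nearest match first."""
    scored = sorted(
        (math.dist(template, live_sample), badge_id)
        for badge_id, template in ENROLLED.items()
    )
    return [badge_id for dist, badge_id in scored if dist <= threshold]


def search_false_match_probability(fmr, gallery_size):
    """Chance that an unenrolled person matches at least one of
    `gallery_size` templates, given a per-comparison false match rate.
    Assumes comparisons are independent trials."""
    if not 0.0 <= fmr <= 1.0 or gallery_size < 0:
        raise ValueError("fmr must be in [0, 1] and gallery_size >= 0")
    return 1.0 - (1.0 - fmr) ** gallery_size


def demo():
    return {
        # The enrolled user passes both modes.
        "genuine_verify": verify("badge-1001", GENUINE_SAMPLE),
        "genuine_identify": identify(GENUINE_SAMPLE),
        # The outsider presenting badge-1001 is rejected at 1:1 ...
        "outsider_verify": verify("badge-1001", OUTSIDER_SAMPLE),
        # ... but an open search finds some other template close enough.
        "outsider_identify": identify(OUTSIDER_SAMPLE),
        # Upper-bound hand-geometry false match rate from the table (2.1%)
        # applied to a single comparison and to a 100-template search.
        "fm_prob_1": search_false_match_probability(0.021, 1),
        "fm_prob_100": search_false_match_probability(0.021, 100),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The outsider fails the one-to-one check against the claimed badge but still lands inside the threshold of a different template during the one-to-many search, which is the practical reason access control pairs the biometric with an ID card or badge.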
Leading and Emerging Biometric Technologies  Leading Facial recognition Fingerprint recognition Hand geometry Iris recognition Retina recognition Signature recognition Voice recognition Emerging Vein scan/vascular Facial thermography DNA matching  Odor sensing Blood pulse measurement Skin pattern recognition  Nailbed identification Gait recognition Ear shape recognition
Risk Management and Biometrics. What am I protecting? Identify assets that must be protected and the impact of their potential loss. Who are my adversaries? Intent and capability of the adversary are the principal criteria for establishing degree of threat to assets. How am I vulnerable? Identify and characterize vulnerabilities that allow identified threats to be realized. What weaknesses allow a security breach? What are my priorities? Risk must be assessed and priorities determined for protecting assets. Risk assessment examines the potential for loss or damage to an asset. Risk levels are established by assessing impact of loss or damage, threats to the asset, and vulnerabilities. What can I do? Identify countermeasures to reduce or eliminate risks. Countermeasures' advantages weighed against their disadvantages/costs.
Keep Asking Lots of Questions Does the system have clearly and narrowly defined purpose? Who will use the system? Have the potential system capabilities been evaluated? Has there been an evaluation of range of alternative choices? What types of information will be available through biometric? Will biometric information be used as universal unique identifier? Will storage of biometric information include extraneous information? Will the system store original biometric data?
Biometric Reality 10% technology; 90% policy and management Must deploy with effective methodology Project planning is key
End-user Resistance Most complaints are concerns over unknown Privacy Hygiene Union / employee groups resisting change Fingerprints taken only when accused of a crime Consumer and end-user resistance can sink even best technology. Be prepared!
Many People Can’t be Fingerprinted Thin skin, including those who have it as part of genetic makeup Use cleaning chemicals extensively Prescription drugs that slightly thin the skin while treating various autoimmune ailments.  Finger injuries, even a knife scrape, can result in prints becoming either unreadable or altered, and lead to system rejection People whose fingers have limited movement Elderly population / construction workers have difficulty enrolling Faded fingerprints prevent man from working at nuclear power plant -  www.freerepublic.com/focus/f-news/1048051/posts
End-User Education Deployment most effective and flows smoothly when you educate users  before  roll-out Users need  clear  instructions on how to log in Encourage users to read online help Let users know that their biometric images will  not  be stored Only specific features of the biometric are obtained and stored Data can’t be reverted to actual biometric images
Why Biometric Roll-outs Fail Not enough servers to support deployment Lack of legacy support Adequate response times not established No pilot testing No documentation, processes or procedures Ineffective training Attempting too large initial roll-out BR/DRP not designed into program Lack of project management/project manager Especially around user enrollment
Making Biometrics Work Know what your problem is What is specific security problem and how can biometric solution solve it? Start with simple question: What is my objective? If you can’t answer these questions, your biometric initiative will fail Start small Gain small victories Grow the program Don’t think of trying a huge enterprise rollout
No Biometric is Suitable for Every Situation Hand geometry requires least data storage Fingerprint and iris recognition have lowest error rates Facial recognition is easiest to use Each technology has limitations: 2%-5% of people cannot be easily fingerprinted  Facial recognition systems have not performed particularly well in independent testing.  Iris recognition is relatively new technology and has not been used in any large operational application
Key Considerations Decide how technology will be used Conduct detailed cost-benefit analysis to determine that benefits gained outweigh costs Conduct trade-off analysis between increased security, which biometrics provides, and effect on privacy and convenience
Business,  not  technology Business, not technical challenges Biometrics are for most part stable and mature Real challenges are: Meeting business requirements Integrating into applications Producing documentation to deliver trust Management and reliability Planning and deployment Managing migration and scalability
Effective Roll-out Methodology Must be deployed in strict, methodical fashion Take following items into consideration: Authentication strategy High-level direction and commitment Technology architecture Baseline controls Standards Policies Processes Budget Political and cultural issues Physiological vs. behavioral biometric requirements Implementation details Workflow Practice statements Mechanisms Testing Logging  Training Roles and Responsibilities Staff Backup plans
Biometric Success Metrics Delivers real business benefits Deployed in timely and cost-effective manner Secure and provides trust Reliable and easy to use Can be managed Can evolve and scale Cost effective Supports regulatory efforts
TSA Qualified Products List (QPL) TSA and NIST create standards to evaluate biometric sub-systems for inclusion on the QPL In some cases a device that does not meet all the criteria and standards may be approved for placement on the list if TSA believes its performance will be comparable to devices that meet the criteria and standards.
References GAO Report  Aviation Security -  Challenges in Using Biometric Technologies www.gao.gov/new.items/d04785t.pdf   Aviation Security Biometrics Working Group www.biometricscatalog.org/asbwg   Recommended Security Guidelines for Airport Planning, Design and Construction www.tsa.gov/assets/pdf/airport_security_design_guidelines.pdf   Using Biometrics for Border Security www.gao.gov/new.items/d03174.pdf
Resources International Biometric Industry Association  www.ibia.org International Biometric Group  www.biometricgroup.com   Biometric Consortium www.biometrics.org   Biometric Technology Today www.biometrics-today.com National Biometric Security Project  www.nationalbiometric.org DigitalPersona Pro www.digitalpersona.com Penflow www.penflow.com   Fingerprint Vendor Technology http://fpvte.nist.gov/index.html   Biometrics Institute www.biometricsinstitute.org   Biometrics.gov www.biometrics.gov   NIST www.itl.nist.gov/div893/biometrics   Precise Biometrics www.precisebiometrics.com   WISeKey www.wisekey.com   Biometric Time & Attendance http://recognitionsystems.ingersollrand.com
Conclusions Biometrics efficacy tied to how effectively deployed Biometrics not security silver-bullet technology  Will solve some of, but not all, your aviation security problems Biometrics not plug and play  Plan to expend appropriate time and money
Q/A – Contact info Ben Rothke, CISSP, QSA  Senior Security Consultant BT Professional Services [email_address]

Ben Rothke Aoa 2008 Biometrics
