Slide 1: Biometrics and Aviation: Opportunities and Challenges
Ben Rothke, CISSP, SITA Level 3 Senior Security Consultant BT Professional Services
Slide 2: About Me
• Ben Rothke, CISSP, CISM, SITA L3
• Senior Security Consultant – BT Professional Services
• Previously with AXA Equitable, Baltimore Technologies, Ernst & Young, Citibank.
• Have worked in the information technology sector since 1988 and information security since 1994
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)
Slide 3: Agenda
• How to make biometrics work in the aviation sector
– Not an introduction to biometrics
• Overview of authentication
• Starting point for biometric roll-out
• Not a monologue
– Ask a question, make a comment, etc.
Slide 4: Key Biometrics Takeaways
• Powerful and effective technology – must know:
– What your specific security issues are
– How you expect biometric technology to solve them
• Not security silver bullet or plug and play
– Project management and methodology essential
• Successful deployments
– Small-scale, closed-loop applications
– Start small
– Gain successes
– Grow biometric rollout
Slide 5: People, Processes and Technology
• Successful implementation of biometric technology solution depends not just on performance but:
– Operational processes that employ the technology
– People who execute processes
• Biometric technology just piece of overall decision support system
– First decision: whether to issue ID
– Second decision: whether to admit (made at entry point)
– Biometrics can play role in both
Slide 6: Biometrics
• Standard definition:
– Technology that confirms a person’s identity by comparing patterns of physical characteristics in real-time against enrolled computer records of those patterns.
• Alternate definition:
– A way to blow your budget on an ill-conceived and poorly defined authentication project
– Security treadmill designed to gather dust
Slide 7: Why Do We Need Authentication?
Slide 8: Biometric Authentication, not Identification
• Identification
– One-to-many match
– Used by law enforcement to identify criminals
– Identify qualified recipients for benefit programs
– Registration systems for voting, licensing drivers, etc.
• Authentication
– One-to-one match
– Live biometric presented by user
– Compared to stored sample previously given by that individual during enrollment
– Match then confirmed or rejected
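Added example, not part of the original slides: a sketch of the one-to-one versus one-to-many distinction above, using constructed feature vectors, an assumed distance threshold and an assumed 1% per-comparison false match rate. It also shows how a false match rate that is tolerable for authentication compounds across a gallery in identification, assuming the comparisons are independent.

```python
import math

# Constructed feature vectors standing in for enrolled templates (not real biometric data).
ENROLLED = {
    "emp-001": [0.12, 0.80, 0.33, 0.51],
    "emp-002": [0.90, 0.15, 0.62, 0.40],
    "emp-003": [0.14, 0.78, 0.30, 0.55],
}
THRESHOLD = 0.10  # assumed decision threshold on Euclidean distance


def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def authenticate(claimed_id, live, threshold=THRESHOLD):
    """One-to-one: compare the live sample only to the claimed user's template."""
    template = ENROLLED.get(claimed_id)
    if template is None:          # unknown identity claim is rejected, never matched
        return False
    return distance(live, template) <= threshold


def identify(live, threshold=THRESHOLD):
    """One-to-many: search every template and return all candidates in range."""
    return sorted(uid for uid, t in ENROLLED.items()
                  if distance(live, t) <= threshold)


def gallery_false_match_probability(fmr, gallery_size):
    """Chance an unenrolled person matches at least one of N templates,
    assuming each comparison is an independent trial with the same FMR."""
    return 1 - (1 - fmr) ** gallery_size


if __name__ == "__main__":
    live = [0.13, 0.79, 0.32, 0.52]   # constructed live capture
    print(authenticate("emp-001", live))
    print(identify(live))
    for n in (1, 100, 10000):
        print(n, round(gallery_false_match_probability(0.01, n), 4))
```

With this sample, the one-to-one check gives a single accept or reject for the claimed identity, while the one-to-many search returns two close candidates that an operator or a second factor would have to resolve.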
Slide 9: Airport Biometric Success Story
• Ben Gurion International Airport (TLV)
– Technological upgrades can work wonders for efficiency and dramatically improve travelers’ moods
– Israelis flying out of TLV undergo biometric handprint check that speeds them through passport control in five seconds.
– Most airports can’t regulate behavior of passport control agents and security officers, who are usually not airport employees
– Israel Airports Authority does, and invests a lot of time and money in keeping the security screening process short and courteous without sacrificing quality.
– “Security doesn't mean that you have to be rude to somebody” Zeev Sarig, managing director at TLV.
– 3Q06 - the first time TLV was surveyed, it placed first out of 40 European airports and fifth among 77 worldwide.
Slide 10: Other airport biometric success stories
• SFO & TOL
– Hand geometry devices in conjunction with ID cards to protect secure areas of airport (tarmac and loading gates)
• ORD
– Fingerprint biometrics for increasing speed and security for cargo truck drivers
• CLT
– Pilot program using iris recognition to verify employees entering secure areas
• TLV
– Hand geometry to speed people through customs
• KEF
– Face recognition for surveillance applications
Slide 11: Airport Biometric Horror Stories
• Rash of airports/airfields hastily deployed biometrics
– Especially post 9/11
– Lack of evaluation methodology
– Lack of integration
– Lack of documentation
– Lack of capability of the technology and/or vendor
• Lots of congressmen creating bills
• Airports, airlines, vendors, SI, government agencies contacting FAA to offer services for demonstrations/installations of biometric technology
• Budgets blown, projects terminated, nothing gained
Slide 12: GAO on Biometrics in Aviation
• Effective security cannot be achieved by relying on technology alone.
• Technology and people must work together as part of an overall security process.
• Weaknesses in any of these areas diminish the effectiveness of the security process.
• Security process needs to account for limitations in biometric technology.
• GAO Report: Aviation Security - Challenges in Using Biometric Technologies www.gao.gov/new.items/d04785t.pdf
Slide 13: Using Biometrics for Aviation Security
• FAA, DHS and TSA examining use of biometrics for aviation security for several years
– 2001 - FAA and DoD Counterdrug Technology Development Program Office co-chaired the Aviation Security Biometrics Working Group (ASBWG)
– Examined use of biometrics in 4 aviation security applications:
1. Identity verification of employees
2. Protection of public areas in and around airports
3. Identity verification of passengers boarding aircraft
4. Identity verification of flight crews prior to and during a flight.
Slide 14: Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004
• Title IV – Transportation Security, Section 4011 – Provision for the Use of Biometric or Other Technology, directs TSA to “issue, not later than March 31, 2005, guidance for use of biometric technology in airport access control systems.”
• TSA encourages airport operators to use this guidance document to improve upon their existing access control systems by incorporating biometric technologies.
Slide 15: IRTPA - section 4011(a)(5)
• Directs TSA Asst. Secretary, with representatives of the aviation industry, biometric identifier industry and NIST to issue guidance to establish, at minimum:
– (A) comprehensive technical & operational system requirements and performance standards for the use of biometric identifier technology in airport access control systems (including airport perimeter access control systems) to ensure that the biometric identifier systems are effective, reliable, and secure.
– (B) list of products and vendors that meet the requirements and standards set forth in subparagraph (A)
– (C) procedures for implementing biometric identifier systems to ensure that individuals do not use an assumed identity to enroll in a biometric identifier system and to resolve failures to enroll, false matches, and false non-matches
– (D) best practices for incorporating biometric identifier technology into airport access control systems in the most effective manner, including a process to best utilize existing airport access control systems, facilities, and equipment and existing data networks connecting airports.
Slide 16: Regulations Governing Airport Security
• Title 49 CFR Chapter 12, Part 1542: Airport Security requires airport operators to:
– Adopt and carry out security program approved by TSA – Include in its security program:
• Establish secured area – Air Operations Area (AOA) and/or Security Identification Display Area (SIDA)
• Control entry into the secure area via access control systems
• Perform access control functions required and procedures to control movement within secured area, including identification media
• Majority of US airports subject to Part 1542 regulations
• Few have access control systems with biometrics, some of which were implemented through TSA pilot programs at a limited number of access points.
Slide 17: Transportation Worker Identification Credential (TWIC)
• Established by Congress via Maritime Transportation Security Act (MTSA)
– Administered by the TSA and U.S. Coast Guard.
• TWICs are tamper-resistant biometric credentials
– Issued to workers who require unescorted access to secure areas of ports, vessels, outer continental shelf facilities and all credentialed merchant mariners.
– Expect 750,000+ workers, including longshoremen, truckers, port employees and others, will be required to obtain TWIC.
Slide 18: TWIC
• Enrollment / issuance began at Port of Wilmington, DE October 2007 and will continue through 2008
• Obtaining TWIC
– Individual provides biographic and biometric information, digital photograph, successfully passes TSA security threat assessment
• Pre-enrollment saves applicant time
– Enables them to provide biographical information and make appointment for in-person enrollment.
• Currently, no regulatory requirements pertaining to use of TWIC readers
– Initial testing and evaluation of TWIC readers will begin in 2008 as part of TSA pilot phase
Slide 19: Strategic Biometric Planning
[Diagram: Effective Biometric Deployment. Labels: Requirements, Deployment, Define Drivers, Legacy apps, Implementation, Strategy, Regulatory, Risk Modeling, Training, Evaluation/Testing, Awareness Dev., Audit]
Slide 20: Biometric Requirements
• Universality
– Every person must have this characteristic
• Uniqueness
– Two people unlikely to share this characteristic
– Height, weight, hair and eye color clearly not unique
• Permanence
– Characteristic must be available over long term
• Collectability
– Must be easy and unobtrusive to obtain
Slide 21: Biometric Requirements, cont.
• Performance
– Accuracy, speed, and robustness of technology used
• Non-circumvention
– Inability to bypass
• User acceptance
– Degree of technology approval
– Ensure in advance that user base is not offended
Slide 22: Important Features of Biometric Technologies
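• Fingerprint
– How it works: Captures and compares fingertip patterns
– Cost of device: Low
– Enrollment time: 3 minutes, 30 seconds
– Transaction time: 9 to 19 seconds
– False non-match rate: .2%–36%
– False match rate: 0%–8%
– User acceptance issues: Associated with law enforcement, hygiene concerns
– Factors affecting performance: Dirty, dry, or worn fingertips
– Demonstrated vulnerability: Artificial fingers, reactivated latent prints
– Variability with age: Stable
– Commercial availability since: 1970s
• Iris
– How it works: Captures and compares iris patterns
– Cost of device: High
– Enrollment time: 2 minutes, 15 seconds
– Transaction time: 12 seconds
– False non-match rate: 1.9%–6%
– False match rate: Less than 1%
– User acceptance issues: User resistance, usage difficulty
– Factors affecting performance: Poor eyesight, glare, or reflections
– Demonstrated vulnerability: High-resolution picture of iris
– Variability with age: Stable
– Commercial availability since: 1997
• Facial
– How it works: Captures and compares facial patterns
– Cost of device: Moderate
– Enrollment time: About 3 minutes
– Transaction time: 10 seconds
– False non-match rate: 3.3%–70%
– False match rate: 0.3%–5%
– User acceptance issues: Potential for privacy misuse
– Factors affecting performance: Lighting, orientation of face, and sunglasses
– Demonstrated vulnerability: Notebook computer with digital photographs
– Variability with age: Affected by aging
– Commercial availability since: 1990s
• Hand
– How it works: Measures and compares dimensions of hand and fingers
– Cost of device: Moderate
– Enrollment time: About 1 minute
– Transaction time: 6 to 10 seconds
– False non-match rate: 0%–5%
– False match rate: 0%–2.1%
– User acceptance issues: Hygiene concerns
– Factors affecting performance: Hand injuries, arthritis, swelling
– Demonstrated vulnerability: None
– Variability with age: Stable
– Commercial availability since: 1970s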
Source: Registered Traveler Program Policy and Implementation Issues http://www.gao.gov/new.items/d03253.pdf
Slide 23: Leading and Emerging Biometric Technologies
Leading
1. Facial recognition
2. Fingerprint recognition
3. Hand geometry
4. Iris recognition
5. Retina recognition
6. Signature recognition
7. Voice recognition
Emerging
1. Vein scan/vascular
2. Facial thermography
3. DNA matching
4. Odor sensing
5. Blood pulse measurement
6. Skin pattern recognition
7. Nailbed identification
8. Gait recognition
9. Ear shape recognition
Slide 24: Risk Management and Biometrics
• What am I protecting?
– Identify assets that must be protected and the impact of their potential loss.
• Who are my adversaries?
– Intent/capability of adversary are principal criteria for establishing degree of threat to assets
• How am I vulnerable?
– Identifying/characterizing vulnerabilities that allow identified threats to be realized.
– What weaknesses allow security breach?
• What are my priorities?
– Risk must be assessed and priorities determined for protecting assets.
– Risk assessment examines the potential for the loss or damage to an asset.
– Risk levels established by assessing impact of loss or damage, threats to asset, and vulnerabilities.
• What can I do?
– Identify countermeasures to reduce or eliminate risks.
– Countermeasures advantages/disadvantages weighed against their disadvantages/costs
Slide 25: Keep Asking Lots of Questions
• Does the system have clearly and narrowly defined purpose?
• Who will use the system?
• Have the potential system capabilities been evaluated?
• Has there been an evaluation of range of alternative choices?
• What types of information will be available through biometric?
• Will biometric information be used as universal unique identifier?
• Will storage of biometric information include extraneous information?
• Will the system store original biometric data?
Slide 26: Biometric Reality
• 10% technology; 90% policy and management
• Must deploy with effective methodology
• Project planning is key
Slide 27: End-user Resistance
• Most complaints are concerns over unknown
– Privacy
– Hygiene
– Union / employee groups resisting change
– Fingerprints taken only when accused of a crime
– Consumer and end-user resistance can sink even best technology.
– Be prepared!
Slide 28: Many People Can’t be Fingerprinted
• Thin skin, including those who have it as part of genetic makeup
• Use cleaning chemicals extensively
• Prescription drugs that slightly thin the skin while treating various autoimmune ailments.
• Finger injuries, even a knife scrape, can result in prints becoming either unreadable or altered, and lead to system rejection
• People whose fingers have limited movement
• Elderly population / construction workers have difficulty enrolling
• Faded fingerprints prevent man from working at nuclear power plant - www.freerepublic.com/focus/f-news/1048051/posts
Slide 29: End-User Education
• Deployment most effective and flows smoothly when you educate users before roll-out
• Users need clear instructions on how to log in
• Encourage users to read online help
• Let users know that their biometric images will not be stored
– Only specific features of the biometric are obtained and stored
– Data can’t be reverted to actual biometric images
Slide 30: Why Biometric Roll-outs Fail
• Not enough servers to support deployment
• Lack of legacy support
• Adequate response times not established
• No pilot testing
• No documentation, processes or procedures
• Ineffective training
• Attempting too large initial roll-out
• BR/DRP not designed into program
• Lack of project management/project manager
– Especially around user enrollment
Slide 31: Making Biometrics Work
• Know what your problem is
– What is specific security problem and how can biometric solution solve it?
– Start with simple question: What is my objective?
– If you can’t answer these questions, your biometric initiative will fail
• Start small
– Gain small victories
– Grow the program
– Don’t think of trying a huge enterprise rollout
Slide 32: No Biometric is Suitable for Every Situation
• Hand geometry requires least data storage
• Fingerprint and iris recognition have lowest error rates
• Facial recognition is easiest to use
• Each technology has limitations:
– 2%-5% of people cannot be easily fingerprinted
– Facial recognition systems have not performed particularly well in independent testing.
– Iris recognition is relatively new technology and has not been used in any large operational application
Slide 33: Key Considerations
• Decide how technology will be used
• Conduct detailed cost-benefit analysis to determine that benefits gained outweigh costs
• Conduct trade-off analysis between increased security, which biometrics provides, and effect on privacy and convenience
Slide 34: Business, not technology
• Business, not technical challenges
– Biometrics are for most part stable and mature
• Real challenges are:
– Meeting business requirements
– Integrating into applications
– Producing documentation to deliver trust
– Management and reliability
– Planning and deployment
– Managing migration and scalability
Slide 35: Effective Roll-out Methodology
• Must be deployed in strict, methodical fashion
• Take following items into consideration:
– Authentication strategy
– High-level direction and commitment
– Technology architecture
– Baseline controls
– Standards
– Policies
– Processes
– Budget
– Political and cultural issues
– Physiological vs. behavioral biometric requirements
– Implementation details
– Workflow
– Practice statements
– Mechanisms
– Testing
– Logging
– Training
– Roles and Responsibilities
– Staff
– Backup plans
Slide 36: Biometric Success Metrics
• Delivers real business benefits
• Deployed in timely and cost-effective manner
• Secure and provides trust
• Reliable and easy to use
• Can be managed
• Can evolve and scale
• Cost effective
• Support regulatory efforts
Slide 37: TSA Qualified Products List (QPL)
• TSA and NIST create standards to evaluate biometric sub-systems for inclusion on the QPL
• In some cases a device that does not meet all the criteria and standards may be approved for placement on the list if TSA believes its performance will be comparable to devices that meet the criteria and standards.
Slide 38: References
• GAO Report Aviation Security - Challenges in Using Biometric Technologies
– www.gao.gov/new.items/d04785t.pdf
• Aviation Security Biometrics Working Group
– www.biometricscatalog.org/asbwg
• Recommended Security Guidelines for Airport Planning, Design and Construction
– www.tsa.gov/assets/pdf/airport_security_design_guidelines.pdf
• Using Biometrics for Border Security
– www.gao.gov/new.items/d03174.pdf
Slide 39: Resources
• International Biometric Industry Association – www.ibia.org
• International Biometric Group – www.biometricgroup.com
• Biometric Consortium – www.biometrics.org
• Biometric Technology Today – www.biometrics-today.com
• National Biometric Security Project – www.nationalbiometric.org
• DigitalPersona Pro – www.digitalpersona.com
• Penflow – www.penflow.com
• Fingerprint Vendor Technology – http://fpvte.nist.gov/index.html
• Biometrics Institute – www.biometricsinstitute.org
• Biometrics.gov – www.biometrics.gov
• NIST – www.itl.nist.gov/div893/biometrics
• Precise Biometrics – www.precisebiometrics.com
• WISeKey – www.wisekey.com
• Biometric Time & Attendance
– http://recognitionsystems.ingersollrand.com
Slide 40: Conclusions
• Biometrics efficacy tied to how effectively deployed
• Biometrics not security silver-bullet technology
– Will solve some of, but not all, your aviation security problems
• Biometrics not plug and play
– Plan to expend appropriate time and money
Slide 41: Q/A – Contact info
Ben Rothke, CISSP, QSA Senior Security Consultant BT Professional Services Ben.Rothke@bt.com