Securing future connections

posted on 15th June 2021
Securing future connections

The implementation of open architecture in airport security has a number of challenges to overcome but will ultimately play a significant role in future operations, argues Smiths Detection’s global director aviation Richard Thompson

The open architecture (OA) approach is gathering momentum in the aviation industry and is set to disrupt the status quo for airport security systems design, installation, operation and maintenance.

OA, also known as ‘open platform’, is a design principle which enables the interoperability and interfacing of security screening hardware, software and algorithms from different suppliers within one solution. Open architecture can be applied to checkpoint systems and hold-baggage solutions as well as cargo scanning equipment.

Typically, airports partner with one or two security screening suppliers on a checkpoint or hold-baggage system, but by allowing hardware to talk to new software, OA essentially creates more choice for airports by allowing new components to be incorporated into their screening systems.

Although still in its early days, OA interest is growing because of the significant benefits it has the potential to deliver to airports and regulators.

Those benefits range from quicker adoption of advanced technology capabilities to the possibility of increased knowledge sharing between airport and security authorities around the world.

A new approach
While it is already standard practice to integrate lanes and scanners from different suppliers, the integration of software is a new concept. The idea of OA has emerged against a backdrop of increasingly complex security threats and greater availability of technologies like artificial intelligence (AI).

Airports are looking to enhance their systems to ensure that they can adapt to meet these new threats as fully and as quickly as possible while creating competitive advantage.

As outlined in a paper prepared by Heathrow Airport and Avinor AS called Open Architecture for Airport Security Systems, OA provides “new entry paths for collaborators”, which is essential for ensuring the best technologies from “tomorrow’s software developers” can be integrated into airport security systems.

By opening up existing hardware solutions, security systems can be easily and cost-effectively upgraded with the latest detection algorithms and software on the market, not only improving the security outcome but operational efficiency, passenger experience and overall agility to be able to meet new operational requirements and regulation.

OA platforms can also increase data sharing and collaboration between airports to tackle threats more effectively on an industry-wide and global scale.

Systems that are more open and compatible can better utilise Digital Image and Communication in Security (DICOS), a standard that supports the sharing of X-ray images and related data.

Sharing screening results between departure, transit and arrival airports not only boosts safety around the aviation network but significantly increases operational efficiency by potentially removing the need for rescreening at each airport.

While airports are heavily focused on how this new approach can be best leveraged, there is still no agreed industry best practice for how OA should be adopted for security screening.

Responsible deployment
The performance and compliance of a screening system and all its components, from the hardware to the algorithms to the networks, can never be compromised.

Screening and image sharing are regulated and often classified functions, so an industry standard for the responsible deployment of OA is critical.

A responsible approach is one that mitigates risk while achieving the desired result of increased flexibility and associated benefits.

Industry stakeholders are therefore currently exploring how the benefits of OA can be unlocked in a way that does not compromise the effectiveness, operational availability or the integrity of screening data.

The issue is that there are several challenges to deploying OA while at the same time ensuring peak performance of a screening solution.

These challenges range from the technical to the regulatory to the commercial and while there is steady progress, there are currently as many questions as there are answers.

Introducing risk
Perhaps two of the greatest concerns with OA are around cybersecurity and intellectual property (IP) loss.

Configuration changes can create network vulnerabilities and increase the risk of cybersecurity attacks, while open interfaces with third parties may weaken cyber-hardened components of a security screening system.

As a rule, the more open a system becomes the greater the cybersecurity risk. Added to this are suppliers’ concerns about potential IP loss.

The process of adapting hardware to be compatible with multiple third-party products requires close collaboration and the sharing of commercially sensitive information.

This and related issues are being addressed by an industry working group – a potential result being a model framework of agreements or contracts.

Achieving interoperability
While the integration of hardware from different suppliers is not uncommon, there still needs to be a standard solution for how lanes and scanners are interfaced so that hardware interoperability is easily achieved and the system operates reliably.

Screening system manufacturers understand the complexities and ramifications of interoperability which can often make them best placed to bring together airports and third parties to develop algorithms, but when it comes to the transfer of images and data between hardware and new software there are still a lot of unknowns.

For example, some software developers have produced detection algorithms which require access to image data in a standard format.

To solve these issues standard specifications must be agreed across the industry. In this instance, adoption of the DICOS standard is one approach to solving this issue.

Ultimately, interoperability is contingent on robust software. This means that technically there need to be assurances on the quality of the software, to ensure that there is no latency related to providing analysis results.

Removing regulatory barriers
OA also presents complexities for regulatory approval. The issue is around certifying combinations of screening systems with third-party detection algorithms, given that unauthorised connections and interfaces with certified equipment are not guaranteed to be compliant.

In this scenario the regulatory process would be a likely bottleneck, with each new algorithm requiring certification in combination with different pieces of the relevant equipment.

The requirement for regulatory approval would therefore remove the benefit of OA in enabling the speedy adoption of new detection algorithms, and it would be extremely difficult to ensure regulatory compliance throughout the lifetime of a system, during which there are likely to be many configuration changes.

For OA to be viable, more flexible certification processes would need to be considered. For example, certification of a system in its entirety could be granted, as opposed to certifying each individual interface.

Taking responsibility
With multiple supplier components incorporated into a singular system, it is not clear who would be accountable for the overall performance of the system and oversee maintenance, support and repair.

Currently original equipment manufacturers are responsible for the supply and maintenance of certified screening equipment, providing classified data protection and ensuring electrical and mechanical safety as well as electromagnetic compatibility (EMC).

Contractual obligations include equipment ‘up-time’, system availability and lifetime management of the products.

With OA there is a risk of software upgrades to individual components causing other components to malfunction. In that scenario, it is hard to say who would be responsible for rectifying the malfunction.

The most practical approach is for the role and responsibility of each party to be agreed – with overall accountability being given to one organisation, whether that be the OEM or the airport itself.

There also needs to be an appointed responsible authority for vetting third-party algorithm developers, as technically there need to be assurances on the quality and robustness of the software.

The way forward
The rewards of OA are clear: greater flexibility to integrate the latest technologies into one screening solution to tackle threats and meet new operational requirements more effectively.

However, the risks of implementing OA in practice are also evident. To address these risks, it is essential to establish a common set of standards to ensure open architecture platforms operate securely, safely and compliantly.

The good news is that the European Organisation for Security is actively involved alongside the air transport industry and regulators in establishing an agreed approach to OA.

At Smiths Detection, we are increasingly playing a co-ordinating role between stakeholders, utilising our system interfacing experience to advise on best practice.

It is only through working closely together to agree an industry-wide set of standards that the risks can be mitigated and the benefits of OA fully realised.

Ultimately, OA can pave the way to a more integrated and secure airport network, but only when delivered responsibly.