Airport Identity Cards (NZ)

Tuesday, Oct 8, 2024 | 5 minute read | Updated at Tuesday, Oct 8, 2024

New Zealand runs two primary identification systems for its airports: Airport Identity Cards (AIC) and Security Controlled Area Identity Cards (SCAIC).

The AIC and SCAIC

The AIC is a card issued to individuals who require regular access to restricted or controlled areas within New Zealand’s airports. Individuals eligible for an AIC include airline staff, ground handlers, security personnel, and airport operators. The AIC allows holders to access secure areas in accordance with the Civil Aviation Rules, primarily Part 19 of the Civil Aviation Act 1990.

The SCAIC is a more specialized variant of the AIC, focused on restricting access to the most sensitive sections of an airport, specifically security-controlled areas. This might include access to baggage handling facilities, tarmacs, and other zones where unrestricted access could pose significant threats.

Key Features of AIC

  • Access Control: Provides access to limited areas such as terminals, gates, and operational sites.
  • Background Checks: Requires employees to undergo background checks to assess their suitability for clearance.
  • Expiration: Time-limited validity, which demands continuous employment validation and renewed background checks.

Key Features of the SCAIC

  • Heightened Access Restrictions: The SCAIC grants access only to areas designated as security-controlled, requiring more stringent background checks compared to the AIC.
  • Usage: Primarily issued to personnel who require access to “airside” areas (e.g., ground crew or customs officers).
  • Surveillance Integration: Often linked with video monitoring and real-time tracking systems, depending on the airport’s security infrastructure.

Technical Analysis

Both AICs and SCAICs leverage radio-frequency identification (RFID), as is the case with most digital access control cards. The RFID chip contains an encrypted unique identifier, which communicates with readers installed at entry points. While the encryption strength might vary depending on the airport, this generally follows the MIFARE DESFire or HID Proximity standards—both of which offer anti-cloning mechanisms and are widely recognized for security.

Although airports in New Zealand use biometric technology in some areas, not all AICs or SCAICs are integrated with biometric security. This represents a significant opportunity for the program to evolve towards higher levels of security, especially in critical areas where maximum security is essential.

The database that handles AIC and SCAIC data is typically integrated into the national air transport security system, overseen by AvSec and the New Zealand CAA. The system itself is likely (hopefully) maintained with robust API access controls, ensuring interoperability with other systems such as passport databases and airport surveillance systems. Nonetheless, ensuring secure communication within the database remains a critical requirement for reducing data leakage or unauthorized access through cyberattacks.

Data in transit is encrypted using TLS (it currently appears to be 1.0, which is outdated, but AvSec refused to confirm this). Encrypted transmission is necessary for maintaining forward security, but the protocols in use need to be updated regularly. Failing to update them because of outdated software may introduce new vulnerabilities.
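As an added example (not code from AvSec or from the original post), the following Python parses a TLS ServerHello record and reports which protocol version the server selected, flagging anything below TLS 1.2. The sample records are constructed by the hypothetical helper sample_hello and are not captures from any real system.

```python
import struct

# Wire values of SSL/TLS versions; below TLS 1.2 is deprecated (RFC 8996).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ACCEPTABLE = 0x0303

def negotiated_version(record: bytes) -> int:
    """Return the protocol version a server selected in its ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(body[0:2], "big")   # legacy_version
    pos = 34                                     # skip version + 32-byte random
    pos += 1 + body[pos]                         # session_id
    pos += 3                                     # cipher suite + compression
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    if pos + 2 > len(body):
        return version                           # no extensions: TLS <= 1.2
    ext_end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == 0x002B and ext_len == 2:  # supported_versions (TLS 1.3)
            version = int.from_bytes(body[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return version

def assess(record: bytes):
    """Return (version name, True if TLS 1.2 or newer)."""
    v = negotiated_version(record)
    return VERSIONS.get(v, hex(v)), v >= MIN_ACCEPTABLE

def sample_hello(legacy: int, ext: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, empty session id)."""
    body = legacy.to_bytes(2, "big") + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if ext:
        body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + legacy.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for rec in (sample_hello(0x0301), sample_hello(0x0303),
                sample_hello(0x0303, bytes.fromhex("002b00020304"))):
        print(assess(rec))
```

A TLS 1.3 server still writes 0x0303 in the legacy version field, which is why the supported_versions extension has to be read before judging the result.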

Key Strengths

Many airports globally, including New Zealand’s, invest in complementary layers of security infrastructure, such as CCTV, biometric scanners, and Access Control Management Systems (ACMS). When synced with the AIC and SCAIC, these systems offer multi-factor authentication for airport personnel. For example, coupling the AIC/SCAIC with biometric technology (e.g., fingerprint/iris scanning) can ensure that compromised cards cannot be used by unauthorized persons, thus mitigating risks of card theft or cloning.

The system’s layered approach (AIC for general personnel; SCAIC for secure, high-risk zones) ensures that employees are given only the access they need based on their role. Granular permission settings limit access to vulnerable areas, thereby reducing the risk of insider threats or accidental breaches. Additionally, separating the majority of staff through AIC while reserving the SCAIC for highly sensitive access creates an additional buffer of protection. The AIC can be considered roughly equivalent to a white ASIC, while the SCAIC would be considered equivalent to a red ASIC.

Every applicant for an AIC or SCAIC is subjected to rigorous background screening, following a robust employment history check and criminal record checks as per the CAA’s security clearance policy. By doing so, the program prevents the onboarding of personnel with unsatisfactory criminal backgrounds or associations with potential malicious actors.

AIC and SCAIC cards both incorporate smart card technology, meaning the data on the card is read and verified by a proximity reader. As such, the validity of the card can be authenticated by aerodrome operators and security personnel.

Weaknesses

While the system’s technical components are secure, social engineering remains a notable weakness. Personnel with access to restricted or secure areas might be susceptible to coercion, bribery, or manipulation. Though this is not a technical fault, such vulnerability cannot be overlooked in any security measure reliant on human compliance.

Most AIC and SCAIC systems rely on proximity chips within the cards for authentication. Although it adds a layer of security, proximity chip technology can be vulnerable to cloning through specialized RFID skimmers. Without native encryption or added biometric verification, card-based systems can be emulated by malicious actors.

As airports expand and involve more third-party contractors (e.g., cleaning services, baggage handlers, retail employees), the sheer volume of applicants for AICs creates logistical and administrative strain. Additionally, subcontractors may not always conduct security training or screening as rigorously as airport-specific or airline-specific employees.

STAR Rating

Security

The AIC and SCAIC programs provide a robust baseline for securing sensitive zones at airports. The mandatory background screening, RFID-based access control, and potential for biometric integration make these programs relatively secure. However, human factors, like social engineering and RFID technology’s potential susceptibility to cloning, suggest that there is room for improvement.

4/5

Throughput

Throughput is where the system performs well, assuming proper card issuance and maintenance. RFID systems offer minimal delays upon scanning and are well-suited to high-volume personnel environments.

5/5

Accuracy

The RFID system provides reliable authentication, but occasional equipment failure or administrative mismanagement (e.g., issuing clearance to the wrong personnel) can cause temporary breakdowns in the system. However, this is mitigated using “smart passports” which incorporate the biometrics of the user. A fraudulent SCAIC/AIC holder must also have a fake but valid passport which is present in the NZ national database.

4/5

Readiness

The system has a proven implementation and meets international standards. With digitized backing and integration with global ICAO norms, it is already operational but could greatly benefit from increased adoption of biometrics and improved database management.

5/5

Overall Score: 18/20 ⭐⭐⭐⭐

© 2024 Airport (in)Security

Written with ❤️ for COMP6441 by Pepsi. All rights reserved.
