Schneier on Security
A blog covering security and security technology.
April 21, 2006
Software Failure Causes Airport Evacuation
Last month I wrote about airport passenger screening, and mentioned that the X-ray equipment inserts "test" bags into the stream in order to keep screeners more alert. That system failed pretty badly earlier this week at Atlanta's Hartsfield-Jackson Airport, when a false alarm resulted in a two-hour evacuation of the entire airport.
The screening system injects test images onto the screen. Normally the software flashes the words "This is a test" on the screen after a brief delay, but this time the software failed to indicate that. The screener noticed the image (of a "suspicious device," according to CNN) and, per procedure, screeners manually checked the bags on the conveyor belt for it. They couldn't find it, of course, but they evacuated the airport and spent two hours vainly searching for it.
Hartsfield-Jackson is the country's busiest passenger airport. It's Delta's hub city. The delays were felt across the country for the rest of the day.
Okay, so what went wrong here? Clearly the software failed. Just as clearly the screener procedures didn't fail -- everyone did what they were supposed to do.
What is less obvious is that the system failed. It failed, because it was not designed to fail well. A small failure -- in this case, a software glitch in a single X-ray machine -- cascaded in such a way as to shut down the entire airport. This kind of failure magnification is common in poorly designed security systems. Better would be for there to be individual X-ray machines at the gates -- I've seen this design at several European airports -- so that when there's a problem the effects are restricted to that gate.
Of course, this distributed security solution would be more expensive. But I'm willing to bet it would be cheaper overall, taking into account the cost of occasionally clearing out an airport.
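As an added illustration (not code from the original post), the following simulation contrasts the overlay-only design the post describes with one that fails well: every injected test image is written to an audit log before it is displayed, and an alarm is reconciled against that log and contained to the lane instead of escalating to the airport. The audit log, the `hold_lane` outcome and the fault flagging are assumptions of this example, not a description of the real equipment.

```python
from dataclasses import dataclass
import itertools


@dataclass
class Scan:
    scan_id: int
    is_test: bool        # what the machine actually injected (ground truth)
    overlay_shown: bool  # whether "This is a test" reached the screener's screen


class XrayLane:
    """One X-ray machine. The audit log is the independent record of every
    injected test image; it is written before the image is displayed, so a
    failed overlay cannot erase the evidence that a test took place."""

    def __init__(self, overlay_works=True):
        self.overlay_works = overlay_works
        self._ids = itertools.count(1)
        self.audit_log = []   # append-only: scan_ids of injected test images
        self.faults = []      # machine faults detected during reconciliation

    def inject_test_image(self):
        sid = next(self._ids)
        self.audit_log.append(sid)                   # record first ...
        return Scan(sid, True, self.overlay_works)   # ... then display

    def scan_real_bag(self):
        return Scan(next(self._ids), False, False)


def alarm_response_original(lane, scan):
    """Overlay-only design from the post: the screener's only signal that the
    image was a test is the on-screen text, so a lost overlay looks real."""
    return "test" if scan.overlay_shown else "evacuate"


def alarm_response_hardened(lane, scan):
    """Fail-well design (assumed): before escalating, reconcile the alarm
    against the audit log, and contain the response to this lane."""
    if scan.scan_id in lane.audit_log:
        if not scan.overlay_shown:
            # The test was real but the overlay failed: a machine fault,
            # not a threat. Flag the lane for maintenance and move on.
            lane.faults.append(scan.scan_id)
        return "test"
    return "hold_lane"   # stop this belt and search it, not the whole airport
```

With the overlay broken, the original design returns "evacuate" for an injected test image while the hardened one returns "test" and records a fault; a real unexplained alarm holds only that lane.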
Posted on April 21, 2006 at 12:49 PM
Putting screeners and machines at every gate sounds pretty expensive. The costs of clearing an airport occasionally have got to be less than the costs of outfitting every major airport with more equipment and staff.
It seems like it would make more sense to have metering lights at each station and instead of having mobs go through, have each individual queue up ready to go through screening and not let the next one through until the first had passed. If everyone takes their shoes off before getting up to the light and puts them back on after they pass the screening area, this shouldn't really cause any significant delays.
Of course they may just be blaming the problem on the software. The test may have been normal and the screener just did not notice the "this is a test" message.
In any case, if they could not tie the bag to the image then they have a bigger problem.
It may be a bit of a "movie" device, but if you were to detect a bomb in the machine it would seem like a good idea that the bag would then stay inside the machine. Otherwise a bomber might just "take what they could get" and trip the device in the screening area and kill as many as they could, rather than face arrest.
Sounds like a moderately interesting queueing theory problem. If we can design a call center with "optimal" wait time, we should be able to do this. All we need to know is the probability distribution according to which explosives are found in luggage ;^)
ARL: Schneier's original comment that the system was not designed to fail well still applies. The screener should not be able to "not notice" the message, either because it takes deliberate and complicated (like ctrl-alt-delete, not necessarily time consuming) steps to remove, requires a supervisory password to clear, etc.
> It may be a bit of a "movie" device, but if you were to detect a bomb in the
> machine it would seem like a good idea that the bag would then stay inside the
At the very least suspicious packages should not be accessible to passengers until cleared. The belt should stop, the machine should turn off, and the bag should be removed by security personnel instead of being ejected out the normal end where someone can grab it.
Schneier: Well yes, the distributed would work better, but, since the gov't is already underfunding airport security, they are not about to pick up this tab either. Especially since they (the gov't) are not directly hurt by shutting down the airport, it's only the airlines. AND, the gov't can pass off its mismanagement and mendacity because the flying public has been "made to understand" (read propagandized, bamboozled, etc) that security takes time and they may have to put up with the inconvenience.
"This kind of failure magnification is common in poorly designed security systems. Better would be for there to be individual X-ray machines at the gates."
It's like having city street lights switched serially instead of (obviously) in parallel.
One goes down, the whole chain collapses.
The idea of pushing the security screening out to individual gates just as people are getting ready to board the plane is one I've been suggesting since just after 9/11. It prevents the boarding pass swapping security hole that currently exists in the screening procedures as well.
I think the thing people need to consider is that you don't need dedicated security at every single gate, you just need a mechanism of movable secure hallways and doors (much like is already used for diverting international passengers arriving at gates that also serve domestic flights) that can be shared between several nearby gates, and the scheduling of flights such that you haven't over-booked the security screening machines and personnel.
I haven't looked this up..
But.. What was the operator to do if (s)he knew it was a test image? There is obviously some action that needs to take place...
What is the point of these tests anyway?
Maybe the software did fail.. Maybe not.. But clearly, sending test images when the only reason for doing it is for an action to occur that would cause any delay seems pretty pointless.
> What is the point of these tests anyway?
Human beings are bad at error detection when it comes to repetitive tasks. If a screener is looking at "clean" bags 99.999% of the time, a "dirty" bag will be missed, because the human's perception isn't tuned to notice the bad bag.
You throw in intentional fake positives to make sure the screeners are awake, essentially.
"At the very least suspicious packages should not be accessible to passengers until cleared. The belt should stop, the machine should turn off, and the bag should be removed by security personnel instead of being ejected out the normal end where someone can grab it."
Many of the airport X-ray systems I've seen have some sort of metal channel after the X-ray unit with an opening on the screener side, so that they indeed have access before the passengers do. I wouldn't be surprised if the conveyor can be stopped on command, either.
That's fine.. but there are better ways to do that... just flash signs like "WAKE UP".. Show a 2-3 second clip of color wheels..
Showing an image of something that is "bad" which you aren't going to do anything with just seems like a waste..
On the other hand, last week as I prepared to travel I switched jackets at the last minute.
Later while waiting to board the plane, I reached into my jacket pocket and found a lockback knife which I had completely forgotten about ... it went right through screening.
When I think more about it I come to this conclusion:
Some things have to do with perception, like: "Do NOT think of a pink monkey"
and yes.. you think of it. Also with signs, good signs are made simple, with basic colors, like: red or yellow -> danger, caution. If you present something dangerous in nice colors like green or so, the message doesn't come across to people. So the "test" they used on the screens should be screamingly red! But then we have another problem, maybe they think that that means there is really something going on!
I also notice: if someone uses "the testing" for real mean purposes, who will notice that it is for real? and that it is NOT a test?
No, actually, you want to put in test positives. Telling someone to wake up won't necessarily improve their ability to notice a suspect bag. Passing a test positive into the system results in good detection training -> either the scanner notices the test positive, and gets the reinforcement on the success, or they miss the test positive and the subsequent investigation is a learning process.
Moreover, one important critical aspect of security screening is that people need to respond properly when something triggers an alert. This is why you have training -> so that people don't freak out when a suspect bag shows up in the scanner. They need to follow procedure.
I've seen those too. What makes me wonder about this situation is what is it about the configuration of this particular queue that led to this over-reaction?
If it is not possible for passengers to get at the bags, why shut down the airport? There must have been something about this particular screening process that led the screeners to think that the suspect bag had gotten into the airport proper, which means it had to have been removed from the conveyor somehow.
The old "it's better to be safe than sorry" fallacy. I suspect that internally they will be patting themselves on the back. I say penny wise, pound foolish.
"There must have been something about this particular screening process that led the screeners to think that the suspect bag had gotten into the airport proper, which means it had to have been removed from the conveyor somehow."
Since there was no bag to find, and no indication that it was a test image, then the natural assumption is that the "suspicious bag" has been removed.
But if there is no place for the bag to go, then the natural assumption would be that there is something wrong with the machine.
If my scanner machine says, "Scary bad thing here!", but upon opening machine there is no thing to be found, I'm not going to assume someone unseen crawled up the conveyor belt to grab their bag, or that magic gremlins spirited the scary thing away from the depths of the machine.
When something triggers an alert, the machine should STOP. Removal of the suspect item from the scanning device should be something only an authorized person can perform, using a different egress than the one accessible from the passengers.
No one has pointed out yet that the software apparently doesn't record the fact that there was a test, so that if a screener sees a "doped" bag and doesn't notice the "This was a test" sign, they can figure it out after the fact without shutting down the airport.
I vote for an automatic cookie dispenser providing rewards whenever the screener correctly flags a test bag.
The tester should press a button whenever he sees something suspicious on the screen. This way, his/her performance with test images can be monitored (and there is penalty for missing).
I'm a security guard. The penalty for missing is entirely up to management. If the penalty for missing is to lose a minimum wage job (around ten bucks an hour in the Bay Area), then you don't have much to lose. Raise the pay to fifteen bucks an hour and they might pay attention. Thirty bucks an hour and they will definitely pay attention for fear of losing their job.
And have false positives about once every half hour. More than that is unnecessary and irritating, less than that is too little and you tend to zone out.
Also, you want clearing the false positive to be a one button deal. You automatically push the button and the false positive clears, or it doesn't clear and you know that it's not a false positive.
I wonder how much damage was done to luggage belonging to innocent travellers by security personnel looking for the non-existent dangerous item.
I don't imagine its owners get compensated in any way -- just one of the sacrifices that must be made in the name of security.
"Putting screeners and machines at every gate sounds pretty expensive. The costs of clearing an airport occasionally have got to be less than the costs of outfitting every major airport with more equipment and staff."
It would certainly be more expensive than centralized screeners, but possibly not that much more. More equipment certainly, but you would only need two or three people at each gate -- and then only when there is a departure at that gate.
It would require a substantial redesign of the airport, though, which is probably the real expense.
The Salt Lake City, UT airport has x-ray scanners assigned to small (2-3) groups of gates. This is *not* a good plan. I bought a cup of coffee, then had to remove my shoes to get a security scan. When my flight was delayed, I spent another 20 minutes getting scanned -- by the same people -- after buying a bagel.
If you're going to move scanning nearer to the gates, move it all the way to the jetway.
I was a member of the group (manag. consul.) who assisted in the redesign of Changi Airport's passenger flow systems in Singapore *quite* a number of years ago. Our given aims were (very briefly):
minimise security queues;
deny contact between those who had passed through security and those who had not;
minimise passenger/staff interaction;
deny exit from secure areas, and
create containable secure areas.
Anyone who has travelled through Changi (T1 or 2) shall have seen our solution.
Each gate is a large double-glassed lounge that has a passport/boarding pass check (one staff member) followed by a security check. Once inside, leaving is not possible. Further, the one-way flow/passenger grouping architecture was such that a criminal/terrorist could not flee into other parts of the terminal if a threat was discovered (originally, only 10 cleared at once, with doors opening and closing, etc, however this was scrapped in 2002 due to efficiency issues). A drinks/food machine as well as a water fountain and a bathroom are to be found inside.
The only main downfall of this plan, from the airport's point of view, was that the diode-like properties of the gate lounges would result in a decrease in consumer/retailer incidence (i.e. the passengers would spend less time spending). This was countered by decreasing the difference between the GoToGate announcement and the Boarding announcement, as well as the fact that, with less for passengers to 'do', the drinks machines would do a roaring trade.
Changi have, in real terms (accounting for changes in demand), noted shorter net passenger/staff interaction times as well as lower marginal security cost per passenger as a result of this system.
The most relevant part of our solution to this article, however, was the 'actions-on' threat discovery, which was done by a security consult. group with us. If a level two item (this was their definition - basically anything that could be a drug or truly offensive weapon) was seen, the lounge doors could be closed remotely from the X-ray desk, and the gate security staff would be notified automatically. The metal detector would beep when *anything* passed through it (i.e. the magnetic disturbance tolerance was set to zero) and the owner would be wanded, patted etc, then asked to walk through the detector again. This simply bought time for the X-Ray staff (on and off site - in all modern major airports the screen is viewable remotely) to more conclusively evaluate the threat. If the staff were not told otherwise (i.e. the threat was not yet cleared) the owner would be walked off to a curtained booth (the curtain facing away from the x-ray machine) and the bag would be removed and searched.
SPS said: "A drinks/food machine as well as a water fountain and a bathroom are to be found inside.
The only main downfall of this plan, from the airport's point of view, was that the diode-like properties of the gate lounges would result in a decrease in consumer/retailer incidence (i.e. the passengers would spend less time spending)."
Good luck getting any airport in the US to a) put a bathroom in EVERY hold lounge, very expensive and utility intensive, b) make any limits on US buyers having access to retail concessions in US airports (biz model is now, since we have a captive audience, let's milk them, look at recent remodel at SeaTac) and c) get the TSA staffing to man each gate individually (centralization is what TSA wants to lower staff, the same principle is what is driving hold baggage screening from lobby solutions to integrated, back of house EDS solutions. Also, TSA doesn't really listen much to what the airports want, they are primarily concerned with security, not profit).
Also, despite Kelly's opinion (in another post above), what she is proposing is actually an extraordinarily complex design issue, and one which US airlines would resist tooth and nail, as it would tend to lock them in to certain gates and certain times. This is marginally acceptable to international airlines with less "pull" at US airports, but US carriers like more flexibility for late flights and any (real or perceived) difference in services between gates would be quickly identified, fought over vigorously and would lead to a differential rate structure, which is undesirable.
My point being: It'll never happen, or at least not for another 20-40 years when the next wave of new airports/airport remodels occurs. More likely, to my mind, is a "sterile terminal". Checkin and security screening all in one small area near the curb/parking structure. Very secure, but would exacerbate the problem described in this article.
It makes for an interesting denial of service possibility, doesn't it?
I don't have to actually _carry_ a bomb through the airport to shut it down. I only have to trick the x-ray machine into _showing_ that there is a bomb.
Nothing more or less than technology
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.