Flight departments must close security gaps on the ground and in the air and remain vigilant of the constant presence of risks, security experts warn.
Four of these experts recently highlighted some of those concerns during a webinar hosted by NBAA. The thrust of their messages surrounded the need to research, plan, and prepare for contingencies. They also agreed that the vulnerabilities could be anywhere and involve anyone.
"Security gaps are those areas and those vulnerabilities that we end up falling into—we don't even realize that they're there," said Aviation Secure founder and president Kristopher Cannon. "Because we don't realize they're there—because we're not really paying attention to it—we go on our daily day. It's the same thing all the time. We call, we get transportation, we get catering, and we get the airplane ready. The CEO shows up, and we take off. Nothing actually seems to get in our way. Everything is always great until crazy shows up."
He pointed to a recent incident in La Crosse, Wisconsin. "A guy walked through an FBO, and next thing you know, you got a barricaded suspect on a [Gulfstream] G500."
Cannon pointed to another incident where a principal got into a vehicle that wasn't his vehicle at the airport. The FBO sent the wrong driver or the right driver to the wrong airplane, picked up the CEO, and drove away. "The CEO finally realized that he wasn't going in the direction he was supposed to be going in," Cannon said.
These examples are a microcosm of security risks that aviation operations face, especially with global markets and global geopolitical conflicts. Added to this are a variety of concerns of protesters of all walks and potential adversaries.
Matt Burdette, country manager and v-p of business development for ASA Security Services, noted that recent events abroad as well as in the U.S. should encourage flight departments and others to take a careful look at their security. "There has to be a thorough review at this point. There needs to be the point where you pull out all of the folders from your file cabinet, turn them upside down, and carefully review them with the heads of all the departments potentially involved," Burdette said. "Look at it from a what-if perspective."
Each organization will have different risk tolerances, and that should be examined for all the employees. âThat needs to be a no-holds-barred, looking at the situation, and then looking carefully for gaps,â he added.
Cannon added that with many companies, if a CEO wants to go somewhere, the flight department puts together a trip and goes. But often there is not a lot of input if an area carries a heightened risk or whether contingencies should be in place. "We see a lot of these companies don't actually have security plans and policies and protocols in place. And if they do, sometimes they're very limited," he said. "What are your tolerances? What's on paper? If nothing's on paper, now's the time to get something together so everybody can agree on a more formal policy that you can operate in. If you're not doing risk assessments, now's the time to get started."
Daniel Foust, president and founder of Corporate Aviation Security International, reiterated these comments. "In anything security-related, you have to be proactive in everything you do. You need to do an immediate assessment and audit of what the protocol is, how they're doing it, and find out their vulnerabilities," Foust said. "You can't fix the vulnerabilities if you don't know what they are. And key to that is finding out what your vulnerabilities are before the enemy does. And don't think that they're not trying to find them right now, whether it's through cyber, through physical, through structural, whatever they're doing, they're going to come after you that way."
He added that operators have many resources to help build security protocols and contingencies, whether working through a third-party security specialist, bringing in more security-experienced personnel, or simply coordinating with a flight department next door that has a working system. "But understand that everybody has these vulnerabilities; they're different, and they're unique to each flight department."
Foust agreed with the need for assessments and audits to make sure what is in place is working, as well as to look at what's new, what has changed, and the current threats.
They offered further advice such as in the case of ground transportation. Cannon recommended that companies use a password that the limo driver must have before anyone gets in the car. Further, the identification of the driver should be checked, and it should be confirmed that there is nobody else in the car. "I know it sounds like a big deal, but it's really not. It takes about 30 seconds."
Getting advanced intelligence on the destination is critical, they agreed, and further stressed that "boots on the ground" are extremely important in gathering key information.
"When you're planning, you are getting the vetting done beforehand," Foust said. "It's a security mindset. Who do you know in that area where you can get information?" There are government resources, online paid resources, and news articles, he noted. But people on location are "the best intel you can get."
He pointed to instances where his company received queries about various locations such as in South America or Africa. "What's really going on?" he asked. "We've had some instances where the news says it's horrible, but where you're going is an hour away and you're safe...We've had just the opposite. We've reached out to our teammates [at a location], and they replied back with a full report. But the executive summary was two bullet points: 'Don't you dare come here. It's a war zone,' and 'If you are going to come here, we need to know by close of business because all of the advanced work [that is required].'"
Burdette agreed. He noted that being aware of where people fly is crucial. He cited as an example Davos, Switzerland, which draws the World Economic Forum and protesters along with it.
"We've seen recent events that have been very anti-capitalist in nature," he said, recalling the security breach during the 2023 edition of EBACE. "We've also seen in the last year a couple of penetrations of the perimeter security at airports and damage or more to aircraft. When you have an incident or you have an event happening that is probable to draw individuals or organizations like that, you're going to have that opportunity there. You're going to have a higher probability of bad guys or potential bad guys, even if they're not trying to hurt people. Nonetheless, that affects your mission and your travel."
Cannon further stressed the need to have a contingency plan in place that is updated. He cited what he called "the big four" for contingency plans: illness or injury (whether the flight crew or the people aboard); crime and/or protests; fire or other evacuations; and emergency departures. "How do we handle that? What's our contingency plan? Who do we contact?" he asked, and added, "This comes to culture; it's the culture within the organization. It's the buy-in that we need to get from each player in the company. We all have to take a look around us and say, 'Hey, you know what? We are in a vulnerable job. We're traveling to different parts of the world where we can't guarantee that it's going to be all rosy and sunshine when we get there. And certainly, we can't guarantee that's going to stay that way.'
"The last thing you ever want to do is execute that emergency reaction plan. You want to be well ahead of that and that starts with communication, that mindset, and then getting that information way ahead of time so you can plan properly for something."
Eric Moilanen, founder of Premier Corporate Security, discussed precautions necessary for the use of supplemental lift. Moilanen stressed the need for pre-vetting but also asked about situations where there is an unexpected, urgent need for supplemental lift and a company hasn't planned for that contingency. "Not planning is really not the best option. If you have at least a basic plan in place with some bullet points, [you have] some things to look at when you're in the situation where this has come up right now and everybody in the flight department is going a million miles an hour trying to coordinate all the other things that go along with a zero-notice flight. Having at least some of a framework of what we should look for in the vetting is still going to be valuable even if you don't have all the finite details of that particular situation."
Security risks aren't always external. Sometimes that begins with the crew. Moilanen noted that companies go to great lengths to avoid being tracked at destinations, but the crew must be aware of their surroundings. "We go to the hotel lobby bar and we talk about work, we use aviation terms and company terms, and we sit at our high-top table and blab away. And we all have done it."
But by having those discussions where anybody can hear, "we've taken everything that we tried to put in place, and inadvertently, we have become the insider threat just through our normal course of conversation," Moilanen said.
Cannon cautioned against clothing with company logos at destinations. "We have to understand where we sit on that controversial scale and understand that there could be a threat against us. There could be a threat against our principal or our company. And so when we're wearing certain clothing, we become that commodity," he said, adding that he's a fan of simple black polos.
Also, crew communications are essential, especially while on the ground. "Flight departments have a general awareness of what corporate security is doing for the passengers, the principals, whoever is on this trip, and corporate security generally knows what the flight department is doing. But neither one of them gets into a lot of detail," said Moilanen. That can become problematic.
He cited as an example a three-day trip. During the day in the middle, the flight crew may be laying out by the pool or using the day to catch up on emails. "But if that is the most critical day for the principal's visit and that is the highest risk environment they're going to be in, the corporate security department needs to know that aircraft is one of the biggest tools they have to resolve an issue with that principal."
That may not be the best day to be dressed down and nowhere near the airplane, he cautioned. "If there's a critical timeframe where an extraction might be the most sensible thing to do, that comes back to the communication," Moilanen said.
The corporate flight department can educate the security apparatus in the company on what their capabilities are, how long it takes to get the airplane started, whether the aircraft is left fueled—all the pieces that are necessary if the crew gets word: "We're headed to the airport right now, the boss is injured, there was a threat, we got to get him out of town."
On the other hand, the flight department needs to know all the details to adjust to the sudden departure. "Maybe there's some aircraft capabilities, parking, weight, and things like that factor into that." From the corporate side, that may be minutiae, but all those details take up valuable minutes when a critical incident occurs.
One critical area that operators grapple with—and one where there's no clear resolution—is privacy of movement. Congress reinforced protections in place to prevent flight trackers from releasing real-time flight information of aircraft in cases where the operator has asked for privacy. However, with the ability to track aircraft by ADS-B, few flight monitoring organizations or individuals with such capabilities honor that. The ones that do are well-known and respected companies such as FlightAware. But most are not. This has resulted in high-profile cases such as the tracking of Taylor Swift's aircraft.
Moilanen noted that this is a scenario where supplemental lift can be helpful to avoid such issues. He noted that many flight departments feel they have plenty of aircraft and question why they would go outside for carriage of their principals.
"Regardless of your wishes to have your travels and your tail number blocked, it is still accessible to the general public. So that in itself can generate the need for a supplemental lift," he said. This could be through a variety of means, either via a Part 135 charter, a partnership, a fractional operation, or even just a close confidante/friend of the company with a Part 91 aircraft. But, Moilanen reiterated, when a flight department goes that route, it brings up the question of vetting and how well-known the entity is.
Foust called the tracking situation "a big issue." He noted other precautions put in place such as the FAA's Privacy International Civil Aviation Organization (ICAO) Address (PIA) program that allows aircraft owners to request an alternate, temporary ICAO address that is not specifically assigned to the owner in the Civil Aircraft Registry. But he called the PIA process "kind of long and tedious to get it taken care of, and it's very limited" in how far it extends.
Another tool is using double trusts. "There's multiple sources for that, but there's no solid 100% solution against that tracking," he said, noting that there is substantial criminal activity to ignore laws about this.
Until there is a foolproof solution, Foust added, "You're going to have to stack up, you're going to have to do multiple layers of protection."
He cited as an example deceptive operations, such as swapping airplanes by entering a different hangar with a pre-vetted operation. "We all did it in the military," he said, "and I've seen a company do this."
Another example is in ground transportation, having multiple cars leave in different directions, obscuring the true path of the principal. "The hangar's door is closed before the cabin door drops open, and then you have three different cars leaving in three different directions, and if anybody's watching, they don't know who went where. If somebody does, it's probably an insider. And that's a big threat right now too," Foust said.
Cannon stressed that this all comes down to communication and preparedness. "It's just a matter of educating our flight department, educating our crews, getting over the 'nothing's ever going to happen' routine," he said. "Because every incident that we've ever talked about was the first time that it happened to that particular crew. And so first times do happen, and they can be pretty devastating...It comes down to just getting back to the basics of let's get down to a security mindset and let's communicate across company lines and talk about this openly with our teams."