Australia proposes reform to aviation, maritime transport security settings, seeks industry feedback

The Australian government released on Monday a discussion paper seeking aviation and maritime stakeholder views on a strategic reform agenda and new regulatory model. Acknowledging that the nation’s transport security is a joint effort between government and industry, the Department of Home Affairs is seeking views from interested parties and stakeholders on the questions and issues raised in the discussion paper, with comments to be submitted by May 12, 1700 hrs AEST.

Released by Clare O’Neil, the Minister for Home Affairs, the discussion paper identifies five key areas of high impact in response to the recommendations that may be implemented soon. These include removing prescriptions in security programs, an outcomes and risk-based security management approach, the Department’s regulatory relationship with screening providers, screened and unscreened air services, and industry engagement and education to support performance and compliance.

The Minister may also direct the Inspector of Transport Security to conduct reviews or inquiries to strengthen Australia’s transport security.

In line with the 2021-22 Budget Deregulation Agenda, the Australian government had commissioned an independent review of Australia’s aviation and maritime transport security settings. The review considered reforms to the policy and legislative frameworks for transport security. This included, but was not limited to, the range of measures outlined in the Aviation Transport Security Act 2004 and the Maritime Transport and Offshore Facilities Security Act 2003.

In the final report, the independent review made 26 recommendations and 66 sub-recommendations across five key themes. These included updating legislative and policy frameworks to enable iterative, risk-based, and scalable regulation; raising integration of intelligence and data analysis for the CISC as the regulatory body; improving partnerships between the CISC and industry through better communication and engagement; redesigning compliance processes and enforcement strategies; and raising, training and sustaining appropriate transport security capability for both the CISC and industry.

The final report of the Review was provided to the Department of Home Affairs last April. However, due to the sensitivity of the information it contains, the government will not release the final report publicly. 

Last month, the Australian Cyber and Infrastructure Security Centre (CISC) released a risk assessment advisory for critical infrastructure focused on the country’s transport sector. The advisory can help the transport sector determine and understand which sites and components of an asset should be considered critical, and it provides examples to help determine critical assets.

In the discussion paper, the proposed reforms include removing prescriptions in security programs, working towards an outcomes- and risk-based security management approach, the department’s regulatory relationship with screening providers, screened and unscreened air services, industry engagement and education to support performance and compliance, and other issues.

The review identified a key deregulation opportunity for both industry and the department by moving away from the prescriptive nature of Transport Security Programs (TSPs) or Security Programs (SPs) in the aviation sector, and Maritime, Ship, or Offshore Security Plans (MSPs, SSPs or OSPs) in the maritime sector (collectively ‘security programs’) towards an outcomes-focused approach. 

“The Review identified that these security programs, which are a foundational part of the regulations, are disjointed from practical outcomes – they may be shelved after approval and do not directly align with the highest harm risks and may be resource-intensive to complete,” the discussion paper said. “It is proposed that security programs would remain a regulatory requirement to continue to meet Australia’s international obligations, but the content would be less prescriptive and would be in part developed by the industry participant.”

Under this proposal, the department would ensure the program exists and plan compliance activities against it; however, the majority of content will not need to undergo a formal approval process by the department. Certain information, for example, security zones and the local security risk context at airports, may still need to be submitted to the department. This would reduce the administrative burden for both the industry and the department, and minimize the current ‘back-and-forth’ approvals process. The onus would be on the industry participant to demonstrate they can deliver the security outcomes, which would be captured in regulations. 

The implementation of an outcomes-based framework may also require reconsideration of associated offense provisions to ensure that the regulatory structure includes an appropriate framework to respond to non-compliance. Currently, several strict liability offenses are tied to security programs rather than to obligations outlined directly in the legislation. Redrafted strict liability offense provisions could facilitate prompt and efficient issuing of infringement notices without the need to resort to prosecution.

To reduce the prescriptive nature of security programs, the review suggests moving to a more risk-based and outcomes-based approach to the management of security issues. A more outcomes-focused approach to transport security regulations could be achieved by embedding security management into governance and operations in a similar way to safety. 

The Security Management System (SeMS) approach is a structured management system based on the widely-used Safety Management System framework, according to the discussion paper. “SeMS is being used more and more widely, including in the United Kingdom, which reported an uplift of security outcomes. A SeMS approach is also consistent with the transition to broadening security to an ‘all hazards’ approach as it encompasses risks, including cyber and supply chain, more generally. The interoperability of this approach with other safety regulators to allow for the management of risk rather than meeting prescriptive regulatory requirements would also allow for a more risk-based and scalable approach to aviation and maritime security,” it added. 

Under this proposal, the department would allow the industry to adopt a SeMS approach, where an entity’s SeMS would replace the current security program. Acknowledging that industry participants have differing levels of maturity, the option for the industry to adopt SeMS would be voluntary. “The Department would provide industry participants the flexibility and discretion to implement SeMS, subject to the nature of their organisation. For example, while SeMS can be implemented by organisations of all sizes, in the aviation context it may be more attractive for mature airlines and airports. The SeMS approach to managing security, which embeds security more deeply in an entity’s governance and day-to-day operations, would mean that industry takes greater ownership of security risks and outcomes,” according to the discussion paper.

The review also recommends retaining prescriptive standards on screening to ensure effective and consistent capability and performance. Most screeners are not directly employed by the screening authority but are instead employees or subcontractors of a contracted security provider. This means the department does not regulate screening providers in the same manner as it does screening authorities. This is also the case in the maritime sector. 

The review also supports a more direct relationship by the regulator with screening providers to achieve greater control over security standards and provide an avenue for feedback on screening performance to be delivered directly to the provider by the regulator. It is proposed a mechanism be introduced in legislation to enable the department to take a more direct approach with screening providers under certain circumstances: for example, when security outcomes are not being met.

“In aviation and maritime sectors, screening providers would still be contracted by screening authorities and reliant on infrastructure and technologies owned by the screening authority (aviation) or the facility operator (maritime),” the discussion paper said. “The Department proposes introducing a power to seek screening information directly from providers without the approval of the screening authority to identify and work directly with providers to remediate issues.”

The review also identified the introduction of the airport categorization model as a positive outcome, allowing for a more suitable and scalable security approach to be taken based on risk, including aircraft size and passenger numbers, and providing certainty to airports about requirements and where screening investment should be made. 

“Passenger screening at security-regulated screened airports is determined by aircraft seating capacity and passenger volumes, which means some airports manage both screened and unscreened services for similar sized regular public transport (RPT) and open charter flights,” the discussion paper said. “The delineation between screened and unscreened air services based on passenger capacity was identified in the Review as a regulatory burden without a security dividend, even acknowledging that the current regulations provide flexibility for airports to manage unscreened flights according to their individual operational needs.”

The department proposes to continue to broaden its current regulatory focus, which is on compliance monitoring (audit, inspection, testing, enforcement), to include greater compliance assistance activities such as outreach and education, risk communications, advice or informal guidance, and commissioned research. This activity should not limit the evaluation of security outcomes and regulatory requirements.

The discussion paper revealed that the department is using the newly established ‘performance scorecard’ framework to assist the aviation industry through transparency and a greater understanding of compliance results. “We will not share individual performance or compliance outcomes, but will more proactively share general trends and themes to identify priority areas for further attention. Greater sharing of data and information from industry would provide the Department with a more granular understanding of industry and assist the effectiveness of the Department’s outreach compliance activities,” it added.

Lastly, the review identified many systemic issues across legislative, policy, and compliance and included the 26 recommendations with a further 66 sub-recommendations covering a range of issues. 

The move by the Australian government comes as the U.S. Transportation Security Administration (TSA) last month issued an emergency cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators. These measures work to enhance cybersecurity resilience by focusing on performance-based measures, requiring regulated entities to develop plans to harden resilience, while also preventing disruption and degradation to their infrastructure.

The Cyberspace Solarium Commission has also published a report providing additional analysis of cyberattacks against the maritime transportation system (MTS) with recommendations to the U.S. Congress to resource the subsector’s cybersecurity more fully. It also highlights the need for better government-industry cybersecurity collaboration and better resourcing of government efforts to support the private sector.
