Business Aviation Insider nameplate

Vetting Vendors

Ensuring the security of passengers and crew entails minimizing potential risks posed by service providers.

“If a business aircraft is arriving at an international destination, the people at the FBO, the contractors, the ground transportation providers, catering companies – everybody handling the aircraft – has a lot of advance information: the name of the company, the names of the crew members, arrival time, where you’re staying,” notes Greg Kulis, lead captain and security coordinator for a U.S. business aircraft operator. “Because of that advance knowledge, everybody involved [all vendors] should be carefully vetted.”

In this era of heightened social unrest and terrorism, companies are often targeted, especially their highly visible and symbolic resources, such as business aircraft, their passengers and even flight crews. In addition, there are always security threats from criminal elements, which seek anything of resaleable value that is not adequately protected.

The fact that activists, terrorists or crooks might be lurking within the ranks of vendors with ready access to your aircraft or personnel is disconcerting. It should be, says Charlie LeBlanc, vice president of global risk for UnitedHealthcare Global.

“Complacency is probably the hardest thing that we fight on a daily basis,” said LeBlanc. “We want to make sure that passengers understand that information is power. That at the locations they’re going to, situations change, and change quickly.”

Start Building a Risk Profile

How can business aircraft operators mitigate vendor security risks?

“We start from an intelligence view of a trip and focus on the profile of the passengers,” LeBlanc explains. “How high profile are they? What is the purpose of the trip? Opening a factory is going to have a much different risk profile than shutting down a factory.

“What’s going on in those locations that may cause additional problems?” continued LeBlanc. “Nationwide strikes could gridlock traffic. Large conferences or groups staying at the same hotel may raise the [risk] profile. We’re looking at all those things.”

Conceivably, an aviation operation, working with the company’s security team and combing through open-source information, including social media, could create a risk profile in two to three days.

But what if your company doesn’t have a security department? You could develop a risk profile by working with a security services provider.

Rick Snider, an NBAA Security Council member and former manager of compliance for ARINCDirect, a Collins Aerospace business, says one of the first actions his company takes on behalf of clients is a “denied party” screening of potential vendors, searching various databases for any criminal activity, questionable financial issues, even legal sanctions imposed by the U.S. or other governments. He says that understanding a vendor’s ownership also is important.

“When you outsource, you’ve got to maintain awareness of what has been done,” says Snider.

Check Every Box Every Time

Whether a business aircraft operator handles all its own vendor research in house or hires a trusted service provider, whoever does the vetting needs to be thorough.

“Regardless of the size or scope of the operation, a single flight goes through the same steps, and each step has its own security considerations,” says Kulis. “Most of those trip-planning steps involve third-party providers, so vetting of third-party providers is a very important component.”

A key question is, “How much do the vendors you work with represent you or have access to your private information?”

Doug Carr, NBAA’s vice president of regulatory and international affairs, recommends that operators screen vendors carefully before hiring them.

  • Review ownership and financial information to make sure you know who you are dealing with.
  • Develop questionnaires or interview questions to be answered by new vendors.
  • Review a vendor’s training requirements, certifications, etc. to make sure they are up to date.
  • Once hired, make periodic site visits to review vendors’ processes.

Carr adds, “Do not be afraid to ask questions of your FBO and how they manage the vendors they bring in to provide services for your flight.”

How Secure Is the Airfield, FBO?

Aircraft operators should assess the threat environment at the destination airport FBO, including:

  • Perimeter security
  • Access control for gates and doors (including control of keys and electronic badges)
  • Access to storage areas for food and tools
  • Baggage handling procedures
  • Video surveillance coverage, lighting and the hangar security system

“Is the facility attended 24 hours? Is it located behind locked fencing, with admittance tightly controlled? How are the aircraft secured?” These are some of the questions to be asked, says Kulis.

It’s also important to review incident reports for each airport or FBO and examine vendors’ security policies. When doing a site visit, look to see if the employees are abiding by established security standards and requirements, or showing signs of complacency.

Check a vendor’s certifications and personnel training requirements for aircraft servicing. Determine exactly what access vendors have to the aircraft, hangar, or the kitchen or offices inside the facility. Could vendors leave gates open or unlocked?

Don’t forget to ensure the security of the food being served aboard the aircraft. If ordering catering, know where the food is coming from and how it is prepared, stored, transported and handled. Use tamper-proof seals on all food containers.

“If you’re not dealing with a vetted caterer, have the crew order food from the hotel and take it back to the aircraft,” Kulis suggests.

Destination Dangers

When traveling overseas, Kulis says the U.S. embassy or consulate in the destination country can be a good source of security information, including travel warnings, entry/exit visa requirements, local laws and health resources.

In addition, Kulis recommends visiting the U.S. State Department’s Overseas Security Advisory Council (OSAC) website (osac.gov), which is always posting new alerts regarding security, public demonstrations and health concerns, along with travel advisories for various countries.

The biggest risk exposure that passengers face is usually ground transportation, warns LeBlanc. “That’s probably where they’re most vulnerable. It still amazes me that flight departments will pick ground transportation companies off a Google search,” LeBlanc laments.

Kulis recommends that travelers and flight crews should have information ahead of time on the vehicle and driver that’s picking them up – the license number, the driver’s photograph and license information, and the plan to get from the FBO to the hotel or meeting location.

“All that should be known in advance, and that transportation should be carefully vetted,” says Kulis, adding, “We do not advise that crews leaving international FBOs jump in a taxi. If something happens to the crew, the passengers are virtually stranded. Nobody goes anywhere.”

Naturally, the hotel should be vetted. Consider checking with the embassy as to which hotels are approved for visiting dignitaries. Key things to consider are access to emergency exits and the availability of room safes. Also, is there limited access to the interior of the hotel from outside?

Finally, be careful about walking around at a destination, even in areas that appear benign.

“Expect to be targeted and followed, particularly on foot,” cautions Kulis, whose first career was in law enforcement before transitioning to business aviation.

Secure Your Data

As important as it is to ensure physical security, it is equally important to protect data. This is more than a smart business practice; it is a requirement of the European Union General Data Protection Regulation (GDPR), which was implemented to protect EU citizens.

“The GDPR requires very clear consent by the data subject and the ability to withdraw consent to use that data,” explained Snider. Violations of the new data-privacy provisions can result in large penalties. Confirm with the destination FBO or handler how they manage GDPR and personal information.

Snider emphasizes, “Keep data close. We take care to only provide data to those who have a need [to know]. We don’t like to send hard copies of any manifest information because it can be left lying around. Then, you have no idea who could be getting hold of that data and what they might do with it.”

Review NBAA’s security resources at nbaa.org/security

Where To Start

A key security tool available to business aircraft operators is the 12-page Security Risk Assessment for Business Aviation developed by the NBAA Security Council. This document features a step-by-step worksheet on overall security, including specific issues related to third-party vendors, such as:

  • Do primary and secondary vendors have insurance/licensing to support risks from third-party vendors?
  • To what standards are all elements of the vendor chain held responsible?
  • Are regular checks/inspections carried out, including background checks of personnel with access to the aircraft and sterile area?
  • How often, if ever, are the vendors audited for performance and service level?
  • Are “secret shopper”-type inspections conducted for each vendor?

Avoid Complacency by Asking FBOs Questions

The levels of security available for business aircraft, flight crews and passengers can vary widely between large “Category X” airports and smaller, non-towered fields. This disparity requires dispatchers and flight crews to ask the right questions long before the aircraft arrives, says Craig Teasdale, Signature Flight Support’s director of operations – west.

At smaller airports, Teasdale said security complacency can be an issue, when ramp crews are used to seeing the same airport tenants, transient traffic and vendors coming and going all the time. This familiarity can lead to complacency. Unless all non-badged vehicles and people trying to access a ramp area are questioned, security can be compromised.

Even at larger airports, where higher levels of security are expected, it still pays to ask an FBO, prior to arrival, what protocols are in place. Then, upon arrival, make sure those protocols are actually being followed.

“When planning to arrive at an FBO your crew has never visited, ask what physical barriers the airport has,” recommended Teasdale. “Is there a fence, and if yes, who has access through that fence? Ask who will be watching your aircraft 24 hours a day. Will it be ramp workers, visible airport security or the county sheriff, who might be 30 minutes away? It’s easy for some ramp personnel to become complacent when it comes to asking why someone wants access to a secure ramp area. Even knowing if they ask for an N number before opening the gate is valuable security information.”

Sept/Oct 2020

Tips for Maintaining Hangar Security

As companies cope with added stresses to their finances, home lives and the reality of furloughs and layoffs, operators must be prepared to mitigate these security risks.
Read More

July/Aug 2020

Flight Crews: Line of Sight

Vigilance is the best of the best practices when moving baggage. It ensures that flight crewmembers always know what’s being loaded on the aircraft.
Read More

June 26, 2020

Virtual Maintenance Conference: Mitigating Business Aircraft Cybersecurity Vulnerabilities

Though business aircraft typically feature the most hardened cybersecurity systems, a breach could create a very real concern. Secure connectivity is the subject of the latest NBAA GO Virtual Maintenance Conference session, and those interested may join the live Q&A session at 3 p.m. (EDT) Monday, June 29, 2020.
Read More

May 26, 2020

TSA Releases Guide to Mitigating Insider Threat

The Transportation Security Administration has released a guide to mitigating the risk of insider threats in transportation.
Read More