Tag Archives: critical infrastructure

Checklist

2020 FSC Episode 4 Wrap: FDA: There’s a Strong Business and Public Health Case for Better Traceability

By Maria Fontanazza
No Comments
Checklist

One year ago the FDA held an at-capacity public meeting to discuss its latest initiative, the New Era of Smarter Food Safety. At the time, the agency was planning to release the blueprint for the New Era in the spring of 2020. In fact, the FDA was just days away from unveiling it when the COVID-19 pandemic hit in March. The blueprint was put aside and it was all hands on deck, as the agency worked with the food industry to ensure companies continued operating, as they were deemed a part of America’s critical infrastructure. From there, the agency navigated through uncharted waters with the food industry and its stakeholders. It signed an MOU with USDA in an effort to prevent disruptions at FDA-regulated food facilities and address shortages of PPE, disinfection and sanitation supplies. It announced that it would conduct remote inspections and extended the comment period for the Laboratory Accreditation Program Proposed Rule. It released a COVID-19 food safety checklist with OSHA to help guide companies through employee health, social distancing, and the operational issues that have entered into play as a result of the pandemic. Food companies and the supply chain were facing an enormous challenge.

“I always thought we had one of the best food systems in the world… by and large we have an amazing food system,” said Frank Yiannas deputy commissioner for food policy and response during last week’s keynote address at the 2020 Food Safety Consortium Virtual Conference Series. “We just experienced the biggest test on the food system in 100 years. Have we passed the test? I don’t think anyone would say we scored 100%… but by and large we passed the test.” Yiannas added that COVID-19 has exposed some strengths and weaknesses in the food system as well. He also emphasized a point that he has been driving home throughout the pandemic: “The virus that causes COVID-19 is not a virus that is transmitted by food. It is a respiratory virus and generally transmitted in very different ways.”

The FDA released the blueprint for the New Era of Smarter Food Safety, which incorporated some lessons learned from COVID-19, in July. Traceability is a big part of agency’s new era initiative, and the pandemic further put a spotlight on the need for better tracking and tracing in the food industry. And under FSMA, FDA is required to “establish a system that will enhance its ability to track and trace both domestic and imported foods”. In working to meet this requirement, FDA proposed the FSMA rule on food traceability last month.

Yiannas said the proposed rule has the potential to lay the foundation for meaningful harmonization and called aspects of the proposed rule game changing. It establishes two critical components that are the leading edge of food traceability: It defines critical tracking events (i.e., what are the types of events in the food system that required those events to be kept) and key data elements (i.e., the data elements that must be captured at those critical tracking events). “These two things are big ideas for traceability,” said Yiannas. “They will allow us to harmonize how traceability is to be done, allow us to scale and allow for greater interoperability.” The proposed rule also creates a traceability list that identifies foods based on a risk-ranking model for food tracing.

FDA is encouraging comments on the proposed rule and is holding three meetings (November 6, November 18 and December 2) to discuss the proposed traceability rule. “We are going to create the final rule together,” said Yiannas.

Follow this link to the 2020 Food Safety Consortium Virtual Conference Series, which provides access to 14 episodes of critical industry insights from leading subject matter experts! We look forward to your joining us virtually.

Karen Everstine, Decernis
Food Fraud Quick Bites

COVID-19 and Food Fraud Risk

By Karen Everstine, Ph.D.
No Comments
Karen Everstine, Decernis

While foodborne transmission of the novel coronavirus is unlikely , the virus has significantly affected all aspects of food production, food manufacturing, retail sales, and foodservice. The food and agriculture sector has been designated as a “critical infrastructure,” meaning that everyone from farm workers to pest control companies to grocery store employees has been deemed essential during this public health crisis.* As a society, we need the food and agriculture sector to continue to operate during a time when severe illnesses, stay-at-home orders and widespread economic impacts are occurring. Reports of fraudulent COVID-19 test kits and healthcare scams reinforce that “crime tends to survive and prosper in a crisis.” What does all of this mean for food integrity? Let’s look at some of the major effects on food systems and what they can tell us about the risk of food fraud.

Supply chains have seen major disruptions. Primary food production has generally continued, but there have been challenges within the food supply chain that have led to empty store shelves. Recent reports have noted shortages of people to harvest crops, multiple large meat processing facilities shut down due to COVID-19 cases, and recommendations for employee distancing measures that reduce processing rates. One large U.S. meat processor warned of the need to depopulate millions of animals and stated “the food supply chain is breaking.” (An Executive Order was subsequently issued to keep meat processing plants open).

Equally concerning are reports of supply disruptions in commodities coming out of major producing regions. Rice exports out of India have been delayed or stopped due to labor shortages and lockdown measures. Vietnam, which had halted rice exports entirely in March, has now agreed to resume exports that are capped at much lower levels than last year. Other countries have enacted similar protectionist measures. One group has predicted possible food riots in countries like India, South Africa and Brazil that may experience major food disruption coupled with high population density and poverty.

Supply chain complexity, transparency and strong and established supplier relationships are key aspects to consider as part of a food fraud prevention program. Safety or authenticity problems in one ingredient shipment can have a huge effect on the market if they are not identified before products get to retail (see Figure 1). Widespread supply chain disruptions, and the inevitable supplier adjustments that will need to be made by producers, increase the overall risk of fraud.

Reconstructed supply chain
Figure 1. Reconstructed supply chain based on recall data following the identification of Sudan I in the chili powder supply chain in 2005. Data source: Food Standards Agency of the U.K. National Archives and The Guardian. Figure from: Everstine, K. Supply Chain Complexity and Economically Motivated Adulteration. In: Food Protection and Security – Preventing and Mitigating Contamination during Food Processing and Production. Shaun Kennedy (Ed.) Woodhead Publishing: 26th October 2016. Available at: https://www.elsevier.com/books/food-protection-and-security/kennedy/978-1-78242-251-8

Regulatory oversight and audit programs have been modified. The combination of the public health risk that COVID-19 presents with the fact that food and agriculture system workers have been deemed “critical” has led to adjustments on the part of government and regulatory agencies (and private food safety programs) with respect to inspections, labeling requirements, audits, and other routine activities. The FDA has taken measures including providing flexibility in labeling for certain menus and food products, temporarily conducting remote inspections of food importers, and generally limiting domestic inspections to those that are most critical. USDA FSIS has also indicated they are “exercising enforcement discretion” to provide labeling flexibilities. The Canadian Food Inspection Agency (CFIA) announced they are prioritizing certain regulatory activities and temporarily suspending those activities determined to be “low risk.” GFSI has also taken measures to allow Certification Program Owners to provide certificate extensions due to the inability to conduct in-person audits.

While these organizations have assured stakeholders and the public that food safety is of primary importance, the level of direct regulatory and auditing oversight has been reduced to reduce the risk of virus transmission during in-person activities. Strong auditing programs with an anti-fraud component are an important aspect of food fraud prevention. Adjustments to regulatory and auditing oversight, as necessary as they may be, increase the risk of fraud in the food system.

There is a focus on safety and sustainability of foods. The food industry and regulatory agencies are understandably focused on basic food safety and food sustainability and less focused on non-critical issues such as quality and labeling. However, there is a general sense among some in industry that the risk of food fraud is heightened right now. Many of the effects on the industry due to COVID-19 are factors that are known to increase fraud risk: Supply chain disruptions, changes in commodity prices, supplier relationships (which may need to be changed in response to shortages), and a lack of strong auditing and oversight. However, as of yet, we have not seen a sharp increase in public reports of food fraud.

This may be due to the fact that we are still in the relatively early stages of the supply chain disruptions. India reported recently that the Food Safety Department of Kerala seized thousands of kilograms of “stale” and “toxic” fish and shrimp illegally brought in to replace supply shortages resulting from the halt in fishing that occurred due to lockdown measures.

High-value products may be particularly at risk. Certain high-value products, such as botanical ingredients used in foods and dietary supplements, may be especially at risk due to supply chain disruptions. Historical data indicate that high-value products such as extra virgin olive oil, honey, spices, and liquors, are perpetual targets for fraudulent activity. Turmeric, which we have discussed previously, was particularly cited as being at high risk for fraud due to “‘exploding’ demand ‘amidst supply chain disruptions.’”

How can we ensure food sufficiency, safety, and integrity? FAO has recommended that food banks be mobilized, the health of workers in the food and agriculture sector be prioritized, that governments support small food producers, and that trade and tax policies keep global food trade open. They go on to say, “by keeping the gears of the supply chains moving and actively seeking international cooperation to keep trade open, countries can prevent food shortages and protect the most vulnerable populations.” FAO and WHO also published interim guidance for national food safety control systems, which noted the increased risk of food fraud. They stated “during this pandemic, competent authorities should investigate reported incidences involving food fraud and work closely with food businesses to assess the vulnerability of supply chains…”.

From a food industry perspective, some important considerations include whether businesses have multiple approved suppliers for essential ingredients and the availability of commodities that may affect your upstream suppliers. The Acheson Group recommends increasing supply chain surveillance during this time. The Food Chemicals Codex group recommends testing early and testing often and maintaining clear and accurate communication along the supply chain.1 The nonprofit American Botanical Council, in a memo from its Botanical Adulterants Prevention Program, stated “responsible buyers, even those with relatively robust quality control programs, may need to double- or even triple-down on QC measures that deal with ingredient identity and authenticity.”

Measures to ensure the sufficiency, sustainability, safety and integrity of foods are more closely linked than ever before. In this time when sufficiency is critical, it is important to avoid preventable food recalls due to authenticity concerns. We also need to stay alert for situations where illegal and possibly hazardous food products enter the market due to shortages created by secondary effects of the virus. The best practices industry uses to reduce the risk of food fraud are now important for also ensuring the sufficiency, sustainability and safety of the global food supply.

Reference

  1. Food Safety Tech. (April 24, 2020). “COVID-19 in the Food Industry: Mitigating and Preparing for Supply Chain Disruptions “. On-Demand Webinar. Registration page retrieved from https://register.gotowebinar.com/recording/1172058910950755596

*Foodborne transmission is, according to the Food Standards Agency in the U.K., “unlikely” and, according to the U.S. FDA, “currently there is no evidence of food or food packaging being associated with transmission of COVID-19.”

Alert

Meat Shortage Threat, Facility Employees Can Still Work After Potential COVID-19 Exposure

By Maria Fontanazza
No Comments
Alert

–UPDATE April 29, 2020— Yesterday President Trump signed an executive order to keep meat and poultry processing facilities operational during the coronavirus national emergency. U.S. Secretary of Agriculture Sonny Perdue said the following in a USDA statement, “Maintaining the health and safety of these heroic employees in order to ensure that these critical facilities can continue operating is paramount. I also want to thank the companies who are doing their best to keep their workforce safe as well as keeping our food supply sustained. USDA will continue to work with its partners across the federal government to ensure employee safety to maintain this essential industry.”

–END UPDATE–

As critical infrastructure workers, employees at meat and poultry processing facilities have stayed on the job during the coronavirus crisis. Hundreds have fallen ill and many have died as a result; at least 100 USDA inspectors have tested positive for COVID-19 and at least one inspector has died, according to reports. Production facilities across the country have shut down over the past month, and the threat of a meat shortage is very close to becoming a reality, warns Tyson Foods Chairman John Tyson. “In small communities around the country where we employ over 100,000 hard-working men and women, we’re being forced to shutter our doors. This means one thing—the food supply chain is vulnerable. As pork, beef and chicken plants are being forced to close, even for short periods of time, millions of pounds of meat will disappear from the supply chain,” Tyson stated in a company blog. “As a result, there will be limited supply of our products available in grocery stores until we are able to reopen our facilities that are currently closed.”

Hog and cattle producers are altering rations to slow the growth of livestock. In Iowa, the National Guard was activated to conduct testing and contact tracing of plant workers from Tyson Foods and National Beef Packing Company.

Meat production is on a 25% decline and by the end of this week, America could be entering a meat shortage, according to Dennis Smith, an Archer Financial Services commodity broker and livestock analyst.

Access the COVID-19 Resource CenterProtecting Essential Employees

“To ensure continuity of operations of essential functions, CDC advises that critical infrastructure workers may be permitted to continue work following potential exposure to COVID-19, provided they remain asymptomatic and additional precautions are implemented to protect them and the community,” the CDC’s Critical Infrastructure Guidance states. The agency also notes that screening workers for COVID-19 symptoms is “an optional strategy”.

Meat processing workers are not exposed to COVID-19 through product handling; they can be exposed via close contact with other employees in a facility. The CDC and OSHA have released interim guidance for meat and poultry processing workers and employers that details how communal work environments should be laid out and how employers should be promoting social distancing. Engineering controls include the following:

  • Reconfiguration of workstations to allow employees to be six feet apart, if possible
  • Establishing physical barriers (i.e., plexiglass or strip curtains) to separate workers
  • Working with an HVAC engineer to establish proper ventilation that limits potential exposure to coronavirus; removal of any pedestal or personal fans
  • Setting up handwashing stations or hand sanitizer (60% alcohol) stations
  • Reconfiguring break rooms and other communal areas to promote social distancing

The CDC also recommends that workers wear cloth face coverings that fit over the mouth and nose.

For workers who have experienced COVID-19 symptoms and have self-isolated at home, the CDC advises they do not return to work until they meet specific criteria.

Read the CDC and OSHA interim guidance.

Craig Reeds
FST Soapbox

Cybersecurity for Food and Beverage Operational Technology (OT) Environments

By Craig Reeds
No Comments
Craig Reeds

Much of the attention that cybersecurity gets is on the IT or office network side of things, but recently people have begun paying more attention to operational technology (OT) systems that make up the country’s critical infrastructure. When people think of critical infrastructure, they automatically think of oil and gas, power generation, and water. Many people don’t realize that there are actually 16 critical infrastructure industries:

  • Energy
  • Financial
  • Dams
  • Defense
  • Critical Manufacturing
  • Water and Wastewater
  • Food and Agriculture
  • Healthcare
  • Government Facilities
  • Commercial Facilities
  • Transportation
  • Emergency Services
  • Chemical
  • Communications
  • Nuclear
  • Information Technology

One of the easily forgotten, but perhaps most important, is food and beverage manufacturing. A cyber attack on a food and beverage company might not result in the lights going out or clouds of toxic gas, but they could result in explosions, or tainted food. We need to start paying more attention to cybersecurity in the food and beverage industry. What would happen if a hacker got into the control system at a frozen foods distribution facility? They could raise the temperature in the freezers, thaw the food and then refreeze it. This could result in food poisoning for hundreds or thousands of people. Bad actors can do a lot of harm by targeting this sector.

Many companies are pushing to combine their IT and OT departments, something they call IT/OT convergence. This can be done, but you need to first understand that IT and OT have differing goals.

It is important to review the organizational structure. You will typically find that both IT and OT report organizationally to the CEO level. We also find senior management believes IT owns the industrial control system (ICS) networks and security—mainly because IT owns support, maintenance & operational budget for network and security (basically letting OT off the hook).

IT’s primary goals are confidentiality, integrity and availability, the CIA triad. While working toward these objectives IT also tries to make it possible for users to access the network from any location from which they are working, using whatever computing device they have with them. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.

OT’s primary goals are availability, integrity and confidentiality—a complete reversal of the CIA triad. They strive to keep production running, be it an electric utility, an oil rig or a pop-tart factory 24/7/365. OT is all about what works, a “We’ve always done it that way” mentality. OT will always be reluctant to make any change that might bring down the production line. Remember, they are graded on widgets per minute. There must be trust and open communication between IT and OT if things are going to work properly.

When we are talking about OT cybersecurity, we usually use terms like secure or prevent, when we really should be thinking about words like containment. Securing the network and preventing attacks is important, but at some point, an attack will get past your defenses. Then it is a matter of containment: How do we keep the problem from spreading to other networks?

One thing to definitely avoid is the desire by IT to have bi-directional communications between the IT and OT networks—this should never happen. Also, avoid the desire to connect the ICS to the Internet so that you can control the process remotely. There is no reason for the plant manager to be able to go home, have a couple beers and then log on to see if he can make things run better. If the control system is going to be connected to the corporate IT or the Internet, it should only have out-going uni-directional data transmission to allow monitoring of the system.

Building a good OT cybersecurity program, you need to do three things:

  • Get C-Level support and buy-in for the changes to be made.
  • Communicate with stakeholders and vendors.
  • Make decisions as a team, make sure all the stakeholders, IT, OT, engineering are all involved.

After you have set up the structure and started communicating, you need to begin cybersecurity awareness training for the OT staff. This training should be focused on educating plant personnel on what cybersecurity is, both at work and at home, and how to respond or escalate something that seems wrong. They need to be trained what needs to be dealt with immediately and what can wait. Consider doing tabletop exercises where you practice what to do when certain things occur. This can act as a stress test for your incident response plan and help find the holes in your plan and procedures. These tabletop exercises should involve C-suite individuals as well as people from the plant floor, so everyone understand their part in a cyber-attack response.

If these concepts are followed, you will be well on your way to creating a much more cyber-secure production environment.