One year ago the FDA held an at-capacity public meeting to discuss its latest initiative, the New Era of Smarter Food Safety. At the time, the agency was planning to release the blueprint for the New Era in the spring of 2020. In fact, the FDA was just days away from unveiling it when the COVID-19 pandemic hit in March. The blueprint was put aside and it was all hands on deck, as the agency worked with the food industry to ensure companies continued operating, as they were deemed a part of America’s critical infrastructure. From there, the agency navigated through uncharted waters with the food industry and its stakeholders. It signed an MOU with USDA in an effort to prevent disruptions at FDA-regulated food facilities and address shortages of PPE, disinfection and sanitation supplies. It announced that it would conduct remote inspections and extended the comment period for the Laboratory Accreditation Program Proposed Rule. It released a COVID-19 food safety checklist with OSHA to help guide companies through employee health, social distancing, and the operational issues that have entered into play as a result of the pandemic. Food companies and the supply chain were facing an enormous challenge.
“I always thought we had one of the best food systems in the world… by and large we have an amazing food system,” said Frank Yiannas deputy commissioner for food policy and response during last week’s keynote address at the 2020 Food Safety Consortium Virtual Conference Series. “We just experienced the biggest test on the food system in 100 years. Have we passed the test? I don’t think anyone would say we scored 100%… but by and large we passed the test.” Yiannas added that COVID-19 has exposed some strengths and weaknesses in the food system as well. He also emphasized a point that he has been driving home throughout the pandemic: “The virus that causes COVID-19 is not a virus that is transmitted by food. It is a respiratory virus and generally transmitted in very different ways.”
The FDA released the blueprint for the New Era of Smarter Food Safety, which incorporated some lessons learned from COVID-19, in July. Traceability is a big part of agency’s new era initiative, and the pandemic further put a spotlight on the need for better tracking and tracing in the food industry. And under FSMA, FDA is required to “establish a system that will enhance its ability to track and trace both domestic and imported foods”. In working to meet this requirement, FDA proposed the FSMA rule on food traceability last month.
Yiannas said the proposed rule has the potential to lay the foundation for meaningful harmonization and called aspects of the proposed rule game changing. It establishes two critical components that are the leading edge of food traceability: It defines critical tracking events (i.e., what are the types of events in the food system that required those events to be kept) and key data elements (i.e., the data elements that must be captured at those critical tracking events). “These two things are big ideas for traceability,” said Yiannas. “They will allow us to harmonize how traceability is to be done, allow us to scale and allow for greater interoperability.” The proposed rule also creates a traceability list that identifies foods based on a risk-ranking model for food tracing.
FDA is encouraging comments on the proposed rule and is holding three meetings (November 6, November 18 and December 2) to discuss the proposed traceability rule. “We are going to create the final rule together,” said Yiannas.
With significant clusters of COVID-19 infection among employees—16,000 cases and 86 deaths documented by the CDC through May 2020 — the food processing and distribution industry faces significant challenges in reopening their facilities and ramping up to full capacity. Technology for health and safety access governance and intelligence, along with guidelines from the CDC and OSHA, can help support food companies in the automation of certain compliance activities and a safe return-to-work strategy.
Designated part of the essential critical infrastructure by the federal government at the onset of the pandemic in the spring of 2020, the food supply chain needs active solutions to protect its workforce. But there’s more to this back-to-work transition. Workers need to feel safe and trust that new security, safety and compliance processes have their best interests in mind—transferring to an overall positive experience with their employer.
In the age of contagion, the food industry requires ways to communicate better with the workforce, identify and isolate areas of contagion and also deal with the lingering presence of potential bioterrorism, insider threat and cyber-attack. It’s a multi-faceted and complex workspace we’re reentering, one that takes coordination of technology, people and processes. Without it, food suppliers risk plant shutdowns and loss of business continuity.
Bioterrorism and insider threat remain an active part of the supply chain landscape. In fact, according to a June 2020 Wall Street Journal Pro Research Survey of cybersecurity executives at nearly 400 companies, 67% were concerned about malicious insiders. Remote workers and lax controls have exacerbated the situation and rising threats include malicious employees, accidental negligence, contractor or vendor misuse and account compromise.
The Landscape of Collaboration
The ongoing coordination between human resources (HR) and security is a collaborative effort that bolsters food defense in a COVID-19 world. Fueled by digital transformation, converged physical security and HR management solutions are wound together tightly in a coordinated and analytical approach to keep food industry employees safe and operations running smoothly.
These departments, once siloed and co-existing without direct interaction, are benefiting from software’s move to the cloud and open operating platforms, which provides increased opportunity for real-time integration of HR, security and facilities technologies. Moving to a converged approach across all departments, including HR, IT/cyber and operational technology (OT)/SCADA—can effectively secure our most critical food production and distribution resources while actively enforcing compliance and company policies, including COVID-19 mandates. In addition, physical security access governance, in a holistic manner, protects food industry workers and processes from compromised identities, systems and insider threats.
HR and physical security now have the ability to share data-insights to prevent, detect and mitigate the spread of contagions. With this convergence, organizations have the information they need to actively defend and protect the workforce, focusing on the human side of security to yield a positive experience.
Enabling a Safe and Healthy Return to Work
This time of unprecedented change has triggered a tectonic shift in the way organizations have been dealing with the health, security and safety of their workforce. Sensing a coming tsunami, HR, corporate real estate and physical security leaders are realizing that they must stop operating in silos and embrace a holistic approach. Enterprise response and recovery plans have become a major catalyst for converged security, as it has proven to be the most effective way to manage workspace access, enforce workforce security, safety and privacy.
Reopening with Technology at Your Back
Physical identity access management (PIAM) software, including visitor identity management (VIM) are convergence platforms that deliver identity and access governance, health and safety intelligence and compliance validation across the enterprise. PIAM provides a safer work environment by managing physical, logical and operational technology access for employees and visitors, actively enforcing company policies, compliance and industry regulations with built-in best practices and regulatory controls. Automated policy-driven background checks yield real-time vetting of visitors, contractors and employees while validating and identifying any policy violations. PIAM and VIM keeps facilities and workers safe, making sure the employees and visitors only have access to the areas, data and assets they need, including vital food processing areas where deliberate sabotage needs to be kept at bay.
While prevention of bioterrorism and insider threat is ongoing at food distribution, production and processing facilities there’s been a notable shift during the pandemic that focuses on the health and safety of workers. Security is no longer simply about keeping the bad guys out; it’s about safety and protecting workers from unsafe behavior.
Workforce health and safety access governance software solutions help organizations open safely in a frictionless, controlled and secure way by automating and enforcing COVID-19 related policies and procedures. Automated batch email/text notifications with self-service links send requests to the remote workforce for self-attestation and self-reporting offsite and enable access by the worker to the facility based on health, travel and other company policies.
Here’s how it works: An employee completes the self-reporting health and travel questionnaire through a mobile app, which triggers automated workflows based on those answers. These health questionnaires collect data and document employee activity during lockdown, including infection, symptoms or exposure. The employee’s self-attestation request comes to the manager for action, and based on answers the worker is considered high risk and per policy their access to the facility is revoked for 14 days while they are in quarantine. A similar self-attestation and workflow then applies to reinstatement for the employee. This reporting and workflow can be configured specifically to the facility. Enterprises can further customize their visitor identity management to provide clear communication of current policies during the outbreak, reinforcing WHO best practices.
Focus on Health and Safety
Health and safety access governance and intelligence provides prescreening support of workforce site entry with automated policy enforcements. Pre-registered and onsite visitors/contractors check-in/check-out with prescreening, watch list and other checks prior to access. In the production or distribution facility, health and safety analytics track confirmed or potentially exposed COVID-19 workers, identify exposed areas for lockdown and/or sanitization, social distancing violation, location heat map and other actionable health & safety analytics.
PIAM also allows you to automate your communications and deliver clear expectations and procedures to your workforce, visitors and contractors pre-visit and onsite—adding to a seamless experience.
Security convergence delivers a comprehensive, holistic solution across the entire food value chain, from sourcing to production to retail distribution. Human resources and physical security have teamed up—yielding real-time data that can prevent, detect and mitigate the spread of contagions. With this convergence comes greater situational awareness that defends and protects the workforce, with a strong focus on safety and building trust between worker and employer.
While foodborne transmission of the novel coronavirus is unlikely , the virus has significantly affected all aspects of food production, food manufacturing, retail sales, and foodservice. The food and agriculture sector has been designated as a “critical infrastructure,” meaning that everyone from farm workers to pest control companies to grocery store employees has been deemed essential during this public health crisis.* As a society, we need the food and agriculture sector to continue to operate during a time when severe illnesses, stay-at-home orders and widespread economic impacts are occurring. Reports of fraudulent COVID-19 test kits and healthcare scams reinforce that “crime tends to survive and prosper in a crisis.” What does all of this mean for food integrity? Let’s look at some of the major effects on food systems and what they can tell us about the risk of food fraud.
Equally concerning are reports of supply disruptions in commodities coming out of major producing regions. Rice exports out of India have been delayed or stopped due to labor shortages and lockdown measures. Vietnam, which had halted rice exports entirely in March, has now agreed to resume exports that are capped at much lower levels than last year. Other countries have enacted similar protectionist measures. One group has predicted possible food riots in countries like India, South Africa and Brazil that may experience major food disruption coupled with high population density and poverty.
Supply chain complexity, transparency and strong and established supplier relationships are key aspects to consider as part of a food fraud prevention program. Safety or authenticity problems in one ingredient shipment can have a huge effect on the market if they are not identified before products get to retail (see Figure 1). Widespread supply chain disruptions, and the inevitable supplier adjustments that will need to be made by producers, increase the overall risk of fraud.
Regulatory oversight and audit programs have been modified. The combination of the public health risk that COVID-19 presents with the fact that food and agriculture system workers have been deemed “critical” has led to adjustments on the part of government and regulatory agencies (and private food safety programs) with respect to inspections, labeling requirements, audits, and other routine activities. The FDA has taken measures including providing flexibility in labeling for certain menus and food products, temporarily conducting remote inspections of food importers, and generally limiting domestic inspections to those that are most critical. USDA FSIS has also indicated they are “exercising enforcement discretion” to provide labeling flexibilities. The Canadian Food Inspection Agency (CFIA) announced they are prioritizing certain regulatory activities and temporarily suspending those activities determined to be “low risk.” GFSI has also taken measures to allow Certification Program Owners to provide certificate extensions due to the inability to conduct in-person audits.
While these organizations have assured stakeholders and the public that food safety is of primary importance, the level of direct regulatory and auditing oversight has been reduced to reduce the risk of virus transmission during in-person activities. Strong auditing programs with an anti-fraud component are an important aspect of food fraud prevention. Adjustments to regulatory and auditing oversight, as necessary as they may be, increase the risk of fraud in the food system.
There is a focus on safety and sustainability of foods. The food industry and regulatory agencies are understandably focused on basic food safety and food sustainability and less focused on non-critical issues such as quality and labeling. However, there is a general sense among some in industry that the risk of food fraud is heightened right now. Many of the effects on the industry due to COVID-19 are factors that are known to increase fraud risk: Supply chain disruptions, changes in commodity prices, supplier relationships (which may need to be changed in response to shortages), and a lack of strong auditing and oversight. However, as of yet, we have not seen a sharp increase in public reports of food fraud.
This may be due to the fact that we are still in the relatively early stages of the supply chain disruptions. India reported recently that the Food Safety Department of Kerala seized thousands of kilograms of “stale” and “toxic” fish and shrimp illegally brought in to replace supply shortages resulting from the halt in fishing that occurred due to lockdown measures.
High-value products may be particularly at risk. Certain high-value products, such as botanical ingredients used in foods and dietary supplements, may be especially at risk due to supply chain disruptions. Historical data indicate that high-value products such as extra virgin olive oil, honey, spices, and liquors, are perpetual targets for fraudulent activity. Turmeric, which we have discussed previously, was particularly cited as being at high risk for fraud due to “‘exploding’ demand ‘amidst supply chain disruptions.’”
How can we ensure food sufficiency, safety, and integrity?FAO has recommended that food banks be mobilized, the health of workers in the food and agriculture sector be prioritized, that governments support small food producers, and that trade and tax policies keep global food trade open. They go on to say, “by keeping the gears of the supply chains moving and actively seeking international cooperation to keep trade open, countries can prevent food shortages and protect the most vulnerable populations.” FAO and WHO also published interim guidance for national food safety control systems, which noted the increased risk of food fraud. They stated “during this pandemic, competent authorities should investigate reported incidences involving food fraud and work closely with food businesses to assess the vulnerability of supply chains…”.
From a food industry perspective, some important considerations include whether businesses have multiple approved suppliers for essential ingredients and the availability of commodities that may affect your upstream suppliers. The Acheson Group recommends increasing supply chain surveillance during this time. The Food Chemicals Codex group recommends testing early and testing often and maintaining clear and accurate communication along the supply chain.1 The nonprofit American Botanical Council, in a memo from its Botanical Adulterants Prevention Program, stated “responsible buyers, even those with relatively robust quality control programs, may need to double- or even triple-down on QC measures that deal with ingredient identity and authenticity.”
Measures to ensure the sufficiency, sustainability, safety and integrity of foods are more closely linked than ever before. In this time when sufficiency is critical, it is important to avoid preventable food recalls due to authenticity concerns. We also need to stay alert for situations where illegal and possibly hazardous food products enter the market due to shortages created by secondary effects of the virus. The best practices industry uses to reduce the risk of food fraud are now important for also ensuring the sufficiency, sustainability and safety of the global food supply.
*Foodborne transmission is, according to the Food Standards Agency in the U.K., “unlikely” and, according to the U.S. FDA, “currently there is no evidence of food or food packaging being associated with transmission of COVID-19.”
–UPDATE April 29, 2020— Yesterday President Trump signed an executive order to keep meat and poultry processing facilities operational during the coronavirus national emergency. U.S. Secretary of Agriculture Sonny Perdue said the following in a USDA statement, “Maintaining the health and safety of these heroic employees in order to ensure that these critical facilities can continue operating is paramount. I also want to thank the companies who are doing their best to keep their workforce safe as well as keeping our food supply sustained. USDA will continue to work with its partners across the federal government to ensure employee safety to maintain this essential industry.”
As critical infrastructure workers, employees at meat and poultry processing facilities have stayed on the job during the coronavirus crisis. Hundreds have fallen ill and many have died as a result; at least 100 USDA inspectors have tested positive for COVID-19 and at least one inspector has died, according to reports. Production facilities across the country have shut down over the past month, and the threat of a meat shortage is very close to becoming a reality, warns Tyson Foods Chairman John Tyson. “In small communities around the country where we employ over 100,000 hard-working men and women, we’re being forced to shutter our doors. This means one thing—the food supply chain is vulnerable. As pork, beef and chicken plants are being forced to close, even for short periods of time, millions of pounds of meat will disappear from the supply chain,” Tyson stated in a company blog. “As a result, there will be limited supply of our products available in grocery stores until we are able to reopen our facilities that are currently closed.”
“To ensure continuity of operations of essential functions, CDC advises that critical infrastructure workers may be permitted to continue work following potential exposure to COVID-19, provided they remain asymptomatic and additional precautions are implemented to protect them and the community,” the CDC’s Critical Infrastructure Guidance states. The agency also notes that screening workers for COVID-19 symptoms is “an optional strategy”.
Meat processing workers are not exposed to COVID-19 through product handling; they can be exposed via close contact with other employees in a facility. The CDC and OSHA have released interim guidance for meat and poultry processing workers and employers that details how communal work environments should be laid out and how employers should be promoting social distancing. Engineering controls include the following:
Reconfiguration of workstations to allow employees to be six feet apart, if possible
Establishing physical barriers (i.e., plexiglass or strip curtains) to separate workers
Working with an HVAC engineer to establish proper ventilation that limits potential exposure to coronavirus; removal of any pedestal or personal fans
Setting up handwashing stations or hand sanitizer (60% alcohol) stations
Reconfiguring break rooms and other communal areas to promote social distancing
The CDC also recommends that workers wear cloth face coverings that fit over the mouth and nose.
For workers who have experienced COVID-19 symptoms and have self-isolated at home, the CDC advises they do not return to work until they meet specific criteria.
Much of the attention that cybersecurity gets is on the IT or office network side of things, but recently people have begun paying more attention to operational technology (OT) systems that make up the country’s critical infrastructure. When people think of critical infrastructure, they automatically think of oil and gas, power generation, and water. Many people don’t realize that there are actually 16 critical infrastructure industries:
Water and Wastewater
Food and Agriculture
One of the easily forgotten, but perhaps most important, is food and beverage manufacturing. A cyber attack on a food and beverage company might not result in the lights going out or clouds of toxic gas, but they could result in explosions, or tainted food. We need to start paying more attention to cybersecurity in the food and beverage industry. What would happen if a hacker got into the control system at a frozen foods distribution facility? They could raise the temperature in the freezers, thaw the food and then refreeze it. This could result in food poisoning for hundreds or thousands of people. Bad actors can do a lot of harm by targeting this sector.
Many companies are pushing to combine their IT and OT departments, something they call IT/OT convergence. This can be done, but you need to first understand that IT and OT have differing goals.
It is important to review the organizational structure. You will typically find that both IT and OT report organizationally to the CEO level. We also find senior management believes IT owns the industrial control system (ICS) networks and security—mainly because IT owns support, maintenance & operational budget for network and security (basically letting OT off the hook).
IT’s primary goals are confidentiality, integrity and availability, the CIA triad. While working toward these objectives IT also tries to make it possible for users to access the network from any location from which they are working, using whatever computing device they have with them. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.
OT’s primary goals are availability, integrity and confidentiality—a complete reversal of the CIA triad. They strive to keep production running, be it an electric utility, an oil rig or a pop-tart factory 24/7/365. OT is all about what works, a “We’ve always done it that way” mentality. OT will always be reluctant to make any change that might bring down the production line. Remember, they are graded on widgets per minute. There must be trust and open communication between IT and OT if things are going to work properly.
When we are talking about OT cybersecurity, we usually use terms like secure or prevent, when we really should be thinking about words like containment. Securing the network and preventing attacks is important, but at some point, an attack will get past your defenses. Then it is a matter of containment: How do we keep the problem from spreading to other networks?
One thing to definitely avoid is the desire by IT to have bi-directional communications between the IT and OT networks—this should never happen. Also, avoid the desire to connect the ICS to the Internet so that you can control the process remotely. There is no reason for the plant manager to be able to go home, have a couple beers and then log on to see if he can make things run better. If the control system is going to be connected to the corporate IT or the Internet, it should only have out-going uni-directional data transmission to allow monitoring of the system.
Building a good OT cybersecurity program, you need to do three things:
Get C-Level support and buy-in for the changes to be made.
Communicate with stakeholders and vendors.
Make decisions as a team, make sure all the stakeholders, IT, OT, engineering are all involved.
After you have set up the structure and started communicating, you need to begin cybersecurity awareness training for the OT staff. This training should be focused on educating plant personnel on what cybersecurity is, both at work and at home, and how to respond or escalate something that seems wrong. They need to be trained what needs to be dealt with immediately and what can wait. Consider doing tabletop exercises where you practice what to do when certain things occur. This can act as a stress test for your incident response plan and help find the holes in your plan and procedures. These tabletop exercises should involve C-suite individuals as well as people from the plant floor, so everyone understand their part in a cyber-attack response.
If these concepts are followed, you will be well on your way to creating a much more cyber-secure production environment.
Strictly Necessary Cookies
Strictly Necessary Cookies should be enabled at all times so that we can save your preferences for these cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you visit and/or use the FST Training Calendar, cookies are used to store your search terms, and keep track of which records you have seen already. Without these cookies, the Training Calendar would not work.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
A browser cookie is a small piece of data that is stored on your device to help websites and mobile apps remember things about you. Other technologies, including Web storage and identifiers associated with your device, may be used for similar purposes. In this policy, we say “cookies” to discuss all of these technologies.
Data generated from cookies and other behavioral tracking technology is not made available to any outside parties, and is only used in the aggregate to make editorial decisions for the websites. Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent by visiting this Cookies Policy page. If your cookies are disabled in the browser, neither the tracking cookie nor the preference cookie is set, and you are in effect opted-out.
In other cases, our advertisers request to use third-party tracking to verify our ad delivery, or to remarket their products and/or services to you on other websites. You may opt-out of these tracking pixels by adjusting the Do Not Track settings in your browser, or by visiting the Network Advertising Initiative Opt Out page.
You have control over whether, how, and when cookies and other tracking technologies are installed on your devices. Although each browser is different, most browsers enable their users to access and edit their cookie preferences in their browser settings. The rejection or disabling of some cookies may impact certain features of the site or to cause some of the website’s services not to function properly.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Policy. If you prefer to prevent third parties from setting and accessing cookies on your computer, you may set your browser to block all cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance program by opting out here.