As we look to 2018, the need for food defense activity remains. Increased adulteration incidents in 2017, consumer purchasing trends and FSMA rules implementation drive this need and the work necessary to complete it in 2018.
Intentional Adulteration of Food. It was evident that intentional adulteration of food did not diminish over the past year and likely increased. Adulteration cases of spices with undeclared ingredients to extend the product or boost color were documented. Terrorists plans and food adulteration tests were uncovered and publicized. In Germany, a man threatened to put antifreeze in the nation’s baby formula supply chain. And disgruntled employees continued to adulterate food to get revenge on their employer or co-workers. Given the complexity of our food system and the limited transparency of supply chains from farm to fork, those willing and able to adulterate will continue to do so in 2018.
Consumer Demands. Look in your local grocery aisles and you will find an ever-increasing section of “freedom foods”. These are foods that claim to be free of something whether it be gluten, lactose, pesticides or GMOs. With increasing frequency consumers are also asking questions about the sustainability and agriculture practices of the food they buy. How have the oceans been fished? Are my eggs from cage-free chickens? Does the food I buy protect the environment. Based on current trends, consumers will continue to spend their food dollars on organic, free-of, and sustainability produced food. This means food defense needs to have a keen eye on where fraudsters could adulterate products representing these food trends.
Company Food Defense. Two things have increased in the requests we are getting from companies: New incidents and the nearing deadline for compliance of the FSMA Intentional Adulteration (IA) rule. First, adulteration incidents that affect your product or the ingredients you use changes the lens you see food defense through. Even an adulteration in an ingredient or product similar to yours makes you look twice at how protected you are. With the continued incidents, companies are taking a hard look at how they are affected. Second, food companies have completed their work to prepare for the early FSMA rules such as Preventive Controls and Foreign Supplier Verification moving their attention to the next rules. The IA rule compliance dates begin in July 2019, and we anticipate increased activities, questions and food defense efforts in 2018.
As you can see, there is a nexus of need to accomplish defense work in our food system. Perhaps 2018 will be “the” year of food defense where individually and collectively we close vulnerability gaps.
Agent detection to identify contamination of food products is required in food safety and defense programs. Detection typically involves laboratory methods or technologies, such as biosensors, that are used in close physical contact with food products. While the field of food protection has benefited from the development of novel agent detection methods in recent years, the challenge of determining which food products to test remains. The sheer volume of food produced within and traded across U.S. borders makes agent detection a daunting, time-consuming and expensive task. The decision of when to utilize detection methods depends on the risk of a particular product being contaminated. Contamination may be unintentional or intentional, including economically motivated adulteration (EMA).
The risk of contamination fluctuates over time and is a function of several factors. Risk depends on the biochemical makeup of the product, supply chain characteristics such as complexity and transport distance, and a wide range of natural or manmade events that may disrupt supply and potentially incentivize intentional adulteration. This is particularly true in the case of EMA. Events include but are not limited to natural disasters that destroy or reduce the usual supply of an ingredient, political instability that disrupts usual trade patterns, interruptions of routine food safety inspections, and market fluctuations that impact global prices. While data exists to monitor these risk factors of contamination, optimal use of this information by government and private industry is hindered by several challenges. For example, valuable data often exists across multiple data systems with data across systems appearing in inconsistent formats. In addition, the amount of data that must be reviewed to find a signal within the noise is frequently overwhelming.
To address finding signals within vast quantities of data sources and systems, the Food Protection and Defense Institute (FPDI) developed technology to curate and help make sense of this data. With support from both the FDA and the Department of Homeland Security, FPDI developed FIDES or Focused Integration of Data for Early Signals to perform “horizon scanning” of food system disruptions in support of food protection efforts, including agent detection. FIDES was designed to help users forecast, monitor and identify food system risk factors and adverse food events. The FIDES web application fuses multiple streams of data from disparate sources and displays information in the form of an online dashboard where users browse, search and layer both dynamic and reference data sets related to food system disruption events. Examples of data currently included in FIDES are import refusals, global disasters, animal health alerts, food defense incidents, historical food safety incidents, import data, price alerts and reference data on food production worldwide.
Events in recent years illustrate the value of gathering intelligence and utilizing data related to food system risks to inform decisions regarding product targeting. Tsunamis, crop failures and disease outbreaks in humans and animals around the globe have threatened supply of products such as shrimp, spices, cocoa and eggs. When supply is disrupted, companies are often forced to quickly identify new and sometimes previously unvetted suppliers, including spot market purchasing. Likewise, supply disruptions often lead to price increases. As prices increase in the absence of adequate supply, concerns about EMA also increase. In both of these instances, the risk of product contamination—both unintentional and intentional—may rise and an increase in product screening or a change in agent detection methods may be appropriate.
For example, the 2014–2016 Ebola outbreak had a significant impact on West Africa, the primary production region for the world’s cocoa supply. Disruptions from the outbreak, including border closures and other trade interference, led to uncertainty about supply availability and prices. This raised concern for EMA, particularly given that many cocoa products are sold as powders, butters and liquors— forms that are more vulnerable to EMA than raw ingredients. As a test case, FPDI reviewed FIDES data streams during the peak of the outbreak. Real-time data on the outbreak was layered with data on global cocoa production and import patterns. Import refusal data from multiple global systems was assessed to identify any concerning patterns. Historical food defense and food safety incidents were also reviewed to determine which cocoa products had been previously contaminated. A similar approach could be used by the food and agriculture sector to guide decisions about targeted inspections—which product(s) and region(s) to monitor, which method(s) to use and which contaminant(s) to test. FIDES could support targeted screening and enhanced awareness of product risk profile that would allow the food industry to assure continued supply of authentic and quality products.
Many foods, from honey to olive oil to spices, fall victim to fraudsters each year. Often a time-consuming process, conducting research about each product or ingredient can involve combing through many websites and databases for information. To save companies from doing all that heavy lifting, newer tools are aggregating the data into single platforms. One most recent example is the World Factbook of Food, developed by the Food Protection and Defense Institute (FPDI) and funded by the U.S. Department of Homeland Security. The tool was released earlier this year, and Erin Mann, project manager at FPDI, explains how it is helping food companies mitigate the risk of food fraud in their supply chain.
Food Safety Tech: What are the fundamental advantages of using the World Factbook of Food and how is it different from other tools that companies can use to assess their risk?
Erin Mann: The World Factbook of Food is a central reference location for data related for food. It pulls together a lot of high quality data points from a lot of different sources into a single tool.
Companies can look for information on a lot of different food products and a lot of different sourcing regions and countries. We have more than 125 food profiles (and growing) and more than 75 country profiles (also growing). [There are 10 food profiles and 10 country profiles that are available for free] Each of the profiles covers a large number of topics. On the food profile side, there are data points on how the product is used, codes, information about standards and grades; and a lot of data about trends and consumption, production and trade patterns; there’s information about processing and supply chain characteristics; and another section about food defense and food safety.
It’s a resource that can be used anytime a company needs to get up to speed quickly on a product, because it covers a lot of different types of risks. If a company wanted access to information related to risk about past economically motivated adulteration (EMA) or intentional adulteration (IA) incidents, the Factbook has that. There’s also data on past recalls, information about major producing countries around the world—a wealth of information in one place that companies can use broadly for risk assessment—basically any use case where they want access to a lot of information from lots of sources, the Factbook can be a great place for that.
FST: Can you expand on the food defense component of the Factbook?
Mann: One of the primary sources that we pull for the food defense section comes from a complementary tool that we use here at FPDI—our food adulteration incidence registry, called the FAIR tool, which is a database of past EMA and IA incidents. On the technology side, the Factbook is directly linked with the FAIR tool. If you’re looking at a profile for a particular product, it will access the FAIR tool and display relevant incidents for that product. It won’t give you access to the entire FAIR database, but it will give you a high-level summary of what food defense incidents have happened in the past with the product, where they happened, the year and a summary.
What we’ve seen with the FAIR tool is high incidents of food adulteration in products like oils, spices, seafood—those are the major products impacted by food adulteration, particularly EMA.
FST: From what sources are the data curated?
Mann: There’s a source list at the bottom of each profile and all the data points are referenced throughout. In terms of a high-level description of where we pull data from, it includes the USDA, FDA, Codex, the U.S. International Trade commission, United Nations data, and other industry and trade groups. It also pulls data from the World Bank and the FAIR tool.
TraceGains’ latest eBook, An Organic State of Mind, sheds light on the trends and demands that are shaping the organic industry today and how automation technology is changing the game for many organic food manufacturers and producers.
FST: How can companies use the Factbook as part of their overall risk mitigation process?
Mann: One of primary strengths of the Factbook is that companies can use it in many different ways. Our institute has done a lot of work with big data and using multiple data sources, and one of the biggest takeaways we learned through several years in this field is that whenever you use big data or you use lots of data sources, they must produce intelligence and information that is actionable. All of the data and information doesn’t do much good if there’s not a clear summary of what to do with that information.
The Factbook aims to do that. It’s a collection and synthesis of data and clean information that’s in an easy to use and easy to navigate user interface. From there, companies can take a look and see how to use the Factbook where they see a gap in their processes. It’s a great place to access lots of information about a food product in a single place. If we can see several points in an overall risk mitigation process where the Factbook can be used, it could be used to inform decisions related to procurement. [For example], if a company suddenly needed to procure a product from a new source region or if they were developing a new product and had to procure an ingredient that they hadn’t worked with before, the Factbook would be a great place to get smart quickly on that ingredient.
The Factbook could be used for understanding supplier review and specific risks related to that ingredient, or simply horizon scanning—if companies want to take a look at some of the products they’ve determined to be high risk and learn more about the product from a holistic perspective.
As stated in the Q&A, 10 food profiles and 10 country profiles are available for free. Subscribers to the World Factbook of Food pay $600 annually for full access to the tool, and bundled pricing is available for users who are interested in access to both the Factbook and the FAIR tool.
Food defense is the protection of food products from intentional contamination or adulteration, as well as biological, chemical, physical or radiological agents. It addresses additional concerns including physical, personnel and operational security. A traditional food defense program is generally perceived as a program that includes site security, visitors control or even on-site personnel monitoring. However, with the new FSMA Preventive Controls Rules and GFSI Guidance for all the recognized schemes, additional to consumer demand on product transparency, we must now take food fraud into consideration within our food defense program.
What is food fraud? According to the study from Michigan State University, food fraud is a collective term used to encompass the deliberate and intentional substitution, addition, tampering or misrepresentation of food, food ingredients or food packaging, or false misleading statements made about a product, for economic gain. It becomes not just a potential for food safety issues, but also a severe issue that could potentially damage your brand reputation. It is hence critical to have appropriate protection and prevention, as the umbrella encompasses both food defense and food safety.
What does this mean to food manufacturers? The awareness of traceability and transparency certainly should rise. Most facilities should have a food defense program in place to comply with any GMP or GFSI requirements. To make it more competent for food fraud, what could we do? Here are some quick tips to strengthen your food defense program with food fraud prevention:
Tip 1: Review your entire supply chain one more time, considering fraud risks
Tip 2: Use the HACCP concept for food fraud risk analysis
Tip 3: Double-check incoming goods
Tip 4: Make the entire supply chain transparent
Tip 5: Document all records
Tip 1: Review your entire supply chain one more time, considering fraud risks
The unknown could potentially hurt you or your program. You would prefer to be aware of what might go wrong before it goes wrong, which is why a review should be one of the key steps in your food safety program. It might be a familiar terminology in the industry; however, we could not eliminate its importance to your entire food safety management system. To maintain product authenticity, understanding where your ingredients come from and who your business partners and suppliers are become the first step to success. It also gives you an excellent opportunity to analyze the risks and potential risk sources. A thorough review should include all the approved suppliers and vendor information. Knowing the source of your product provides you with a good foundation for your food defense program. How can we efficiently review our own supply chain?
List all approved suppliers and contract vendors
Make sure all ingredients are used accordingly and as intended
Keep the supplier registration list up to date
The more you understand your own supply chain, the more helpful it will be to your food defense program.
Tip 2: Use HACCP concept for food fraud risk analysis within supply chain
Hazard Analysis Critical Control Point (HACCP), as defined by FDA, is a management system in which food safety is ensured by addressing through the analysis and control of biological, chemical and physical hazards throughout the entire supply chain. This mentality of HACCP could be used and very helpful to analyze the potential fraud risks. Its seven principles and 12 steps could be implemented to identify your own fraud risks. And it is important for us to identify the hazards from potentially adulterated ingredients to determine the next step for what needs to be controlled. Utilizing the 12 steps, we can list all the key points and steps that could potentially impact your products’ authenticity. The risks can come from personnel, visitors or the ingredients themselves. There are many resources out there; for example, US Pharmacopeia (USP) has developed a global food fraud database that is a good resource for all ingredients that have been falsely used in food products.
Ready or not – here comes organic demand! Consumers everywhere are demanding certified organic products in their homes and on their tables. TraceGains’ latest eBook, An Organic State of Mind, sheds light on the trends and demands that are shaping the organic industry today and how automation technology is changing the game for many organic food manufacturers and producers.
Tip 3: Double-check incoming goods
Many articles address the importance of vulnerability assessments to prevent food fraud plus any documentation your suppliers have provided. Yes, it is critical; however, as one of the important steps in the HACCP program, verification is also important to make sure what goes into your finished products is safe and guaranteed. This could be addressed and monitored by implementing genetic testing. Each product and ingredient has its own DNA, just like our fingerprints. Nowadays, there are many methodologies developed for this type of test. The DNA testing could be a helpful tool to help your facility verify the authenticity of your incoming raw materials. Genetic testing using techniques like polymerase chain reaction (PCR) technology to detect the DNA of the product upon receiving the incoming goods. Moreover, as fast as it can be, facilities can now receive the test results within one to two hours. The testing itself might seem like an extra step with more effort and labor. However, the return is a huge saving on damages caused by food fraud. You can now start to verify and control your supply chain from the beginning to avoid any potential adulteration.
Tip 4: Make the entire supply chain transparent
This transparency not only applies to internal employees but also outward to your customers and vendors. That way you can familiarize yourself with your own supply chain, while at the same time establish brand reputation and confidence to your customers.
Tip 5: Keep all records documented
The records you should keep, besides a registration list of all your ingredients and vendors, should include the inventory list, how ingredients are used, whether it is used outside of its intended use and authorized personnel signatures. The following are some tips for an efficient document control:
Make it clear and straightforward
Categorize it based on your own facility operations
Keep the records in the same order of your supply chain from ingredients to end consumers
After all, with the newly released requirements, as QA professionals, we need to start developing a mindset that considers food fraud as a type of hazard, and develop monitor and control strategies for mitigating it. Just like we are now so familiar with the physical, chemical and biological hazards within our production facilities compared to decades ago, food fraud will no longer be a scary term once it is proficiently understood and properly controlled.
FDA, as part of FSMA, released its rule titled “Protecting Food Against Intentional Adulteration” on May 27, 2016. This rule was proposed in 2013. FDA received and responded to 200+ comments prior to its final release.
FDA states that this rule “is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, [and] economic disruption of the food supply absent mitigation strategies.”1
The rule requires a documented “Food Defense Plan” that at a minimum includes the following:
Procedures for food defense monitoring
Food defense corrective action procedures
Food defense verification procedures
Records confirming implementation, maintenance and conformance to the defined requirements
Evidence of effective training
As a food safety professional with more than 30 years in the industry, reviewing this rule brought back many memories. These memories combined with information gained from a recently completed Food Defense/ Crisis Management workshop presented by Rod Wheeler really set my brain into motion.2
Years ago, industry focused on crisis management and product recall. Requirements included having a crisis management team that was led by associates representing both upper and middle management. In addition, most programs included the following:
Posted identification of the crisis management team (i.e., pictures, phone numbers, etc.)
Specific training for receptionist and guards
Mock crisis exercises (i.e., fire drills)
Planned crisis calls to the operation’s direct incoming phone numbers (i.e., receptionist and guards)
Mock recalls (from supplier through finished product and distribution)
Security inspections which may now be considered the pre-cursor to today’s “Vulnerability Assessment”
With the introduction of the GFSI approved schemes (FSSC 22000, BRC, SQF, GlobalG.A.P., Primus, etc.), requirements for crisis management, emergency preparedness, security programs, food defense training and continuity planning gained an increase focus. Do any or all of these programs meet the requirement for a “vulnerability assessment”?
In the 2013 publication, Food Safety Management Programs, this subject-matter chapter was titled “Security, Food Defense, Biovigilance, and Bioterrorism (chapter 14)”.3 An organization must identify the focus/requirements that are necessary for its operation. This decision may relate to many different parameters, including the organization’s size, design, location, food sectors represented, basic GMPs, contractor and visitor communication/access, traceability, receiving, and any other PRP programs related to ensuring the safety of your product and your facility. Requirements must be defined and associates educated to ensure that everyone has a strong and effective understanding of the requirements and what to do if a situation or event happens.
Confirming the security of a facility has always been a critical operational requirement. Many audits have been performed that included the following management statement: “Yes, of course, all the doors are locked. Security is achieved through key cards or limited distribution of door keys, thus no unwanted intruder can access our building.” This statement reminds me of a preliminary assessment that I did not too long after the shootings at a Pennsylvania manufacturer in September of 2010. The organization’s representor and myself were walking the external parameter of a food manufacturer at approximately 7:30 PM (still daylight). We found two doors (one in shipping and one accessing the main office), with the inside door latch taped so that the doors were not secure. The tape was not readily evident. The doorknob itself was locked, but a simple pull on knob opened the door. Our investigation found that a shipping office associate was waiting for his significant other to bring his dinner and was afraid that he would not be at his desk when she arrived. An office associate admitted that that door had been fixed to pull open without requiring a key several months earlier because associates frequently forgot their keys and could not gain access to start work.
Debby Newslow will present ” Sanitary Transportation for Human & Animal Food – Meeting the new FDA Requirements” at the Food Safety Supply Chain Conference | June 5–6, 2017 | Attend in Rockville, MD or via webcast | LEARN MORE
We also observed a large overhead door adjacent to the boiler room along the street side of the facility open, allowing direct access to the processing area by passing through the boiler room and then the maintenance shop. It was stated that the door had been opened earlier in the day waiting for the delivery of new equipment. No one at the time knew the status of the shipment or why the door was still open.
Finding open access to facilities is becoming more and more common. A formal vulnerability assessment is not necessary to identify unsecured doors (24/7) in our facilities. Education and due diligence are excellent tools for this purpose.
Another frequently identified weakness is with organization’s visitor and contractor sign-in prerequisite programs. What type of “vulnerability” are we creating for ourselves (false confidence) with these programs? Frequently these programs provide more questions than answers:
Does everyone really sign in?
What does signing the visitor log mean?
Are visitors required to show identification?
Are the IDs actually reviewed and if so, what does this review include?
Who is monitoring visitors and contractors and are they trained?
Do all contractors have to sign the log or are they allowed to access the building at different locations?
Do those contractors who make frequent or regular trips have their own badges and/or keys (keycards) so they don’t have to take the time to sign-in (i.e., pest control, uniform supplier vending services)?
How are contractor badges controlled?
Are visitors required to be accompanied during the visit or does it depend on the visitor and whom they are visiting?
Are visitors and contractors trained in company requirements?
Do visitors and contractors have an identifying item to alert your associates of their status (i.e., visitor badge, visitor name badge, specifically colored bump cap, colored smock, etc.)?
How are truck drivers monitored? Do they have a secured room for them or do they have complete access to the facility to access the restrooms and breakroom?
How are terminated associates or associates that have voluntarily left the company controlled?
Can these associates continue to access the facility with keys, access cards, or just through other associates (i.e., friends or associates that did not know that they were no longer an employee)?
The new food defense regulations have caused quite a stir in the food industry and have left many scratching their heads. Many companies are worried about how to implement these programs. The regulations have created a format and structure in which many companies can adapt within their existing food defense programs to comply with the new law. Still, one of the biggest challenges of food defense is merely the idea of developing the food defense plan and coming into compliance with the FDA’s new Food Defense rule. The FDA received many comments from industry in response to the draft guidance. Many of these comments asked the agency for additional time to come into compliance, and the FDA responded by delaying the compliance dates well beyond what was proposed in the draft rules.
According to the regulations, companies are required to implement a food defense plan that focuses on the vulnerabilities in their facility. If you follow the FDA’s template, a food defense plan will look very similar to the traditional HACCP plan. The term, VACCP, Vulnerability Analysis Critical Control Points, is a term that is being tossed around as of late. The FDA wants companies to make sure that they consider an internal attacker, one that has inside access to the buildings, processes and products that are being produced. For many companies, this is stretching them beyond their current paradigms and may force some to implement new procedures. In reality, this paradigm shift is not insurmountable when the items to be controlled are within the four walls of their facility. Even subcontractors, such as pest control providers, maintenance subcontractors, auditors, etc., can be included in these programs. However, is this enough to ensure the safety of the product you are selling, the one you are putting your name on, and the one you are personally standing behind?
The goal of current risk-based thinking is to find the weakest link in the process, evaluate the risk and likelihood of a threat to food safety, and respond appropriately to control the risk. Unlike the Preventive Controls rule and the FSVP rule, the Food Defense rule focuses on the processes occurring in a facility and does not take into account the processes involved in the supply chain. CargoNet Command Center found that there were 1500 security breaches in the transportation industry in the United States and Canada in 2015. The data was categorized by types of product and the highest percentage of any group of products was the food and beverage products which comprised 28% of the cargo thefts. On average, that is greater than one food or beverage cargo theft per day. CargoNet Command Center provides a nice map on their website showing the location of these instances and I encourage you to review this map. If your product passes along the hot spots of cargo theft, as well as having risk factors such as being valuable or in limited supply, it would be very beneficial to build systems and programs in place to address these additional risks to your product.
In another study presented at the Food Defense conference, there was a statistically significant link between breaches in IT systems to a follow-up cargo theft. Many quality and food safety professionals, much less executives, fully understand the interdependence of all business units on food safety. Many companies have problems with siloed departments, and unfortunately, this increases the vulnerabilities to attacks on the food we are trying to protect. This is a great example of how food safety is everyone’s job, and having this mentality is key to the success of food safety programs.
Of course, the requirement to the Food Defense rule must be addressed, but I challenge the industry to look beyond the walls of our facilities and instead, take a whole business approach and apply the principals of food defense to all inputs of the process that impacts the finished product. As food safety professionals, we need to work with our suppliers and our customers to ensure that the whole supply chain is protected from an attack.
SA Scott Mahloch will present FBI’s Role in Food Defense on November 29 at the 2017 Food Safety Consortium | Learn moreIn most cases, contamination that occurs within a food facility is unintentional. However, it’s been documented that terrorists are interested in targeting the food sector, and as lone wolf attacks gain popularity, companies need to be able to identify and protect themselves against the insider threat, said Special Agent Scott Mahloch, weapons of mass destruction coordinator for the Chicago division of the FBI, at the 2016 Food Safety Consortium.
In the following video, Mahloch talks about FBI’s role in the food industry, explains how food companies can protect themselves against terrorism by identifying the insider threat, and discusses some of the FBI’s initiatives surrounding food defense. “One of the biggest concerns that we have is the disgruntled employee and the FBI really isn’t in the position to identify these people,” says Mahloch. “That’s going to be the frontline supervisors, the coworkers that can see somebody’s behavior that maybe deviates outside anything that they would recognize as being baseline behavior.”
Many people associate terrorism with spectacular attacks such as those that occurred on September 11. However, lone wolf attacks are far more likely to happen in what has unfortunately become the new normal. “The last thing on your mind is a terrorist being interested in food. It does exist, and bad guys do have an interest in this area,” said Special Agent Scott Mahloch, weapons of mass destruction coordinator for the Chicago division of the FBI during the Food Safety Consortium last week. What does this mean for the food industry?
SA Scott Mahloch will present FBI’s Role in Food Defense on November 29 at the 2017 Food Safety Consortium | Learn moreAccording to the Department of Homeland Security, with 2.2 million farms and 900,000 restaurants in the United States, the food and agricultural sector accounts for 1/5 of the national economic activity. There are several industry targets for terrorism: Food processing facilities; food storage and distribution; restaurants, grocery stores and markets; commercial facilities; and cruise lines.
While Mahloch emphasized that there is no imminent threat to the food sector, one of the biggest areas of concern for this particular industry is the insider threat. “The insider threat is that person [who] knows the facilities, processes, distribution network and can cause the greatest impact,” said Mahloch. This can be in the form of a disgruntled employee who has or can gain access to equipment or other areas of a facility that would otherwise be secure and then introduce contaminants into food products. Mahloch stressed the important role that a food company plays in monitoring employees and reporting any deviation from normal behavior. This is not an easy task—in fact, it is the most difficult threat to detect, and the most difficult threat to protect against, Mahloch pointed out.
Insider Threat: The threat posed by an individual who exploits his/her position, credentials or employment to achieve trusted access to the means, processes, equipment, material, location, facility and/or target necessary to carry out a terrorist action.
The likelihood of an employee becoming an insider threat increases with a variety of personal factors, including financial need, feelings of anger or revenge, being a sympathizer with terrorist ideology, having problems at work, compulsive and destructive behavior, ego and family issues. Food organizations also open themselves up to vulnerabilities via the following:
Allowing easy access to restricted or sensitive areas within a facility (i.e., not limiting personnel access to certain areas or clearly labeling access controls)
Failure to have physical security controls over personal items that are either brought into or taken from the workplace
Vague security policies/Lax security perception
High employee turnover
Lack of proper employee vetting
Failure to train employees in proper security protocols
Failure to have consequences for violating security policy
When assessing the insider threat, what should food companies look for in an effort to protect their facility and products? “You’re the first line of defense,” said Mahloch. “We get a lot of phone calls where people run things by us. If something doesn’t seem right, say something.” He provided several key behaviors that may be characterized as suspicious in some instances:
Someone taking a photograph or video, or notes/sketches, of food processing operations or sensitive areas
Someone attempting to gain information about company operations, especially related to security and personnel, in person, or by phone or email
Someone conducting surveillance of self services areas such as salad bars, condiment stands or open bulk containers
Shipping area: Unscheduled deliveries, driver who is unfamiliar with facility delivery protocols, items left on dock at unusual hours, illegally parked or unattended vehicles, or shipping documents that don’t match
Companies can take several preventive steps to protect their facilities, products and personnel. Proactive measures include:
Monitoring products for evidence of tampering, resealing or damage
Securing open containers of food or ingredients in storage areas
Controlling access to specific areas of facility by delivery personnel, employees, vendors and contractors, and general visitors
Securing loading dock area, and standardize delivery and pickup protocol
Developing a written food defense plan
Training employees, contractors and vendors to recognize suspicious activity and report it accordingly
It’s important to stay alert and be aware—employee observations are critical, said Mahloch. Once suspicious activity is observed, the facility security officer or manager should be notified, and from there a decision can be made on whether external parties need to be involved. In general, state and local partners investigate an incident before the FBI gets involved.
“When it comes to intentional contamination [or a] terrorist incident—that’s an area that we investigate and ultimately prosecute,” said Mahloch. He emphasized the FBI is not a regulatory agency, so it would not show up at a facility due to a company’s lack of compliance to FSMA, for example. The agency is interested in food defense and intentional contamination that has the purpose of causing harm.
For more information about the FBI’s role in food defense, the agency has a document on its website that summarizes food defense for the industry, including some of the above-mentioned factors to look for when trying to identifying suspicious behavior. If a company wants to report suspicious activity that is not an emergency, it can call 1-855-TELL-FBI (1-855-835-5324).
FSMA rule for “Mitigation Strategies to Protect Food against Intentional adulteration” (or FSMA Intentional Adulteration rule) is aimed at protecting the U.S. food supply against acts intended to cause wide-scale harm to public health. The rule is a major breakthrough, since it takes food defense to a practical level, into the processes of a food facility. The notion of food defense has been around for many years, but it is safe to say that FSMA gave food defense a new momentum by incorporating it into a regulatory framework, hence facilitating its integration into the food system.
To understand intentional adulteration, it would be essential to cover the basics. PAS 96 and other schemes have taught us those basics, and FSMA created an environment for food defense notions to grow and evolve. Growth and evolution require a sustainable environment, a robust food defense system.
It is critical to consider threats and vulnerabilities in dealing with food defense at the planning stage. FSMA Intentional Adulteration rule makes reference mainly to vulnerabilities as a start. However, it is up to the facility to decide how far it would be willing to go to safeguard its food supply chain.
After all, the scope of food defense is not confined within the boundaries of the facility. An “inside-out” vulnerability assessment may prove to be effective, but a complementary outside-in analysis would render food defense more comprehensive, thus expanding its scope into critical areas within the supply chain.
Therefore, the Threat Assessment and Critical Control Point (TACCP) methodology of PAS 96 combined with the vulnerability assessment and food defense management requirements of FSMA Intentional Adulteration rule would be a winning combination in addressing FSMA compliance and mitigating intentional adulteration risks across the entire food supply chain.
With more than 130 years experience in Agriculture and Food businesses, we understand the challenges that you face. Protect your brand, build customer trust and open the door to a more profitable business with food industry solutions from SGS.
From training and inspection, audit and certification, testing and advisory services to retail store checks and mystery shopping our global team of industry experts help you guarantee that your operations meet the highest global standards.
Quality, safety and efficiency are key drivers in the food value chain. Each of these elements impacts on the sustainability of your business, the desirability of your products and the marketability of your business.
Hank Karayan, SGS North America, Inc. Global FSMA Program Director
Vulnerability assessments are a key provision of the FSMA final rule, Mitigation Strategies to Protect Food Against Intentional Adulteration. With this requirement comes the “identification of vulnerabilities and actionable process steps” that must be taken to mitigate potential threats. During the IAFP annual meeting Lance Reeve, senior risk management consultant for food safety and defense at Nationwide Agribusiness Insurance Co., reviewed the important and sometimes-overlooked areas that companies should be looking at when conducting vulnerability assessments.
Inside the Plant
To start, vulnerability assessments should be conducted at different times of the day, and the process should involve a team approach, said Reeve. Food defense cannot effectively be managed by a single person within a facility: It needs to involve all departments, from human resources to IT to production to warehousing, and extend to outside suppliers and vendors. How is the flow of employees and visitors around the facility managed? Do staff members wear color-coded badges? Some companies have a color-coding plan to prevent contamination, but it is also a useful tool to ensure that unauthorized employees, outside contractors and visitors aren’t in restricted areas. For example, the maintenance shop may contain deadly food contaminants—do you really want general employees to be able to get into this area? Consider using electronic technology such as biometric access control to limit access based on employee/security credentials.
Working with the human resources department is a critical part of protecting a facility. Does your company have the capability to conduct thorough background checks on all employees? In addition, with all the different types of contractors and vendors who enter your facility it’s important to find out whether your contracting companies are doing the same level of background checks as your organization when they hire employees. And finally, examine how the culture within the organization. Do employees challenge the presence of visitors who shouldn’t be on the premises?
Outside the Facility
In many cases, companies will look at the inside of their facility for potential hazards and vulnerabilities, but what about the perimeter? How are you controlling the people who are coming onto company property? While this may seem obvious, Reeve recommended physical objects to establish authority: Fences (establish physical border), signs (establish where control begins), and CCTV cameras (establishes security). And when looking at the outside of the building itself, how secure is the roof? What access does a potential attacker have into the facility via the roof? How often are security checks conducted here (if at all)?
Throughout any given day, a company can receive several cargo shipments from a variety of different suppliers. Are you familiar with the food safety programs of your suppliers? They play a critical role in food defense strategies. And when your company receives shipments, Reeve advised that companies go beyond looking at the seals on trucks and examine the transportation system itself. Is cargo removed in a secure area? Is an authorized employee supervising the process or is it left in the hands of the third-party driver?
And finally, a critical part of your mitigation strategy should be to challenge the system. Once you think you may have found all the vulnerabilities, conduct penetration testing.