Tag Archives: food defense


Food Defense in the Age of AI: Are We Prepared?

By Radojka Barycki

I watched a movie last year where a woman was being framed for murder using her facial features that were captured by a technology used in a bus that allowed passengers to get in based on facial recognition. In the movie, the woman, who was a cop, was investigating suspicious activity relating to the research of the facial recognition self-driven bus that a high-profile tech company was trying to approve for massive production and introduction into the market. The cop was getting too close to confirm her suspicions. So, the tech company got her face profile and embedded it in a video where another person was killing an executive of the company. This got me thinking about how we use face recognition nowadays and how technology is included in everything we do. So, I pose the question: are we at risk in the food industry in terms of Food Defense?

Recent cybersecurity attacks in the food industry have highlighted the urgency of this question. For instance, in 2021, the world’s largest meat processing company fell victim to a ransomware attack that disrupted its operations across North America and Australia. The company had to shut down several plants, leading to significant financial losses and potential supply chain disruptions.

Similarly, earlier that year, a cyberattack targeted a U.S. water treatment facility, where hackers attempted to alter the chemical levels in the water supply. Although this attack was prevented, it underscored the vulnerabilities within critical infrastructure systems, including those related to food production and safety.

Additionally, in 2022, a large fresh produce processing company experienced a cyber incident that disrupted its operations. The attack temporarily halted production and distribution of packaged salads and other products, causing delays and financial losses. The company paid $11M in ransom to the hackers to restore order to its operations. This incident further underscores the importance of cybersecurity in the food industry and the potential risks posed by inadequate security measures.

These incidents illustrate the growing threat of cyberattacks in the food industry and the potential consequences of inadequate cybersecurity measures. As technology becomes more integrated into food production, processing, and distribution, the need for robust food defense strategies that encompass cybersecurity has never been more critical.

Understanding Food Defense
Food defense refers to the protection of food products from intentional contamination or adulteration by biological, chemical, physical, or radiological agents. Unlike food safety, which focuses on unintentional contamination, food defense addresses the deliberate actions of individuals or groups aiming to cause harm. In an era where technology permeates every aspect of food production, processing, and distribution, ensuring robust cybersecurity measures is crucial for effective food defense.

The Intentional Adulteration Rule, part of the FDA’s Food Safety Modernization Act (FSMA), mandates measures to safeguard the food supply from deliberate adulteration aimed at causing large-scale public health harm. Key requirements of this rule include conducting vulnerability assessments, implementing mitigation strategies, performing monitoring, verification, and corrective actions, as well as providing employee training and maintaining thorough records.

The Intersection of Technology and Food Defense
The integration of advanced technology into the food industry brings numerous benefits, such as increased efficiency, improved traceability, and enhanced quality control. However, it also introduces new vulnerabilities that can be exploited by cybercriminals. As technology becomes more sophisticated, so do the methods employed by those who seek to manipulate or sabotage our food supply.

AI and Technology: A Double-Edged Sword
Artificial intelligence (AI) and other advanced technologies are revolutionizing the food industry. Automated systems, IoT devices, and data analytics enhance productivity and provide real-time monitoring capabilities. However, these technologies also present new avenues for white-collar crime and cyberattacks. For instance, a cybercriminal could hack into a food processing plant’s control system, altering ingredient ratios or contaminating products, which could lead to widespread public health crises.

Pros and Cons of Using AI and Technology in Food Safety
The adoption of AI and technology in the food industry has both advantages and disadvantages:
Pros:
1. Enhanced Efficiency: Automation and AI can streamline food production processes, reducing human error and increasing output. This leads to more consistent product quality and improved overall efficiency.
2. Improved Traceability: Advanced tracking systems allow for real-time monitoring of food products throughout the supply chain. This enhances the ability to trace the source of contamination quickly, thereby reducing the impact of foodborne illness outbreaks.
3. Predictive Analytics: AI can analyze vast amounts of data to predict potential risks and prevent contamination before it occurs. This proactive approach can significantly enhance food safety.
4. Real-Time Monitoring: IoT devices and sensors can provide continuous monitoring of environmental conditions, ensuring that food storage and transportation are maintained within safe parameters.

Cons:
1. Cybersecurity Risks: As seen in recent cyberattacks, the integration of technology introduces new vulnerabilities. Hackers can exploit these weaknesses to disrupt operations or intentionally contaminate food products.
2. High Implementation Costs: The initial investment in AI and advanced technologies can be substantial. Small and medium-sized enterprises may find it challenging to afford these technologies.
3. Dependence on Technology: Over-reliance on technology can be problematic if systems fail or are compromised. It is essential to have robust backup plans and manual processes in place.
4. Privacy Concerns: The use of AI and data analytics involves the collection and processing of large amounts of data, raising concerns about data privacy and the potential misuse of sensitive information.

The Role of Cybersecurity in Food Defense
To safeguard against such threats, the food industry must prioritize cybersecurity as an integral component of food defense strategies. Here are key strategies to consider:
1. Conduct Regular Risk Assessments: Identify potential vulnerabilities within your technological infrastructure. Regular risk assessments can help detect weaknesses and prioritize areas needing immediate attention.
2. Implement Robust Access Controls: Ensure that only authorized personnel have access to critical systems and data. Use multi-factor authentication and monitor access logs for suspicious activity.
3. Invest in Employee Training: Employees are often the first line of defense against cyber threats. Provide comprehensive training on cybersecurity best practices, including recognizing phishing attempts and other common attack vectors.
4. Update and Patch Systems Regularly: Ensure that all software and hardware are up-to-date with the latest security patches. Regular updates can mitigate the risk of exploitation through known vulnerabilities.
5. Develop Incident Response Plans: Prepare for potential cyber incidents by developing and regularly updating incident response plans. These plans should outline specific steps to take in the event of a security breach, including communication protocols and recovery procedures.
6. Utilize Advanced Threat Detection Systems: Employ AI-driven threat detection systems that can identify and respond to unusual activity in real-time. These systems can provide an added layer of security by continuously monitoring network traffic and system behavior.
7. Collaborate with Cybersecurity Experts: Partner with cybersecurity professionals who can provide insights into emerging threats and recommend best practices tailored to the food industry’s unique challenges.

Current Efforts to Standardize the Use of AI
Recognizing the critical role of AI and technology in modern industries, including food production, international efforts are underway to standardize their use and ensure safety, security, and reliability. Two notable standards introduced recently are ISO/IEC 23053:2022 and ISO/IEC 42001:2023.
• ISO/IEC 23053:2022: This standard focuses on the transparency and interpretability of AI systems. It aims to make AI-driven processes understandable and explainable to users, which is crucial for maintaining trust and accountability. In the context of food safety, this standard can help ensure that AI decisions, such as those related to quality control and contamination detection, are transparent and can be audited.
• ISO/IEC 42001:2023: This standard provides guidelines for the governance of artificial intelligence, ensuring that AI systems are developed and used responsibly. It addresses ethical considerations, risk management, and the continuous monitoring and improvement of AI systems. For the food industry, adhering to this standard can help ensure that AI technologies are implemented in a way that supports food safety and defense.

As the food industry continues to embrace technological advancements, the importance of integrating robust cybersecurity measures into food defense strategies cannot be overstated. By understanding the potential risks and implementing proactive measures, we can protect our food supply from malicious actors and ensure the safety and security of the public. The scenario depicted in the movie may seem far-fetched, but it serves as a stark reminder of the potential consequences of unchecked technological vulnerabilities. Let us learn from fiction to fortify our reality.

The author will be presenting Food Defense in the Digital Era at the Food Safety Consortium Conference.


Food Defense: Yesterday, Today and Tomorrow. 2021 FSC Episode 8

By Food Safety Tech Staff

In this archived recording, experts in food defense and security address a range of important issues in this area, including risk-based approaches to food defense, threat intelligence, cyber vulnerabilities and critical infrastructure protection.

The session, Food Defense: Yesterday, Today and Tomorrow, discusses pre-FSMA IA Rule voluntary food defense programs, compliance timelines, and regulatory compliance vs. enterprise risk based approaches to food defense. Presenters will address the status of Food Defense plan quick checks and share insights on Food Defense Plan reanalysis. Participants gain insights on threat intelligence sources and food defense-based research updates. Other topics to be covered include a brief overview of recently released insider risk mitigation reference material, cyber/IT “vulnerabilities”, critical infrastructure protection and how an all-hazards mindset to “all of the above” can help to contribute to a Food Protection Culture.

The lineup of speakers for this episode is as follows:

  • Jason Bashura, PepsiCo (moderator)
  • Food Defense Yesterday with Raquel Maymir, General Mills
  • FBI HQ Perspectives of Food Defense with Helen S. Lawrence and Scott Mahloch, FBI
  • Food Defense Tomorrow with Frank Pisciotta, ASIS Food Defense & Ag Security Community and Cathy Baillie, Mars, Inc.
  • Risk-based Food Defense with Jessica Cox, Department of Homeland Security, Chemical Security Analysis Center
  • Food Defense & Supply Chain Perspectives: Regional Resilience Action Plan with Jose Dossantos, Department of Homeland Security/CISA

Watch On Demand video:  https://attendee.gotowebinar.com/recording/2149120139973957136

 


Jim Jones to Keynote 2024 Food Safety Consortium in October

By Food Safety Tech Staff

Food Safety Tech is thrilled to announce that James (Jim) Jones, Deputy Commissioner for Human Foods at FDA, will be the keynote speaker for the 2024 Food Safety Consortium, which will be held October 20-22 at the Crystal Gateway Marriott in Arlington, Virginia. Jones joined the FDA in September 2023 as the agency’s first Deputy Commissioner for Human Foods.

Now in its 12th year, the Food Safety Consortium brings together food safety and quality assurance professionals for education, networking and discussion geared toward solving the key challenges facing the food safety industry. In addition to two days of educational presentations and panel discussions, the Consortium will offer full-day pre-conference workshops, focused on topics including auditor training and food safety culture design, on Sunday, October 20.

This year’s session highlights include:

Navigating Global Food Systems: Insights and Strategies for Compliance with FDA’s Food Traceability Rule

Presenters: John Crabill, Director of Food Safety & Quality, Chipotle; Adam Friedlander, Policy Analyst, Coordinated Outbreak Response and Evaluation (CORE) Network, FDA; Julie McGill, VP of Supply Chain Strategy & Insights, Trustwell; and Sara Bratager, Sr. Food Safety & Traceability Scientist, Global Food Traceability Center at IFT

Are you the weakest link in the supply chain? Steps for bulletproofing your facility to become a major supplier

Presenters: Jorge Hernandez, VP of Quality Assurance, The Wendy’s Company; Tyler Williams, President, ASI

Next Level Preventive Controls

Presenter: Cathy Crawford, President, HACCP Consulting Group

Understanding Corrective Actions, Nonconformities and Root Cause Analysis

Presenter: Heather McLemore, Senior Accreditation Officer, A2LA


Demonstrating Food Safety Culture

Presenters: Tia Glave and Jill Stuber, Co-Founders, Catalyst, LLC

The Internal Audit: Going Beyond the Certificate

Presenter: Cameron Prince, Executive VP, Regulatory Affairs, The Acheson Group (TAG)

Millions of Chemicals…But Which are Reasonably Likely to Occur?

Presenter: Tracie Sheehan, Technical Services, Mérieux NutriSciences

In-person and virtual registration available.

Event Hours

Sunday, October 20: 8:30 am – 5:00 pm (Pre-conference Workshops)

Monday, October 21: 8:00 am – 6:30 pm

Tuesday, October 22: 8:30 am – 3:45 pm


For sponsorship and exhibit inquiries, contact RJ Palermo, Director of Sales.

About the Food Safety Consortium

The Food Safety Consortium is an educational and networking event for Food Protection that has food safety, food integrity and food defense as the foundation of its educational content. With a unique focus on science, technology and compliance, the “Consortium” enables attendees to engage in conversations that are critical for advancing careers and organizations alike. Delegates visit with exhibitors to learn about cutting-edge solutions, explore high-level educational tracks, and network with industry executives to find solutions to improve quality, efficiency and cost effectiveness in the evolving food industry.

 


Call For Abstracts: 2024 Food Safety Consortium

By Food Safety Tech Staff

Share your expertise, experience and/or research with fellow food safety and quality assurance professionals at the 2024 Food Safety Consortium, taking place on October 20-22, 2024, at the Crystal Gateway Marriott, near downtown Washington, DC.

We are seeking abstracts for educational presentations, panel discussions and Posters in the following categories:

Food Safety Hazards – Detection, Mitigation, Control, Regulations

Food Safety Culture – Best Practices and Techniques to advance a positive Food Safety Culture

Food Safety Supply Chain Management – Audits, Record Keeping, Logistics, etc.

Food Integrity – Food Fraud, Economically Motivated Adulteration, etc.

Food Defense – Strategies, Best Practices and Regulations

Compliance – Regulatory, FSMA, Standards, GFSI, etc.

Abstracts are due by December 15, 2023, and will be judged based on educational value. Poster submissions are due by June 30, 2024.


Presented by Food Safety Tech, the Food Safety Consortium is a business-to-business conference that brings together food safety and quality assurance professionals for education, networking and discussion geared toward solving the key challenges facing the food safety industry today.

For sponsorship and exhibitor inquiries, contact RJ Palermo, Director of Sales. Stay tuned for registration and early bird specials.

If you missed this fall’s Food Safety Consortium, don’t miss the latest episode of the “Don’t Eat Poop” podcast featuring Food Safety Consortium founder and Food Safety Tech publisher, Rick Biros, as he discusses the conference’s history and role in improving food safety, with hosts Francine Shaw and Matt Regusci.

 

 


Ransomware: Lessons Learned from One Food Company’s Experience

By Food Safety Tech Staff

In fall 2021, G&J Pepsi-Cola Bottlers Inc. came face-to-face with a potential ransomware attack and was able to avert it. We spoke with G&J’s enterprise infrastructure director, Eric McKinney, and cybersecurity engineer, Rory Crabbe, to learn more about how they detected and responded to the attack, the steps they have taken to strengthen their cybersecurity, and what advice they have for other food companies in the wake of the near catastrophe.

What happened to G&J back in 2021, and when did you realize something was wrong?

McKinney: Around Labor Day of 2021, we received a really weird call. The callers were acting as if they were friends looking out for our best interest, and they alerted us to the fact that there may be compromises to our system. They showed us a spreadsheet of usernames in our active directory to verify that they were in our systems, and they said we could pay them to prevent an attack. We did not engage with them further—and we think they may have been part of it—but we believed that something was happening.


We went through all of our servers—we don’t have a large footprint, because we are a cloud first organization—but we did detect some software that should not have been installed on a couple of our servers. We removed that immediately, but we were unable to find the beacons that they leave behind that act as triggers to start encrypting your files.

We made the decisions that if anything happened, we were not going to negotiate, we were not going to try to get our systems back, we were going to shut everything down and roll back. I put myself on call and sure enough I got a call two days later at 3:00 a.m. from one of our people. He was logging in remotely to a server and he said, “Something don’t look right.” I go to his screen and I immediately see the locked files and realize this is really happening.

The thing that saved us ultimately is we use native platform backups. We use Microsoft Azure. So we immediately shut everything down and started rolling back our systems as far back as we could go. Those backup files were not compromised because we don’t leverage backups that tie to a file system within a server. The only way you can touch them is if you have our Cloud credentials, which are all multi-factored.

How did this affect operations?

McKinney: The net impact was our critical systems were down for about seven to eight hours, and we were recovering PCs for almost a week—there were 100 to 150 PCs that were impacted as it continued to move laterally through our organization, and we had to get them all flushed out. We had to roll the system back two weeks, so we lost two weeks of data. That impacted the accounting team the most.

We did experience an event—it was not an almost event. But we never lost a single case of sales and we never paid a single dollar. We took everyone’s computers and blew them away, handed them right back to them and said you’re starting fresh. Fortunately, this only affected employees’ files. They could still get their emails and the things that were in OneDrive.

The things that really worked in our favor were our Cloud-first strategy and getting away from a legacy client architecture. We were still able to communicate. We could send emails, we could set up Teams and we had all the tools to coordinate and get out of this and recover as quickly as we did. The second thing was having those native platform-based backups.

How did this change your digital and cybersecurity strategies?

McKinney: We were doing weekly backups, now we back up every day. And these are full system backups, which means that if you hit restore, the whole system lights back up not just the data but also your operating system that it runs on.

Crabbe: We also reached out to a lot of companies, including Arctic Wolf, who we ultimately began working with to help us figure out what we didn’t know. We worked with them to go through our environment and come up with ideas on how to improve. We are a big Microsoft shop, and we started utilizing a lot of the native tools that we already had such as Defender for Endpoint and the security portal. This addressed a lot of the low hanging fruit, such as automatic updates and not allowing outside vendors to contact us without going through a vetting process.


Arctic Wolf went through our system and sent us a list of recommendations, and a lot of what we did involved utilizing the native tools that we already had, shoring up our defenses, making sure the backups work and creating a disaster recovery plan.

McKinney: We quickly went from being a business of convenience, where we said, “let’s allow USB drives,” to changing all of our technical policies by turning on all of our attack surface reduction rules. We blocked all logins from outside the U.S. and brought in new team members dedicated to cybersecurity.

I have some self-confidence issues due to this attack because your failures are put on display, and there is a feeling that if you were doing a better job this would have been prevented. But we were a very small team and we were responsible for cybersecurity, ERP (enterprise resource planning) initiatives, development initiatives, support and infrastructure initiatives and data initiatives. When you’re wearing all of these hats things do get missed, and in the end it ended up being one application update. One application patch was exposed, which set all of this off. In terms of where we’ve gotten better, we signed up with an MSP (managed service provider) to monitor our environment 24 hours a day seven days a week. In addition, these companies assist your team by keeping them up to date with the latest techniques and providing proactive communication on things that we should be doing to secure and protect our environment.

We’ve taken a lot of steps over the past two years and we still have a long way to go. We will never stop or become complacent.

There is a concern among some people that the Cloud is less secure, and it’s better to control your own servers. Is that a misconception?

Crabbe: When it’s on premise it is your responsibility. If something happens to your infrastructure, you’ve got to be on call and wake up to deal with that. So not only is the Cloud a reduction in personnel work; it’s also peace of mind. Microsoft has its own team of engineers, and they have physical security in place as well. The Azure building is protected by armed guards to protect the data from physical hackers. It’s a lot easier to apply security policies to something that’s in the Cloud because Microsoft can give you options for all kinds of things that you didn’t even know you needed. This makes it easier to visualize where you are and where you need to go.

McKinney: These are also publicly traded companies that have to follow all of the controls that come with being publicly traded. They’re going to do a better job than the one or two individuals that you have at your company who cannot work 24/7 365 days a year.

I appreciate you guys talking openly about this, because one of the issues that comes up in food defense and cybersecurity is people aren’t necessarily sharing information that could help others recognize vulnerabilities. Is it difficult to share this information?

McKinney: We didn’t want to talk about it for a long time. It’s hard to put your failures—or at least what is perceived as a failure—out there. But when you look around, you realize this can happen to anyone. It happened to MGM with all their resources. And one issue that isn’t discussed very often is, behind the business implications is an incredibly stressed out IT team that really is traumatized by an event like this.

In talking with others who have been through this, it’s often the most stressful thing that’s ever happened in their lives. It certainly is the most stressed out I’ve ever been. You’re thinking, I just cost my company millions of dollars. I shut down my business. We may not be able to get product to our people. So many things flash through your mind, and you really don’t want to talk about it or advertise it. Luckily for us, we had the right systems but most importantly we had really great executive support and great team members to help us recover.

When it comes to access management, companies have to balance convenience for their employees with the need for stringent security. Were employees understanding of the changes you had to make, and how did you communicate these changes in processes?

Crabbe: There was a lot of frustration with people saying this worked before, why can’t we do it now? One of the benefits of being a family-owned company is that we are a fairly small group, so we were able to deal with it on almost a case-by-case basis. We have an internal system that people can submit their issues or requests through, and we review them. For example, if somebody needs to move a device to a USB stick to take to an external vendor, we can look at that and say what alternatives do we have? Can we use OneDrive or another native tool to share that information? Does it have to be a USB stick? Or, if someone is going on vacation in Mexico, they can submit a ticket and we can allow them remote access from a specific country for a specific amount of time so they can log-in. We can tell them yes or no on a case-by-case basis and explain why we made the decision.

McKinney: This event also made us ask questions like, do we even need USB sticks? There are so many other tools we can use. A lot of the changes involved looking at more modern ways to collaborate. And a lot of that revolves around retraining and catching your workforce up with the new tools that we have available.

Based on your experience, what advice would you offer other companies?

McKinney: The IT spend in the food and beverage industry is typically small compared to industries like insurance or banking or health care. You need to capture all the signals from all your systems—emails being sent, open, received, etc.—and you must monitor those. Then you need the right algorithms and the right people to make sense of that data. If you are not able to maintain a large enough in-house team, investigate an MSP. They can ingest all the signals, funnel them and turn all that data into actionable items. Also, store your backups off site and limit access. Don’t store them with your production data.

Crabbe: Shore up your defenses using your native tools and create a disaster recovery plan. Those would be my two biggest recommendations for any company going forward. Dig deep and utilize what you’ve got. There’s probably a lot more available to you than you realize you have, and don’t be afraid to reach out to third-party vendors for help.

 


FDA, USDA and DHS Release Review on Emergent Risks Facing U.S. Food and Agriculture

By Food Safety Tech Staff

The U.S. Food and Agriculture (FA) sector is facing significant risks that require improved communication and collaboration between industry and government agencies. On July 13, the FDA, USDA and Department of Homeland Security (DHS) released the 120 Day Food and Agriculture Interim Risk Review, which provides a review of critical and emergent risks to the FA sector, as well as initial mitigation strategies, factors contributing to risk and proposed actions to address risks.

Risks identified in the review include:

Chemical, Biological, Radiological, & Nuclear (CBRN) Threats. CBRN threats are defined as “hazardous contaminants such as poisonous agents including toxic industrial compounds and materials, toxins, and chemical agents and precursors; natural or genetically engineered pests and pathogens of livestock, poultry, fish, shellfish, wildlife, plants, and insects; and physical effects of nuclear detonations or dispersion of radioactive materials.”

Initial Mitigation Strategies: Prevention of CBRN incidents may be achieved through expanding and enhancing existing physical security and administrative controls, including many food defense mitigation strategies, such as control of entry systems at critical points in production, processing, storage, and transportation, surveillance of critical points, pre-employment screening, and clear marking of employees who are authorized to be at critical points.

Cyber Threats. While these are not new risks, the review notes that as the food industry increases its dependence upon technology, including the move toward automation, precision farming and digital agriculture, the likelihood and severity of a crippling cyberattack increases.

Initial Mitigation Strategies: Some FA sector entities have assessed and mitigated cybersecurity vulnerabilities through entity-specific action, using and applying the National Institute of Standards and Technology Cybersecurity Framework or other actions. Future activities should include the reviewing and securing of interconnectivities between systems. To do this, all FA sector entities, both public and private, must improve their understanding of cyber threats and vulnerabilities and reduce their gaps in protection. Future efforts in cybersecurity in the FA sector should prioritize the sharing of information about cyberattacks, research into cybertheft of food and agriculture intellectual property, FA sector dependency on the energy sector and interdependencies within the FA supply chain. The review also highlights the need for funding for a program to assist small and medium size facilities to increase implementation of effective cyber security mitigations.

Climate Change: Natural disasters and extreme weather events, limited water resources, loss of pollinators and pollinator services, and increased exposure potential to pests and pathogens are among the threats to future agricultural productivity which may be exacerbated by climate change.

Initial Mitigation Strategies: Research on environmental hazards and degradation within the FA sector should include water use, irrigation system improvements, dryland management practices, and crop system utilization. Similarly, research targeting pollinator habitat, how climate change affects pollinators, pollinator forage, and pollination rates as it pertains to crop yield, and current and emerging pests and pathogens that negatively impact the optimal health outcomes of people, animals, plants, and their shared environments to include the health of pollinators is vital to long-term crop sustainability and food security. The use of improved monitoring systems, predictive modeling to inform surveillance, early warning systems, and better control options can help reduce the risk of pest and disease agricultural damage due to climate change.

Potential Factors Contributing to Risk

A “potential factor contributing to risk” is defined in the review “as features or operational attributes that render an entity open to exploitation or susceptible to a given hazard.” These include:

  • Food and Agriculture Industry Consolidation
  • Input Shortages, including labor, energy, IT/data, and consumables.
  • Aging and Insufficient Transportation Infrastructure
  • Trade Disruptions
  • Foreign Acquisition
  • Gaps in Preparedness

Proposed Actions

The FDA, USDA and DHS developed a timeline of proposed actions, which includes short-, mid- and long-term strategies to enhance strategic planning, understanding of FA sector risks, and information sharing and engagement. Next steps include:

Threat Assessment: Identify potential actors and threats, delivery systems, and methods that could be directed against or affect the FA sector. (60 days and annually thereafter)

120-Day FA Risk Review: Identify risks to the FA sector from all hazards, identify activities to mitigate risks categorized as high-consequence and catastrophic, identify steps to improve coordination and integration across the FA sector, inform ongoing development of the Federal Risk Mitigation Strategy. (120 days)

Vulnerability Assessments: Identify vulnerabilities within the FA sector in consultation with state, local, tribal, and territorial (FSLTT) agencies and private sector partners. (180 days)

Risk Assessment: Prioritize by the highest risks for the FA sector, implement benchmarking off of results generated from the CBRN Strategic Risk Assessment Summary. The first draft would focus on CBRN and cyber threats with later iterations to include other threats (e.g., energy disruption, pandemics, catastrophic weather events, consequences of climate change). (365 days)

Risk Mitigation Analysis: This will include high-level actions for mitigating threats, a proposed timeline for their completion and a plan for sharing information. The analysis will identify strategies, capabilities, and areas of research and development that prioritize mitigation of the greatest risks as described in the risk assessment, and include approaches to determine the effectiveness of national risk reduction measures. (545 days)

A Unifying Food and Agriculture Community Architecture

Recognizing the need for improved coordination and communication, and an over-arching framework to direct and maintain a consistent approach to preparedness and response to high-consequence and catastrophic incidents within the FA sector, the review also includes a proposed “Food and Agriculture Resilience Architecture.”

The proposed Architecture represents an “integrated, whole-of-community and whole-of-government system of stakeholders and capabilities” approach to strengthening the readiness and resilience of the FA sector.

 

 


Food Protection: Challenges and Opportunities

By Food Safety Tech Staff

The recent ransomware attacks on U.S. Government agencies and hundreds of private U.S. companies are a reminder that cybersecurity remains one of the most significant challenges facing the food and agriculture (Ag) industries today. It was a concern that took center stage at a recent OSPA (Outstanding Security Performance Awards) webinar entitled “Food Protection: The Ultimate Security Challenge?”

Presenters Megan Francies, Food Protection Manager at LambWeston, Mark Wittrock, Assistant Director of Health, Food and Agriculture Resilience, Office of Health Security, U.S. Dept of Homeland Security, David Goldenberg, Chief of InfraGard National Sector Security and Resilience Program (NSSRP), Food and Agriculture Sector at UC Davis, Andy Griffiths, European Regional Security Director at Firmenich, Jason Bashura, MPH, RS, Sr. Manager of Global Food Defense at PepsiCo, and moderator Professor Martin Gill, Director of Perpetuity Research & Consultancy International (PRCI), addressed key questions, including:

  • How well protected is our food supply?
  • What are the risks and are we sure we are preparing and responding effectively?
  • How can increased information sharing between and amongst the public and private sectors help to reduce these risks?

Growing Risk for Food and Ag

Griffiths noted that, due to hostile actors and regional conflicts, supply chains are seeing increased vulnerability, making the implementation of effective transportation security and cargo theft mitigation more important—and more challenging—than ever.

In the U.S. there is a national response framework, but as Wittrock highlighted, both public and private entities need to think broadly and holistically to prepare for and coordinate a response to attacks when they occur.

Strategic alliances and information sharing and analysis centers (ISACs) that allow organizations to share adverse events and strategies are important, but when there are many stakeholders with different—and often competing—interests, it is difficult to communicate in a language and in a timeline that meets the ideal requirements, added Wittrock. When living in an increasingly global world, we also must remember that “your friends today are not necessarily your friends tomorrow,” he said.

The risk of copycat attacks when an event occurs is also a concern, said Goldenberg.

The Need for Communication and Information Sharing

Francies championed the benefits of transparent and effective communication between government and the private sector. Her view was echoed by several panelists who encouraged more opportunities for organizations to share security breaches in a non-attributable manner to help others prepare for and reduce commonly experienced risks.

When asked what the biggest barrier to communication and information sharing is, Wittrock pointed to siloed discussion among key stakeholder groups. “When looking across the entirety of the food and Ag enterprise, it includes many different parts, pieces and stakeholders,” he said. “The communication happens largely in the vacuum of one particular discipline or stakeholder group. What’s lacking first and foremost is that strategic dialogue across communities.”

Efforts to improve communication are often challenged by lack of clear channels through which stakeholders can share information, said Francies. “A lot of times the communication goes out in a way that is not accessible to everybody, and it’s often last minute so people aren’t prepared to provide the insights that we need,” she said. “We need a defined way or area to communicate that is well known and publicly accessible to industry.”

In addition to clear channels, trust needs to be established among organizations and government agencies as well. “Industry has to have trust that the information they are sharing is going to be handled appropriately and that they are getting information that’s trustworthy from other sources,” said Goldenberg. “Unless there is trust across all the sectors and agencies among food and Ag, there is never going to be good communication.”

The need to protect brand reputation is often at the heart of unreported security incidents, said Griffiths. “But I do think there is a willingness to share certainly within industry and there is a need within law enforcement to obtain that information to determine how big the problem or issue is,” he added. “The problem is, there is no mechanism by which this information can be exchanged in a safe and confidential way that maintains the integrity of both the source and also the information that’s being shared. Yet, unless everyone shares across the board through collaboration or cooperation, we’re forever on the run.”

In light of the significant challenges raised related to communication and information sharing, Bashura shared successes that are taking place, including the ASIAS Aero Portal, which was developed by the FAA and MITRE to ensure security of the aviation industry; Operation Opson, a joint operation between Europol and INTERPOL developed to target fake and substandard food and beverages; the Food Industry Intelligence Network; and resources available through the Food Defense Resource Center. In terms of the importance of building trust among industry, Bashura encouraged leaders to reach out to each other. “Pick up the phone. Make a call, send an email, or shoot a text,” he said.

 

 


Now is the Time to Reassess the Food Industry’s Approach to Managing Risk

By George Gansner

The food industry is under intense scrutiny, with concerns about food safety and quality making headlines around the world. Today, the industry faces unprecedented challenges when it comes to ensuring the safety and security of the global food supply chain. Leaders need to manage known concerns such as foodborne pathogens, food fraud and contamination, as well as emerging challenges, including ingredient scarcity and changes in consumer preferences that have created the need to reformulate recipes quickly, source from new suppliers, and increase imports—all of which contribute to increased risks.

Due to climate change and shifting environmental factors we are seeing crop failures, and new bacteria and antimicrobial resistance to foodborne pathogens, which increase the cost of managing food safety. As consumers demand greater transparency and look to place more trust in the food chain, changing buyer habits further compound these challenges by putting a greater onus on food handling, production, manufacturing, and supply companies to provide more education to consumers about foodborne illnesses.

Recalls are the biggest threat to a brand’s profitability and reputation, and this threat is growing. According to FDA reports, recalls increased by 700% in 2022, with undeclared allergens being the leading cause for the last five years. The Food Safety Authority in the UK tells a similar story with undeclared allergens accounting for 84 of the 150 recalls last year, followed by salmonella, listeria, and foreign body contamination.

As food regulations become more complex to navigate, it is now essential to reassess the industry’s approach to managing risk. Protocols such as VACCP and TACCP are regularly used as part of a solid food defense program to identify risks. But the traditional approach of relying solely on regulations and compliance-based systems is no longer sufficient to ensure food safety in today’s complex, volatile and globalized food supply chains. Now is the time to implement a more holistic and dynamic risk-based approach to managing food safety more effectively.

What Is a Risk-Based Approach to Food Safety?

A risk-based approach allows the industry to proactively identify potential food safety risks and take appropriate measures to mitigate them, rather than simply responding to problems as they arise. For example, mature food businesses are building on food safety management systems with food safety audits to identify and manage risk to stay ahead of the curve. A risk-based approach helps underpin the continuous improvement process and, by doing so, demonstrates the ability of a company to be a trusted partner in the global food supply chain.

One of the key aspects of a risk-based approach to managing food safety is proactive intervention and control, using relevant data analysis stored in a cloud-based platform. All stakeholders need access to accurate and actionable data during risk assessment and management to make informed decisions. However, there are many barriers to accessing risk-related data for smaller operators, many of which are still working in a largely manual way.

Data must be collated from across the business, and multiple data sources need to be collected and appropriately analyzed to protect both the brand and public health. It is estimated that we are at least 10 years away from any type of interoperability of industry data, which will allow better transparency and visibility of risk across the supply chain.

Stay Ahead of Emerging Legislation

Visibility of the emerging legislation in source countries of ingredients and raw materials is critical, as are contingency sourcing plans and good risk analysis protocols. Food integrity needs to be a standing agenda point as part of internal meetings, and ESG policies need to be visibly delivered. The industry needs to ensure that it is aware of changes in regulations that could impact the safety and quality of its products through horizon scanning tools. There is also an onus on the industry to make its risk assessments more dynamic to incorporate change at a frequency that is appropriate for risk evaluation with effective crisis management plans in place.

Supply Chain Management Is Critical

Sourcing raw materials and ingredients across supply chains requires best practices. You must ensure that your supply chain partners and suppliers know how to manage a crisis and that emerging risks are shared across the supply chain. Quality, food safety, and regulatory divisions must actively participate in risk assessments and receive relevant data and communication. ESG policies also need to include the supply chain; leaders in this space need to be able to verify that these policies are delivering.

Marketing claims must be vetted and aligned with regulations and markets where products are sold. Procurement, supply chain and communication, and external partners such as NGOs and consumer associations are important groups to involve in risk profiling and ongoing management. While managing emerging issues and horizon scanning is critical, it is also important to remain vigilant on the basics, as most food safety and allergen incidents are known risks.

Detecting Food Fraud

Opportunistic food fraud cases are rising in the high food inflation market, with recent examples including everything from adulterated honey to the mislabeling of beef. To deter food fraud, businesses need to focus on risk-based auditing and testing through sampling programs. Knowing your supply chain, shopping around safely, being vigilant about ingredients and specifications, utilizing training, and building awareness and readiness are imperative to deter food fraud and create a culture of confidence and greater food safety.

Think Differently About Managing Risk

Now is the time for the food industry to reassess its approach to managing risk. A risk-based approach focusing on prevention, continuous improvement, and stakeholder collaboration is necessary to ensure a safe and secure food supply chain in an increasingly complex and challenging environment. The industry must prioritize data accessibility and accuracy, have a crisis management plan, be aware of emerging legislation, and include ESG policies in its risk management strategies. By focusing on risk-based auditing and testing, the industry can deter food fraud and create a culture of confidence.

The probability of eliminating all risks is very low, so the food industry must pivot and be agile to challenge the traditional approaches to managing food safety. It is time to think differently about managing risk and adopt new practices that promote prevention and collaboration.


Strategies To Identify and Prevent Cyber Attacks

By Joseph Carson

Managing and combating cybercrime is no small feat; it can take over 200 days for companies to detect a cyber breach. The reason is that cyber criminals often stay hidden even after gaining access to systems. They lie in wait for the best moment to access the information they want. Once they have it, they may use it to steal money or proprietary information or to collect a ransom. They also may sell access and information to other criminals who will take more aggressive means to exploit the organization.

Preventing cybercrime requires education and cooperation throughout an organization. The following are seven key components of cybersecurity that food businesses should embrace to protect their businesses and products.

1.   Education and Awareness

One of the most effective countermeasures to cybercrime is building a culture of cyber defense and awareness that empowers all employees to ask for guidance and speak up when they see a suspicious situation. Educate employees on how they can prevent nefarious activity on their computers by:

  • Identifying suspicious applications with warnings and popups
  • Flagging suspicious emails with hyperlinks, attachments or unknown senders
  • Not clicking on links or ads from unfamiliar sources
  • Verifying the trustworthiness of a site before inputting credentials
  • Limiting activities on unsecured public Wi-Fi networks

This helps employees not only avoid breaches, but identify and report suspicious activity to help prevent cyber attacks.

Training should be top-down, beginning with the executive suite and department heads. This ensures that there is always someone accountable for implementing and maintaining security measures. From there, the rest of the team can be trained to assess and prevent cybersecurity threats and risks.

2.   Implement and Enforce Mobile App Security

Mobile apps on smartphones and tablets are at risk of security breaches that can expose large amounts of user data. All mobile apps have security controls to help developers design secure applications, but it’s up to the developer to choose the right security options.

Common problems with mobile apps may include:

  • Storing or unintentionally leaking data that could be read by other applications
  • Using poor authentication and authorization checks that could be circumvented by bad actors
  • Using data encryption methods that are vulnerable or easy to break
  • Transmitting sensitive data without proper encryption online

A simple app may not seem like a big deal, but it can allow a hacker to gain access to employee computers and networks. The following measures help improve mobile app security:

Guard sensitive information. Confidential data stored in an app without security measures in place is a target for hackers who reverse-engineer the app's code. The volume of data on the device should be reduced to minimize the risk.

Consider certificate pinning. Certificate pinning is a process that helps apps defend against intermediary (man-in-the-middle) attacks that occur on unsecured networks. There are limitations to this process, however, such as lack of support for network detection and response tools. Certain browsers make certificate pinning difficult, making it more difficult for hybrid applications to run.

Minimize application permissions. Permissions allow applications to operate more effectively, but they also open vulnerabilities to cyber attacks. Apps should only be given permission for their key functions, and nothing more, to reduce this risk.

Enhance data security. Data security policies and guidelines should be implemented. Measures such as having well-implemented data encryption, security tools and firewalls can protect information that’s being transferred, for example.

Do not “save” passwords. Some applications allow users to save their passwords for convenience, but if a theft occurs, these passwords offer access to a lot of personal information. If the password is unencrypted, it has a better chance of being stolen. Ultimately, users should never save passwords on mobile apps.

Log out after sessions. Users often forget to log out of an app or website, which can increase the risk of a breach. Apps with sensitive information, such as payment or banking apps, often enforce session logouts after a certain period of time, but it’s important for users to also get in the habit of logging out of all apps when they’re finished using them.

Add multi-factor authentication. Multi-factor authentication adds another layer of security for users on an app. This method can also shore up security for users with weak or old passwords that are easy to breach. With multi-factor authentication, the user receives a code that needs to be entered with the password to log in. The code may be sent through email, the Google Authenticator app, SMS or biometric methods.

3.   Analyze Logs for Suspicious Activity

Companies should continuously analyze security logs to identify unusual or suspicious activities, such as logins or application executions that occur outside of usual business hours. These measures not only help identify criminal activities, they can help companies determine the root cause of a breach and how it can be prevented in the future.
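One way to run the off-hours check described above, as an added example that is not part of the original article. The log line format, event names, the 07:00-19:00 Monday-to-Friday window, local-time timestamps and the allowlist of scheduled jobs are all assumptions, and the sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime, time

# Assumed policy for this example: business hours are 07:00-19:00, Mon-Fri.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
# Event types worth reviewing when they occur off-hours (assumed names).
WATCHED_EVENTS = {"LOGIN_SUCCESS", "PROCESS_START"}
# Known scheduled activity, as (user, host) pairs, that should not alert.
ALLOWLIST = {("svc_backup", "bkp01")}

# Assumed line format: <ISO timestamp> host=<h> user=<u> event=<E> [extra...]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+host=(?P<host>\S+)"
    r"\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)(?:\s+(?P<extra>.*))?$"
)

# Constructed sample log; hosts, users and addresses are made up.
SAMPLE_LOG = """\
2024-03-04T08:31:12 host=erp01 user=mlopez event=LOGIN_SUCCESS src=10.20.4.18
2024-03-04T23:05:00 host=bkp01 user=svc_backup event=PROCESS_START image=backup_agent
2024-03-05T02:47:33 host=hmi-line3 user=jchen event=LOGIN_SUCCESS src=10.20.9.77
2024-03-05T02:49:10 host=hmi-line3 user=jchen event=PROCESS_START image=remote_tool.exe
2024-03-05T03:01:00 host=erp01 user=jchen event=LOGIN_FAILURE src=10.20.9.77
<<truncated record>>
2024-03-09T14:20:45 host=erp01 user=svc_backup event=LOGIN_SUCCESS src=10.20.0.15
2024-03-06T18:59:59 host=erp01 user=mlopez event=LOGIN_SUCCESS src=10.20.4.18
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    try:
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:  # e.g. month 13: shaped like a timestamp but invalid
        return None
    return record


def is_off_hours(ts):
    """True on weekends or outside the business-hours window."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_off_hours_activity(log_text, allowlist=ALLOWLIST):
    """Return (findings, unparsed_line_numbers) for the given log text."""
    findings, unparsed = [], []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed.append(number)  # keep these: gaps in logs matter too
            continue
        if record["event"] not in WATCHED_EVENTS:
            continue
        if (record["user"], record["host"]) in allowlist:
            continue
        if is_off_hours(record["ts"]):
            findings.append(record)
    return findings, unparsed


def summarize(findings):
    """Count off-hours findings per user so reviewers can triage."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    hits, bad_lines = find_off_hours_activity(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"].isoformat(), hit["host"], hit["user"], hit["event"], hit["extra"])
    print("per-user counts:", summarize(hits))
    print("unparsed line numbers:", bad_lines)
```

The allowlist is keyed on the user and host together, so the backup account's nightly job on its own server stays quiet while the same account logging in to a different host on a Saturday is still reported.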

4.   Keep Systems Patched and Current

Patches identify and correct vulnerabilities in software and applications that may make them susceptible to cyber attacks. All systems and applications should be kept up to date with the latest security patches to prevent hackers and cyber criminals from accessing systems through existing vulnerabilities. Patching and updates may also fix bugs, add new features or increase stability to help the app or software perform better and reduce access points for hackers.

5.   Use Strong Passwords and Protect Privileged Accounts

Any password used in your organization should be strong and unique to the account. It’s also important for employees to change their passwords often. Most applications do not alert users to older or weak passwords. Accountability for password protection falls on the user.

If employees have multiple accounts and passwords, companies can create an enterprise password and account vault to manage and secure credentials. Encourage employees to avoid using the same password multiple times.

If employees have local administrator accounts or privileged access, that has a huge impact on organizational security. If a single system or user account is compromised, it can put the entire organization at risk. Your company should continuously audit and identify privileged accounts and applications that require privileged access and remove administrator rights when they’re not needed. You should also adopt two-factor authentication to prevent accounts from being hacked.

6.   Do Not Allow Installation of Unapproved or Untrusted Applications

Organizations that allow users to have privileged access also allow these users to install and execute applications as needed, no matter where they source the installation. As a result, ransomware and malware are able to infect your system easily, and the cyber criminal can install tools to permit future access at any time.

Privileged users may read emails, browse sites, click on links or open documents that install malicious tools onto their devices. The criminal now has access and may be able to launch attacks throughout the organization’s system or demand ransom for unlocking proprietary data.

There are security controls that can prevent applications and tools from being installed. They include: Application Allowlisting, Dynamic Listing, Real-Time Privilege Elevation and Application Reputation and Intelligence.

7.   Be Deceptive

Whether online or in person, predictability is a boon for criminals. Burglars stake out houses and look for residents with predictable routines, and the same is true of cyber criminals. Automation makes this even easier with scans that are run on a routine, and patches that are implemented on the same day every month, for example.

A predictable company is a vulnerable one, so it is vital to be deceptive. Use random activities and an ad-hoc approach for updates and assessments. With this method, hackers have a more difficult time staying hidden and it’s easier to detect cyber attacks as soon as they occur to mitigate their effects.

Cybercrime is a risk facing all businesses, and the food industry is no exception. Companies that take a proactive approach are in a much stronger position to protect against cyber threats and shore up security. No method is foolproof, but if a breach does occur, identifying it early and mitigating its effects can make a world of difference for your company’s financial health and reputation.


Food Protection and Defense Institute Announces New Director

By Food Safety Tech Staff

Debra Freedman, Ph.D., is the new director of the Food Protection and Defense Institute (FPDI) at the University of Minnesota. Dr. Freedman is an experienced educator, curriculum scholar and researcher. She has worked at FPDI since 2014, collaborating with researchers and scholars, government officials (USDA, FDA, DHS), food industry professionals, public school teachers and Emergency Responders (e.g., Rapid Response Teams, Law Enforcement). Her focus is on development of food defense curricula, online learning programs, learning objects, workshops, certificate programs, professional courses and training guides.

“Over the past four years, FPDI transitioned from a Homeland Security Center of Excellence with a large research portfolio to a successful, self-sustaining center focused on workforce development and education in the food defense and intentional adulteration arenas. Deb has been with FPDI for eight years leading the education portfolio so it is a natural evolution for her to assume the director role,” said outgoing director Jennifer van de Ligt, Ph.D. “I would also like to thank everyone for such an enjoyable tenure as FPDI director. The communities of expertise worldwide that this role has offered have been extraordinary. I will carry the experiences into my future endeavors as I transition to a regulatory and scientific affairs role in the private sector.”