You don’t want to miss this week’s episode of the 2021 Food Safety Consortium Virtual Conference Series. The session, Food Defense: Yesterday, Today and Tomorrow, will discuss pre-FSMA IA Rule voluntary food defense programs, compliance timelines, and regulatory compliance vs. enterprise risk based approaches to food defense. Presenters will address the status of Food Defense plan quick checks and share insights on Food Defense Plan reanalysis. Participants will gain insights on threat intelligence sources and food defense-based research updates. Other topics to be covered include a brief overview of recently released insider risk mitigation reference material, cyber/IT “vulnerabilities”, critical infrastructure protection and how an all-hazards mindset to “all of the above” can help to contribute to a Food Protection Culture.
The following is the lineup of speakers for Thursday’s episode, which begins at 12 pm ET.
Jason Bashura, PepsiCo (moderator)
Food Defense Yesterday with Raquel Maymir, General Mills
FBI HQ Perspectives of Food Defense with Helen S. Lawrence and Scott Mahloch, FBI
Food Defense Tomorrow with Frank Pisciotta, ASIS Food Defense & Ag Security Community and Cathy Baillie, Mars, Inc.
Risk-based Food Defense with Jessica Cox, Department of Homeland Security, Chemical Security Analysis Center
Food Defense & Supply Chain Perspectives: Regional Resilience Action Plan with Jose Dossantos, Department of Homeland Security/CISA
The Fall program runs every Thursday from October 7 through November 4. Haven’t registered? Follow this link to the 2021 Food Safety Consortium Virtual Conference Series, which provides access to all the episodes featuring critical industry insights from leading subject matter experts!
Data breaches, ransomware attacks and now, operational shutdowns. Recent events bear out that cyber strikes are not reserved solely to data breaches and IT systems but now include Operational Technology (OT) and industrial controls to disrupt operations, distribution and the entire food supply chain.
JBS Foods, one of the world’s largest meat producers, was leveled by a cyberattack in early June, affecting U.S. and Australia operations. In a public statement, the organization revealed that it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. “At the time of payment, the vast majority of the company’s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” according to company documents.
There’s a security divide that shouldn’t be there—distinct lines between Cyber, OT and physical security teams that have resulted in disjointed and ineffective detection, mitigation and response to risk—forged by years of siloed departments.
It’s not a new problem—in fact the vulnerability of the critical infrastructure has been a discussion for decades. Moving to a converged approach across all departments, including HR, IT/cyber and OT/SCADA can effectively secure our most critical food production and distribution resources while actively enforcing compliance and company policies. Identity and Access is at the center of it all and the best way to holistically protect the enterprise.
In the example of high-profile enterprise Molson-Coors, a cyberattack in March centered on ransomware. In its SEC filing after the event, the beverage giant stated that the attack “has caused and may continue to cause a delay or disruption to parts of the company’s business,” which includes brewery operations, production and shipping.
The February attack on a Florida Water Treatment plant, which was compromised through a remote access software program on a facility computer, is still another stark reminder of the growing dangers of cyber-physical threats and that even employees can be part of the problem.
You can see just how fragile and vulnerable our supply chains and critical business processes have become. Cybercriminals now realize how disruptive and lucrative attacks targeting these systems can be so they will continue unabated without immediate stop-gaps.
Because these attacks have become blended and omni-present on every part of the critical infrastructure, executives need to move beyond IT-centric cybersecurity to minimize supply threats. This emergence of new attack vectors has other implications. It highlights the dire need to transition from siloed IT, OT, HR and physical security to a converged approach, yet executives remain at odds with how to execute this while working in their own bubbles.
The threat has become even greater than the organization itself. According to predictions by Gartner, liability for cyber-physical security incidents will “pierce the corporate veil to personal liability,” for 75% of CEOs by 2024.
Security Convergence Key Ingredient to Digital Transformation
As the food industry continues to digitally transform, systems and processes move to rapidly connect. Security convergence, centered around identity and access governance, links all these separate departments and operations, so communications and processes actively and collectively address and shore up risk preemptively. Events, exceptions, alerts, alarms and targeted attacks on all points, including the network, control systems and physical security can be integrated for a coordinated and cohesive response.
Securing our most important critical resource—the food supply chain—means correlating threats across underlying HR, IT, physical security and OT used in production and processing. Physical access control and identity now link to specialized plant applications like manufacturing execution systems (MES), plant historians and demand management from ERP that can deliver information directly to production. Monitoring insider and contractor access to batch recipe modification, for example, provides detection and alerts when the addition of a preservative has been suppressed, which would cause a contaminated batch to be produced.
Integrating seamlessly with HR applications, converged software further prevents insider threat by automating background checks and risk analysis during the on-boarding and off-boarding process for employees and contractors.
The threat landscape today demands a single solution to manage operational risk and security. The following is just one example of how this converged approach works.
A fictitious company named Big Food was dealing with disgruntled production foreman Tom. Tom not only had physical access to the production floor, but was intimately familiar with the control system settings to configure recipes for the MES.
Security software’s real-time link to SAP SuccessFactors HCM provided critical real-time data that identified Tom’s history of workplace issues. When Tom accessed the plant area after his normal shift hours, the security platform detected that he was making unusual changes to the production settings to eliminate the addition of preservatives. An alert was immediately sent to security operations staff as well as the plant manager. Incident prevented, with huge savings from avoided downtime and protection from loss of reputation to the company brand.
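The correlation in the Big Food scenario can be sketched as code. The following is an added example, not part of the original article and not any vendor's product; the HR extract, door name, recipe parameter name and all event records are hypothetical and constructed for illustration.

```python
"""Correlate HR, badge and MES recipe-change data (all records are constructed)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Hypothetical HR extract: shift window and an HR-supplied risk flag per employee.
HR = {
    "tom":   {"shift": (time(6, 0), time(14, 0)),  "risk_flag": True},
    "aisha": {"shift": (time(14, 0), time(22, 0)), "risk_flag": False},
}
# Hypothetical recipe parameters whose suppression makes a batch unsafe.
CRITICAL_PARAMS = {"preservative_dose_g_per_kg"}
BADGE_WINDOW = timedelta(hours=4)  # assumed max gap between badge-in and a change


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    door: str


@dataclass(frozen=True)
class RecipeChange:
    ts: datetime
    user: str
    recipe: str
    param: str
    old: float
    new: float


def in_shift(user, ts):
    """True if ts falls inside the user's HR shift window (handles overnight shifts)."""
    start, end = HR[user]["shift"]
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)


def reasons_for(change, badges):
    """Return the list of risk indicators that apply to one recipe change."""
    reasons = []
    if change.param in CRITICAL_PARAMS and change.new <= 0 < change.old:
        reasons.append("critical_param_suppressed")
    hr = HR.get(change.user)
    if hr is None:
        reasons.append("unknown_identity")
    else:
        if not in_shift(change.user, change.ts):
            reasons.append("outside_shift")
        if hr["risk_flag"]:
            reasons.append("hr_risk_flag")
    # A change with no recent badge-in to the floor suggests remote or shared access.
    on_floor = any(
        b.user == change.user and b.door == "production_floor"
        and timedelta(0) <= change.ts - b.ts <= BADGE_WINDOW
        for b in badges
    )
    if not on_floor:
        reasons.append("no_matching_badge_entry")
    return reasons


def find_alerts(changes, badges):
    """Alert on suppressed critical parameters; context raises severity to 'high'."""
    alerts = []
    for c in changes:
        reasons = reasons_for(c, badges)
        if "critical_param_suppressed" not in reasons:
            continue
        severity = "high" if len(reasons) > 1 else "review"
        alerts.append({"user": c.user, "recipe": c.recipe, "ts": c.ts,
                       "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample events.
D = datetime(2021, 6, 3)
SAMPLE_BADGES = [
    BadgeEvent(D.replace(hour=14, minute=5), "aisha", "production_floor"),
    BadgeEvent(D.replace(hour=21, minute=40), "tom", "production_floor"),
]
SAMPLE_CHANGES = [
    RecipeChange(D.replace(hour=15, minute=0), "aisha", "bar-A", "mix_time_s", 120, 135),
    RecipeChange(D.replace(hour=15, minute=30), "aisha", "trial-B",
                 "preservative_dose_g_per_kg", 0.8, 0.0),
    RecipeChange(D.replace(hour=16, minute=30), "aisha", "bar-A",
                 "preservative_dose_g_per_kg", 0.8, 0.6),
    RecipeChange(D.replace(hour=22, minute=5), "tom", "bar-A",
                 "preservative_dose_g_per_kg", 0.8, 0.0),
    RecipeChange(D + timedelta(days=1, hours=2, minutes=10), "contractor7", "bar-C",
                 "preservative_dose_g_per_kg", 0.8, 0.0),
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_CHANGES, SAMPLE_BADGES):
        print(a["ts"], a["severity"], a["user"], a["recipe"], ",".join(a["reasons"]))
```

A suppressed preservative on its own is only queued for review; it is the combination with an off-shift badge-in, an HR flag, an unknown identity or a missing badge entry that escalates it.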
The food and beverage industry must meet high quality standards and adhere to rapid production cycles to preserve nutrition value and freshness. Convergence and automation are the keys to achieving these goals. As OT and IT networks become increasingly interconnected, OT environments become more exposed to cyber-physical attacks, which can result in tainted products, downtime and revenue losses. Security solutions that secure enterprise IT applications and plant applications deliver continuous monitoring that prevents sabotage, acts of terrorism and other malicious acts. There’s also the ability to manage other supply chain risks, including changes to master data and transactions as well as the movement of goods and arrival notification requirements by the FDA.
Today’s malicious actors don’t think in silos but most companies still do. As security and technology leaders we are compelled to rise and meet the challenge. It’s clear that only a converged approach, beyond IT-centric cybersecurity, is the way forward.
The recent cyberattack that shut down meat supplier JBS should be a wakeup call to the food industry. These attacks are on the rise across industries, and food operations both large and small need to be prepared. In a Q&A with Food Safety Tech, Brent Johnson, partner at Holland & Hart, breaks down key areas of vulnerability and how companies in the food industry can take proactive steps to protect their operations and ultimately, the consumer.
Food Safety Tech: Given the recent cyberattack on JBS, how vulnerable are U.S. food companies, in general, to this type of attack? How prepared are companies right now?
Brent Johnson: Food companies are in the same boat as other manufacturers. Cyber threats are constantly evolving and hackers are developing increasingly sophisticated delivery systems for ransomware. Food companies are obviously focused on making and delivering safe and compliant products and getting paid for them. Cybersecurity is important, but it’s difficult for manufacturers to devote the resources necessary to make their systems bulletproof when it’s an ancillary part of their overall operations and a cost driver. Unfortunately, hackers only have one job.
We tend to think of big tech and financial services companies as the prime targets for ransomware attacks because of the critical nature of their technology and data, but food companies are really no different. Plus, unlike tech companies and the financial services industry, food companies haven’t, as a general matter, developed the robust defenses necessary to thwart attacks, so they’re easier targets.
Food Safety Tech: What is the overall impact of a cyberattack on a food company, from both a business as well as a consumer safety perspective?
Johnson: It may come as a bit of a surprise to those who don’t work in the food industry, but food production (from slaughterhouses to finished products) is highly automated and data driven. That’s one of the lessons of the JBS ransomware attack. The attack shut down meat processing facilities across the United States and elsewhere. I work in Utah and the JBS Beef Plant in Hyrum was temporarily shut down. JBS cancelled two shifts at its meatpacking operation in Greeley, Colorado where my firm has a large presence as well, because of the ransomware attack. So, the impact on a food company’s business from a successful ransomware attack is dramatic.
On the consumer safety side, a ransomware attack that impacts automated safety systems would cause significant problems for a food manufacturer. Software controls much of the food industry’s safety systems—from sanitation (equipment washdowns and predictive maintenance) to traceability (possible pathogen contamination and recalls) to ingredient monitoring (including allergen detection). Every part of a food company’s production system is traced, tracked, and verified electronically. A ransomware attack on a food maker would very likely compromise the company’s ability to produce safe products.
Food Safety Tech: What proactive steps should food companies be taking to protect themselves against a cyberattack?
Johnson: I wish there was an easy and foolproof system for food companies to implement to protect against cyber attacks, but there isn’t. The threats are always changing. The Biden Administration’s recent memorandum to corporate executives and business leaders on strengthening cyber defenses is a good starting point, however. The White House’s Deputy National Security Adviser for Cyber and Emerging Tech, Anne Neuberger, reiterated the following “Five Best Practices” from President Biden’s executive order. These practices are multifactor authentication, endpoint detection and response, aggressive monitoring for malicious activities on the company’s networks and blocking them, data encryption, and the creation of a skilled cyber security team with the ability to train employees, detect threats and patch system vulnerabilities.
Food Safety Tech: Are there specific companies within the food industry that are especially susceptible?
Johnson: Not really. Hackers are opportunistic and look for the paths of least resistance. That said, as can be seen from the recent Colonial Pipeline and JBS ransomware attacks, hackers have transitioned from the early days of going after individuals and small businesses to whale hunting. The money is better.
It’s important to observe that the recent attacks have been directed at industries that present national infrastructure concerns (oil, the food supply). There’s no evidence of any involvement by a foreign government in these attacks, but it’s a fair question as to whether the hackers, themselves, expect that the federal government will step in at some point to assist the victims of cyber attacks financially due to their critical importance.
Food Safety Tech: Where do you see the issue of cybersecurity and cyberattacks related to the food industry headed in the future?
Johnson: Other than the certainty that the attacks will increase in both intensity and sophistication, I have no prediction. It’s not a time for complacency.
Yesterday marked the beginning of the 2020 Food Safety Consortium Virtual Conference Series. Episode 1 featured Food Defense Foundational Planning Elements: Strategies, Insights and Best Practices. Led by Jason Bashura, senior manager, global defense at PepsiCo, food defense experts from manufacturing, retail and the government shared different perspectives on the FSMA Intentional Adulteration rule; how to develop a food defense plan; the key role that food safety culture plays in food defense; education and training; and establishing awareness of and combating various threats to the food supply, including the insider threat.
Especially eye-opening was the information presented by Robert Norton, Ph.D. of Auburn University about the threats against the food supply (a “target-rich environment”) and the range of adversaries and their motivation for disrupting the food supply.
Almost everybody loves chocolate, an ancient, basic, almost universal and primal source of pleasure. “The story of chocolate begins with cocoa trees that grew wild in the tropical rainforests of the Amazon basin and other areas in Central and South America for thousands of years… Christopher Columbus is said to have brought the first cocoa beans back to Europe from his fourth visit to the New World” between 1502 and 1504.1
Unfortunately, the production of chocolate and chocolate products today is as complex as any other global food product with supply chains that reach from one end of the world to the other. The complexity of the supply chain and production, along with the universal demand for the finished product, exposes chocolate to increasing pressure from numerous hazards, both unintentional and intentional. For example, we know that more than 70% of cocoa production takes place in West African countries, particularly the Ivory Coast and Ghana. These regions are politically unstable, and production is frequently disrupted by fighting. While production has started to expand into more stable regions, it has not yet become diversified enough to normalize the supply. About 17% of production takes place in the Americas (primarily South America) and 9% from Asia and Oceania.2
In today’s world of global commerce these pressures are not unique to chocolate. Food quality and safety experts should be armed with tools and innovations that can help them examine specific hazards and fraud pertaining to chocolate and chocolate products. In fact, the global nature of the chocolate market requires fast reflexes that protect brand integrity and dynamic quality processes supported by informed decisions. Digital tools have become a necessity when a fast interpretation of dynamic data is needed. If a food organization is going to effectively protect the public’s health, protect its brand and comply with various governmental regulations and non-governmental standards such as GFSI, then horizon scanning, along with the use of food safety intelligent digital tools, needs to be incorporated into the food company’s core FSQA program.
This article pulls information from a recent industry report about chocolate products that presents an examination of the specific hazards and fraud pertaining to chocolate and chocolate products along with ways to utilize this information.
Cocoa and chocolate products rely on high quality ingredients and raw materials, strict supplier partnership schemes and conformity to clearly defined quality and safety standards. During the past 10 years there have been a significant number of food safety incidents associated with chocolate products. The presence of Salmonella enterica, Listeria monocytogenes, allergens and foreign materials in cocoa/chocolate products have been reported on a global scale. Today, information on food safety incidents and potential risks is quickly and widely available by way of the internet. However, because the pertinent data is frequently siloed, food safety professionals are unable to take full advantage of it.
Top Emerging Hazards: Chocolate Products (2013-2018)
Publicly available data, from sources such as European Union RASFF, Australian Competition and Consumer Commission, UK Food Standards Agency, FDA, Food Standards Australia New Zealand (FSANZ), shows a significant increase in identified food safety incidents for cocoa/chocolate products from 2013 to 2018. For this same time period, the top emerging hazards that were identified for chocolate products were the following:
Allergens: 51.60%
Biological: 16.49%
Foreign bodies: 13.83%
Chemical: 7.45%
Fraud: 6.38%
Food additives & flavorings: 4.26%
Other hazards: 2.66%
By using such information to identify critical food safety protection trends, which we define to include food safety (unintentional adulteration) and food fraud (intentional adulteration, inclusive of authenticity/intentional misrepresentation) we can better construct our food protection systems to focus on the areas that present the greatest threats to public health, brand protection and compliance.
A Data Driven Approach
Monitoring Incoming Raw Materials
Assessment and identification of potential food protection issues, including food safety and fraud, at the stage of incoming raw materials is of vital importance for food manufacturers. Knowledge of the associated risks and vulnerabilities allows for timely actions and appropriate measures that may ultimately prevent an incident from occurring.
Specifically, the efficient utilization of global food safety and fraud information should allow for:
Identification of prevalent, increasing and/or emerging risks and vulnerabilities associated with raw materials
Comparative evaluation of the risk profile for different raw materials’ origins
Critical evaluation and risk-based selection of raw materials’ suppliers
A comprehensive risk assessment must start with the consideration of the identified food safety incidents of the raw material, which include the inherent characteristics of the raw material. Next, the origin-related risks must be taken into account and then the supplier-related risks must be examined. The full risk assessment is driven by the appropriate food safety data, its analysis and application of risk assessment scientific models on top of the data.
Using food safety intelligent digital tools to analyze almost 400 unique, chocolate product related food safety incidents around the globe provides us with important, useful insights about cocoa as a raw material, as a raw material from a specific origin and as a raw material being provided by specific suppliers. The graph below represents the results of the analysis illustrating the trend of incidents reported between 2002 and 2018. It can be observed that after a significant rise between 2009 and 2010, the number of incidents approximately doubled and remained at that level for the rest of the evaluated period (i.e., from 2010 to 2018), compared to the period from 2002 to 2005.
By further analyzing the data stemming from the 400 food safety incidents and breaking them down into more defined hazards, for incoming raw materials, we can clearly see that chemical hazards represent the major hazard category for cocoa.
Chemical: 73.46%
Biological: 16.49%
Organoleptic aspects: 5.93%
Other Hazards: 4.38%
Fraud: 2.32%
Foreign bodies: 2.06%
Food additives and flavorings: .77%
Allergens: .52%
Food contact materials: .52%
Using the appropriate analytical tools, someone can drill down into the data and identify the specific incidents within the different hazard categories. For example, within the “chemical hazard” category specific hazards such as organophosphates, neonicotinoids, pyrethroids and organochlorines were identified.
Comparative Evaluation of Risk Profiles for Different Origins of Raw Materials
The main regions of origin for cocoa globally are Africa, Asia and South America. After collecting and analyzing all relevant data from recalls and border rejections and the frequency of pertinent incidents, we can accurately identify the top hazards for cocoa by region.
The top five specific hazards for the regions under discussion are listed in Table I.
| Rank | Africa | South America | Asia |
|------|--------|---------------|------|
| 1 | Organophosphate | 2,4-dinitrophenol (DNP) | 2,4-dinitrophenol (DNP) |
| 2 | Molds | Pyrethroid | Poor or insufficient controls |
| 3 | Neonicotinoid | Aflatoxin | Aflatoxin |
| 4 | Pyrethroid | Cadmium | Spoilage |
| 5 | Organochlorine | Anilinopyrimidine | Salmonella |
Table I. Top Five Hazards By Region
After the first level of analysis, a further interpretation of the data using the appropriate data intelligence tools can help reach very specific information on the nature of the incidents. This provides additional detail that is helpful in understanding how the regional risk profiles compare. For example, the prevalence of chemical contamination, as either industrial contaminants or pesticides, has been a commonly observed pattern for all three of the regions in Table I. However, beyond the general hazard category level, there are also different trends with regard to specific hazards for the three different regions. One such example is the increased presence of mold in cocoa beans coming from Africa.
The primary hazard categories for cocoa as a raw ingredient were identified, and a comparison among the primary hazards for cocoa by region (origin-specific) should take place. The next step in a data-powered supplier assessment workflow would be to incorporate our use of global food safety data in evaluating the suppliers of the raw materials.
The Role of Global Food Safety Data
This article has been focused on chocolate products but has only touched the surface in terms of the information available in the complete report, which also includes specific information about key raw materials. Let’s also be clear that the techniques and tools used to generate this information are applicable to all food products and ingredients. As we strive to produce food safely in the 21st Century and beyond, we must adapt our methods or be left behind.
The regulatory environment the food industry must operate in has never been more intense. The threats to an organization’s brand have never been greater. This is not going to change. What must change is the way in which food companies confront these challenges.
Global food safety data can contribute to the establishment of an adaptive food safety/QA process that will provide time savings and improve a quality team’s efficiency and performance.
Based on the continuous analysis of food recalls and rejections by key national and international food authorities, a food safety / quality assurance manager could establish an adaptive supplier verification process and risk assessment process by utilizing the knowledge provided by such data. In that way, QA, procurement, food safety and quality departments can be empowered with critical supplier data that will inform the internal procedures for incoming materials and ingredients (e.g., raw materials, packaging materials) and allow for adaptive laboratory testing routines and compliance protocols. Moreover, food safety systems can become adaptive, enabling quality assurance and safety professionals to quickly update points of critical control when needed, and intervene in important stages of the chocolate manufacturing process.
Last week’s seventh annual Food Safety Consortium brought together a variety of industry experts to discuss key topics around regulation, compliance, leadership, testing, foodborne illness, food defense and more. The following are just a few sound bites from what we heard at the event.
“The food system today, while it’s still impressive, it still has one Achilles heel—lack of traceability and transparency.” – Frank Yiannas, deputy commissioner for food policy & response, FDA.
“A typical food company only has about 5% visibility into known supply chain threats.” – Ron Stakland, senior business development, FoodChain ID, Inc.
“For most of us, our supply chain is a big black hole. Why are we so fearful of technology? Is it the implementation itself? What if technology could help us solve some of those perennial problems? There are resources available to help us get there.” – Jeremy Schneider, business development director, food safety and quality assurance, Controlant
“The records tell the story of how well the facility is being managed. It’s the first thing the regulators are going to look at.” – Glenn Black, Ph.D., associate director for research, CFSAN, FDA, on validation considerations and regulations for processing technologies in the food industry
“We’ll see more robotics enter the food space.” – Gina Nicholson Kramer, executive director, Savour Food Safety International
“Changes are happening; you can choose to face it or ignore it. We’re at least 10 years behind on technology. Automation/technology is not a new term in aerospace, etc., but to us [the food industry], it is. We will get there.” – Melody Ge, head of compliance, Corvium, Inc., on how industry should prepare for the data-driven transformation occurring in the smarter era of food safety
“It’s okay to risk and fail, but how are going to remediate that with your employee? The more learners practice in different scenarios, the less they rely on specific examples. [They] become more adept with dealing with decision making.” – Kathryn Birmingham, Ph.D., VP for research and development, ImEpik, on employee training
“As a contract lab with the vision of testing for foodborne viruses for about 10 years—it wasn’t until about three or four years ago that we had the test kits to turn that into a reality. We also didn’t have a reference method.” – Erin Crowley, chief scientific officer, Q Laboratories, on the viral landscape of testing in the food industry
“You have to be strong and you have to believe in yourself before you get into any situation—especially as a food safety professional.” – Al Baroudi, Ph.D., vice president of quality assurance and food safety at The Cheesecake Factory, on what it takes to earn respect as a food safety professional
“’See something, say something’ is likely not enough. We recommend that companies develop a formal detection program that includes management buy-in, HR and governance, and policy documents, formal training and an awareness program…While FDA focuses on the insider threat, we feel that using a broader mitigation approach works best.” – R. Spencer Lane, senior security advisor, Business Protection Specialists, Inc. on lessons learned from food defense intentional adulteration vulnerability assessments
“Food safety is a profession, a vocation, [and] a way of life.” – Bob Pudlock, president of Gulf Stream Search
Sadly, more and more these days, terrorism has become a prevalent concern. The food sector is not immune to threats either, especially as soft targets and lone wolf attacks become more common.
Food Safety Tech discussed the issue with special agent Scott Mahloch, weapons of mass destruction coordinator for FBI Chicago, during a conversation leading up to this year’s Food Safety Consortium, where Mahloch will be speaking.
Food Safety Tech: In the past year, have there been any changes or new developments in the way in which the FBI conducts outreach to the food industry?
Scott Mahloch presented FBI’s Role in Food Defense on November 29 at the 2017 Food Safety Consortium.
Scott Mahloch: The U.S. food system continues to be a soft target, largely unprotected from the insider threat. Since last year’s Food Safety Consortium we have done targeted outreach to the top dozen food processing facilities in the Chicago area. We worked with our intelligence team, came up with a list of questions and spoke with food safety managers and facility managers regarding the insider threat and educated them on the WMD [FBI’s Weapons of Mass Destruction] program.
FST: Do other divisions of the FBI work in a similar manner as the Chicago division?
Mahloch: It really depends on the office. We have 56 field offices around the nation. In every office we have a WMD coordinator, so it depends on his or her area of responsibility and what that area commands. For example, our office in Springfield [Illinois] is more agriculturally based than we are here in Chicago. Their food outreach would be very similar, but they might be looking at the farms and the agricultural aspect of food production.
FST: Are there any imminent threats to the food sector? Have you seen anything new over the past year?
Mahloch: No, we have not [seen] anything here in the homeland. The bad guys overseas have always expressed interest in attacking food and water, and that remains the same. It’s more the international terrorist groups that have always stressed this in the past. That’s one of the drivers of why we’re so involved in this outreach—we never want that to happen here in the United States. To get in front of the threat, we go out and talk to subject matter experts in this area, the facility managers and food safety managers to get the information out there.
FST: As FBI takes a proactive approach to food defense, what responses have you seen with food companies thus far?
Mahloch: It’s been very positive. People out there believe in our mission and in what we’re doing, and they want to ensure safety and security in their facilities. Communication has been great; they’ve welcomed us into their facility, taken us on facility tours, shown us production lines and answered our questions. It’s been a great relationship.
FST: Does the FBI concern itself with global food supply chain security in terms of how it affects the United States?
Mahloch: Yes, absolutely. What I do is more on a local level here in Chicago, and the same goes for my fellow coordinators in the field offices. We focus on our area of responsibility. The WMD director has a unit that deals with food and water safety. We also have an overseas lead attaché program that works—those folks are also involved in WMD.
FST: What can attendees look forward to hearing about during your presentation at this year’s Food Safety Consortium?
Mahloch: A lot of it will be education and just getting the word out there that the FBI has a role in food safety, food protection and water safety. A lot of people don’t realize the FBI is involved in this. Usually when you think food protection, you think the USDA, FDA, Homeland Security and other agencies that have programs. So a lot of it will be education and telling [attendees] what we do, what we’re about, and where they can turn in a time of need for additional resources. That’s probably the biggest takeaway from the FBI.
[In addition], on outreach and how the FBI is perceived, what we’ve noticed is that we’ve gone into facilities and their defenses are up a bit because they think the FBI is going to regulate, take a look at their processes and inspect. That’s really not what we’re about. We’re not a regulator—we don’t go in and try to change internal processes or rip apart what they’re doing. What we do is strictly education. There are other regulatory bodies that mandate how things are supposed to be shipped, stored and processed. That’s not the FBI. Sometimes there’s that misconception when we go in and want to do some outreach—that FBI is there to regulate. That’s not the truth. We’re a resource and we’re trying to open those doors of communication.
And as far as the threat in the homeland, right now there is none and we continue to try to stay ahead of the threat through education and being a resource.
Vulnerability assessments are a key provision of the FSMA final rule, Mitigation Strategies to Protect Food Against Intentional Adulteration. With this requirement comes the “identification of vulnerabilities and actionable process steps” that must be taken to mitigate potential threats. During the IAFP annual meeting Lance Reeve, senior risk management consultant for food safety and defense at Nationwide Agribusiness Insurance Co., reviewed the important and sometimes-overlooked areas that companies should be looking at when conducting vulnerability assessments.
Inside the Plant
To start, vulnerability assessments should be conducted at different times of the day, and the process should involve a team approach, said Reeve. Food defense cannot effectively be managed by a single person within a facility: It needs to involve all departments, from human resources to IT to production to warehousing, and extend to outside suppliers and vendors. How is the flow of employees and visitors around the facility managed? Do staff members wear color-coded badges? Some companies have a color-coding plan to prevent contamination, but it is also a useful tool to ensure that unauthorized employees, outside contractors and visitors aren’t in restricted areas. For example, the maintenance shop may contain deadly food contaminants—do you really want general employees to be able to get into this area? Consider using electronic technology such as biometric access control to limit access based on employee/security credentials.
Working with the human resources department is a critical part of protecting a facility. Does your company have the capability to conduct thorough background checks on all employees? In addition, with all the different types of contractors and vendors who enter your facility, it’s important to find out whether your contracting companies are doing the same level of background checks as your organization when they hire employees. And finally, examine the culture within the organization. Do employees challenge the presence of visitors who shouldn’t be on the premises?
Outside the Facility
In many cases, companies will look at the inside of their facility for potential hazards and vulnerabilities, but what about the perimeter? How are you controlling the people who are coming onto company property? While this may seem obvious, Reeve recommended physical objects to establish authority: fences (establish physical border), signs (establish where control begins), and CCTV cameras (establish security). And when looking at the outside of the building itself, how secure is the roof? What access does a potential attacker have into the facility via the roof? How often are security checks conducted here (if at all)?
Throughout any given day, a company can receive several cargo shipments from a variety of different suppliers. Are you familiar with the food safety programs of your suppliers? They play a critical role in food defense strategies. And when your company receives shipments, Reeve advised that companies go beyond looking at the seals on trucks and examine the transportation system itself. Is cargo removed in a secure area? Is an authorized employee supervising the process or is it left in the hands of the third-party driver?
And finally, a critical part of your mitigation strategy should be to challenge the system. Once you think you may have found all the vulnerabilities, conduct penetration testing.
Food businesses face a range of risks, from lack of consumer confidence to supply chain security. As FSMA regulations and issues such as climate change rise to the top of the list of priorities of global governments and regulators, food companies need to secure the reins on their businesses to ensure they can face these seven emerging risks in 2016 and beyond.