The recent cyberattack that shut down meat supplier JBS should be a wakeup call to the food industry. These attacks are on the rise across industries, and food operations both large and small need to be prepared. In a Q&A with Food Safety Tech, Brent Johnson, partner at Holland & Hart, breaks down key areas of vulnerability and how companies in the food industry can take proactive steps to protect their operations and ultimately, the consumer.
Food Safety Tech: Given the recent cyberattack on JBS, how vulnerable are U.S. food companies, in general, to this type of attack? How prepared are companies right now?
Brent Johnson: Food companies are in the same boat as other manufacturers. Cyber threats are constantly evolving and hackers are developing increasingly sophisticated delivery systems for ransomware. Food companies are obviously focused on making and delivering safe and compliant products and getting paid for them. Cybersecurity is important, but it’s difficult for manufacturers to devote the resources necessary to make their systems bulletproof when it’s an ancillary part of their overall operations and a cost driver. Unfortunately, hackers only have one job.
We tend to think of big tech and financial services companies as the prime targets for ransomware attacks because of the critical nature of their technology and data, but food companies are really no different. Plus, unlike tech companies and the financial services industry, food companies haven’t, as a general matter, developed the robust defenses necessary to thwart attacks, so they’re easier targets.
Food Safety Tech: What is the overall impact of a cyberattack on a food company, from both a business as well as a consumer safety perspective?
Johnson: It may come as a bit of a surprise to those who don’t work in the food industry, but food production (from slaughterhouses to finished products) is highly automated and data driven. That’s one of the lessons of the JBS ransomware attack. The attack shut down meat processing facilities across the United States and elsewhere. I work in Utah and the JBS Beef Plant in Hyrum was temporarily shut down. JBS cancelled two shifts at its meatpacking operation in Greeley, Colorado where my firm has a large presence as well, because of the ransomware attack. So, the impact on a food company’s business from a successful ransomware attack is dramatic.
On the consumer safety side, a ransomware attack that impacts automated safety systems would cause significant problems for a food manufacturer. Software controls much of the food industry’s safety systems—from sanitation (equipment washdowns and predictive maintenance) to traceability (possible pathogen contamination and recalls) to ingredient monitoring (including allergen detection). Every part of a food company’s production system is traced, tracked, and verified electronically. A ransomware attack on a food maker would very likely compromise the company’s ability to produce safe products.
Food Safety Tech:What proactive steps should food companies be taking to protect themselves against a cyberattack?
Johnson: I wish there was an easy and foolproof system for food companies to implement to protect against cyber attacks, but there isn’t. The threats are always changing. The Biden Administration’s recent memorandum to corporate executives and business leaders on strengthening cyber defenses is a good starting point, however. The White House’s Deputy National Security Adviser for Cyber and Emerging Tech, Anne Neuberger, reiterated the following “Five Best Practices” from President Biden’s executive order. These practices are multifactor authentication, endpoint detection and response, aggressive monitoring for malicious activities on the company’s networks and blocking them, data encryption, and the creation of a skilled cyber security team with the ability to train employees, detect threats and patch system vulnerabilities.
Food Safety Tech: Are there specific companies within the food industry that are especially susceptible?
Johnson: Not really. Hackers are opportunistic and look for the paths of least resistance. That said, as can be seen from the recent Colonial Pipeline and JBS ransomware attacks, hackers have transitioned from the early days of going after individuals and small businesses to whale hunting. The money is better.
It’s important to observe that the recent attacks have been directed at industries that present national infrastructure concerns (oil, the food supply). There’s no evidence of any involvement by a foreign government in these attacks, but it’s a fair question as to whether the hackers, themselves, expect that the federal government will step in at some point to assist the victims of cyber attacks financially due to their critical importance.
Food Safety Tech:Where do you see the issue of cybersecurity and cyberattacks related to the food industry headed in the future?
Johnson: Other than the certainty that the attacks will increase in both intensity and sophistication, I have no prediction. It’s not a time for complacency.
Yesterday marked the beginning of the 2020 Food Safety Consortium Virtual Conference Series. Episode 1 featured Food Defense Foundational Planning Elements: Strategies, Insights and Best Practices. Led by Jason Bashura, senior manager, global defense at PepsiCo, food defense experts from manufacturing, retail and the government shared different perspectives on the FSMA Intentional Adulteration rule; how to develop a food defense plan; the key role that food safety culture plays in food defense; education and training; and establishing awareness of and combating various threats to the food supply, including the insider threat.
Especially eye-opening was the information presented by Robert Norton, Ph.D. of Auburn University about the threats against the food supply (a “target-rich environment”) and the range of adversaries and their motivation for disrupting the food supply.
Almost everybody loves chocolate, an ancient, basic, almost universal and primal source of pleasure. “The story of chocolate beings with cocoa trees that grew wild in the tropical rainforests of the Amazon basin and other areas in Central and South America for thousands of years… Christopher Columbus is said to have brought the first cocoa beans back to Europe from his fourth visit to the New World” between 1502 and 1504.1
Unfortunately, the production of chocolate and chocolate products today is as complex as any other global food product with supply chains that reach from one end of the world to the other. The complexity of the supply chain and production, along with the universal demand for the finished product, exposes chocolate to increasing pressure from numerous hazards, both unintentional and intentional. For example, we know that more than 70% of cocoa production takes place in West African countries, particularly the Ivory Coast and Ghana. These regions are politically unstable, and production is frequently disrupted by fighting. While production has started to expand into more stable regions, it has not yet become diversified enough to normalize the supply. About 17% of production takes place in the Americas (primarily South America) and 9% from Asia and Oceania.2
In today’s world of global commerce these pressures are not unique to chocolate. Food quality and safety experts should be armed with tools and innovations that can help them examine specific hazards and fraud pertaining to chocolate and chocolate products. In fact, the global nature of the chocolate market, requires fast reflexes that protect brand integrity and dynamic quality processes supported by informed decisions. Digital tools have become a necessity when a fast interpretation of dynamic data is needed. If a food organization is going to effectively protect the public’s health, protect their brand and comply with various governmental regulations and non-governmental standards such as GFSI, horizon scanning, along with the use of food safety intelligent digital tools, needs to be incorporated into food company’s core FSQA program.
This article pulls information from a recent industry report about chocolate products that presents an examination of the specific hazards and fraud pertaining to chocolate and chocolate products along with ways to utilize this information.
Cocoa and chocolate products rely on high quality ingredients and raw materials, strict supplier partnership schemes and conformity to clearly defined quality and safety standards. During the past 10 years there have been a significant number of food safety incidents associated with chocolate products. The presence of Salmonella enterica, Listeria monocytogenes, allergens and foreign materials in cocoa/chocolate products have been reported on a global scale. Today, information on food safety incidents and potential risks is quickly and widely available by way of the internet. However, because the pertinent data is frequently siloed, food safety professionals are unable to take full advantage of it.
Top Emerging Hazards: Chocolate Products (2013-2018)
Publicly available data, from sources such as European Union RASFF, Australian Competition and Consumer Commission, UK Food Standards Agency, FDA, Food Standards Australia New Zealand (FSANZ), shows a significant increase in identified food safety incidents for cocoa/chocolate products from 2013 to 2018. For this same time period, the top emerging hazards that were identified for chocolate products were the following:
Foreign bodies: 13.83%
Food additives & flavorings: 4.26%
Other hazards: 2.66%
By using such information to identify critical food safety protection trends, which we define to include food safety (unintentional adulteration) and food fraud (intentional adulteration, inclusive of authenticity/intentional misrepresentation) we can better construct our food protection systems to focus on the areas that present the greatest threats to public health, brand protection and compliance.
A Data Driven Approach
Monitoring Incoming Raw Materials
Assessment and identification of potential food protection issues, including food safety and fraud, at the stage of incoming raw materials is of vital importance for food manufacturers. Knowledge of the associated risks and vulnerabilities allows for timely actions and appropriate measures that may ultimately prevent an incident from occurring.
Specifically, the efficient utilization of global food safety and fraud information should allow for:
Identification of prevalent, increasing and/or emerging risks and vulnerabilities associated with raw materials
Comparative evaluation of the risk profile for different raw materials’ origins
Critical evaluation and risk-based selection of raw materials’ suppliers
A comprehensive risk assessment must start with the consideration of the identified food safety incidents of the raw material, which include the inherent characteristics of the raw material. Next, the origin-related risks must be taken into account and then the supplier-related risks must be examined. The full risk assessment is driven by the appropriate food safety data, its analysis and application of risk assessment scientific models on top of the data.
Using food safety intelligent digital tools to analyze almost 400 unique, chocolate product related food safety incidents around the globe provides us with important, useful insights about cocoa as a raw material, as a raw material from a specific origin and as a raw material being provided by specific suppliers. The graph below represents the results of the analysis illustrating the trend of incidents reported between 2002 and 2018. It can be observed that after a significant rise between 2009 and 2010, the number of incidents approximately doubled and remained at that level for the rest of the evaluated period (i.e., from 2010 to 2018), compared to the period from 2002 to 2005.
By further analyzing the data stemming from the 400 food safety incidents and breaking them down into more defined hazards, for incoming raw materials, we can clearly see that chemical hazards represent the major hazard category for cocoa.
Organoleptic aspects: 5.93%
Other Hazards: 4.38%
Foreign bodies: 2.06%
Food additives and flavorings: .77%
Food contact materials: .52%
Using the appropriate analytical tools, someone can drill down into the data and identify the specific incidents within the different hazard categories. For example, within the “chemical hazard” category specific hazards such as organophosphates, neonicotinoids, pyrethroids and organochlorines were identified.
Comparative Evaluation of Risk Profiles for Different Origins of Raw Materials
The main regions of origin for cocoa globally are Africa, Asia and South America. After collecting and analyzing all relevant data from recalls and border rejections and the frequency of pertinent incidents, we can accurately identify the top hazards for cocoa by region.
The top five specific hazards for the regions under discussion are listed in Table I.
Poor or insufficient controls
Table I. Top Five Hazards By Region
After the first level of analysis, a further interpretation of the data using the appropriate data intelligence tools can help to reach to very specific information on the nature of the incidents. This provides additional detail that is helpful in understanding how the regional risk profiles compare. For example, the prevalence of chemical contamination, as either industrial contaminants or pesticides, has been a commonly observed pattern for all three of the regions in Table I. However, beyond the general hazard category level, there are also different trends with regard to specific hazards for the three different regions. One such example is the increased presence of mold in cocoa beans coming from Africa.
The primary hazard categories for cocoa, as a raw ingredient were identified and a comparison among the primary hazards for cocoa by region (origin-specific) should take place. The next step in a data-powered supplier assessment workflow would be to incorporate our use of global food safety data in evaluating the suppliers of the raw materials.
The Role of Global Food Safety Data
This article has been focused on chocolate products but has only touched the surface in terms of the information available in the complete report, which also includes specific information about key raw materials. Let’s also be clear, that the techniques and tools used to generate this information are applicable to all food products and ingredients. As we strive to produce food safely in the 21st Century and beyond, we must adapt our methods or be left behind.
The regulatory environment the food industry must operate in has never been more intense. The threats to an organization’s brand have never been greater. This is not going to change. What must change is the way in which food companies confront these challenges.
Global food safety data can contribute to the establishment of an adaptive food safety/QA process that will provide time savings and improve a quality team’s efficiency and performance.
Based on the continuous analysis of food recalls and rejections by key national and international food authorities, a food safety / quality assurance manager could establish an adaptive supplier verification process and risk assessment process by utilizing the knowledge provided by such data. In that way, QA, procurement, food safety and quality departments can be empowered with critical supplier data that will inform the internal procedures for incoming materials and ingredients (e.g., raw materials, packaging materials) and allow for adaptive laboratory testing routines and compliance protocols. Moreover, food safety systems can become adaptive, enabling quality assurance and safety professionals to quickly update points of critical control when needed, and intervene in important stages of the chocolate manufacturing process.
Last week’s seventh annual Food Safety Consortium brought together a variety of industry experts to discuss key topics around regulation, compliance, leadership, testing, foodborne illness, food defense and more. The following are just a few sound bytes from what we heard at the event. (Click on any photo to enlarge)
“The food system today, while it’s still impressive, it still has one Achilles heel—lack of traceability and transparency.” – Frank Yiannas, deputy commissioner for food policy & response, FDA. Read the full article on Yiannas’ keynote session
“A typical food company only has about 5% visibility into known supply chain threats.” – Ron Stakland, senior business development, FoodChain ID, Inc.
“For most of us, our supply chain is a big black hole. Why are we so fearful of technology? Is it the implementation itself? What if technology could help us solve some of those perennial problems? There are resources available to help us get there.” – ¬ Jeremy Schneider, business development director, food safety and quality assurance, Controlant
“The records tell the story of how well the facility is being managed. It’s the first thing the regulators are going to look at.” – Glenn Black, Ph.D., associate director for research, CFSAN, FDA, on validation considerations and regulations for processing technologies in the food industry
“We’ll see more robotics enter the food space.” – Gina Nicholson Kramer, executive director, Savour Food Safety International
“Changes are happening; you can choose to face it or ignore it. We’re at least 10 years behind on technology. Automation/technology is not a new term in aerospace, etc., but to us [the food industry], it is. We will get there.” – Melody Ge, head of compliance, Corvium, Inc., on how industry should prepare for the data-driven transformation occurring in the smarter era of food safety
It’s okay to risk and fail, but how are going to remediate that with your employee? The more learners practice in different scenarios, the less they rely on specific examples. [They] become more adept with dealing with decision making.” – Kathryn Birmingham, Ph.D., VP for research and development, ImEpik, on employee training
“As a contract lab with the vision of testing for foodborne viruses for about 10 years—it wasn’t until about three or four years ago that we had the test kits to turn that into a reality. We also didn’t have a reference method.” – Erin Crowley, chief scientific officer, Q Laboratories, on the viral landscape of testing in the food industry
“You have to be strong and you have to believe in yourself before you get into any situation—especially as a food safety professional.” – Al Baroudi, Ph.D., vice president of quality assurance and food safety at The Cheesecake Factory, on what it takes to earn respect as a food safety professional
“’See something, say something’ is likely not enough. We recommend that companies develop a formal detection program that includes management buy-in, HR and governance, and policy documents, formal training and an awareness program…While FDA focuses on the insider threat, we feel that using a broader mitigation approach works best.” – R. Spencer Lane, senior security advisor, Business Protection Specialists, Inc. on lessons learned from food defense intentional adulteration vulnerability assessments
“Food safety is a profession, a vocation, [and] a way of life.” – Bob Pudlock, president of Gulf Stream Search
Sadly, more and more these days, terrorism has become a prevalent concern. The food sector is not immune to threats either, especially as soft targets and lone wolf attacks become more common.
Food Safety Tech discussed the issue with special agent Scott Mahloch, weapons of mass destruction coordinator for FBI Chicago, during a conversation leading up to this year’s Food Safety Consortium, where Mahloch will be speaking.
Food Safety Tech: In the past year, have there been any changes or new developments in the way in which the FBI conducts outreach to the food industry?
Scott Mahloch presented FBI’s Role in Food Defense on November 29 at the 2017 Food Safety Consortium | Learn moreScott Mahloch: The U.S. food system continues to be a soft target, largely unprotected from the insider threat. Since last year’s Food Safety Consortium we have done targeted outreach to the top dozen food processing facilities in the Chicago area. We worked with our intelligence team, came up with a list of questions and spoke with food safety managers and facility managers regarding the insider threat and educated them on the WMD [FBI’s Weapons of Mass Destruction] program.
FST: Do other divisions of the FBI work in a similar manner as the Chicago division?
Mahloch: It really depends on the office. We have 56 field offices around the nation. In every office we have a WMD coordinator, so it depends on his or her area of responsibility and what that area commands. For example, our office in Springfield [Illinois] is more agriculturally based than we are here in Chicago. Their food outreach would be very similar, but they might be looking at the farms and the agricultural aspect of food production.
FST: Are there any imminent threats to the food sector? Have you seen anything new over the past year?
Mahloch: No, we have not [seen] anything here in the homeland. The bad guys overseas have always expressed interest in attacking food and water, and that remains the same. It’s more the international terrorist groups that have always stressed this in the past. That’s one of the drivers of why we’re so involved in this outreach—we never want that to happen here in the United States. To get in front of the threat, we go out and talk to subject matter experts in this area, the facility managers and food safety managers to get the information out there.
FST: As FBI takes a proactive approach to food defense, what responses have you seen with food companies thus far?
Mahloch: It’s been very positive. People out there believe in our mission and in what we’re doing, and they want to ensure safety and security in their facilities. Communication has been great; they’ve welcomed us into their facility, taken us on facility tours, shown us production lines and answered our questions. It’s been a great relationship.
FST: Does the FBI concern itself with global food supply chain security in terms of how it affects the United States?
Mahloch: Yes, absolutely. What I do is more on a local level here in Chicago, and the same goes for my fellow coordinators in the field offices. We focus on our area of responsibility. The WMD director has a unit that deals with food and water safety. We also have an overseas lead attaché program that works—those folks are also involved in WMD.
FST: What can attendees look forward to hearing about during your presentation at this year’s Food Safety Consortium?
Mahloch: A lot of it will be education and just getting the word out there that the FBI has a role in food safety, food protection and water safety. A lot of people don’t realize the FBI is involved in this. Usually when you think food protection, you think the USDA, FDA, Homeland Security and other agencies that have programs. So a lot of it will be education and telling [attendees] what we do, what we’re about, and where they can turn in a time of need for additional resources. That’s probably the biggest takeaway from the FBI.
[In addition], on outreach and how the FBI is perceived, what we’ve noticed is that we’ve gone into facilities and their defenses are up a bit because they think the FBI is going to regulate, take a look at their processes and inspect. That’s really not what we’re about. We’re not a regulator—we don’t go in and try to change internal processes or rip apart what they’re doing. What we do is strictly education. There are other regulatory bodies that mandate how things are supposed to be shipped, stored and processed. That’s not the FBI. Sometimes there’s that misconception when we go in and want to do some outreach—that FBI is there to regulate. That’s not the truth. We’re a resource and we’re trying to open those doors of communication.
And as far as the threat in the homeland, right now there is none and we continue to try to stay ahead of the threat through education and being a resource.
Vulnerability assessments are a key provision of the FSMA final rule, Mitigation Strategies to Protect Food Against Intentional Adulteration. With this requirement comes the “identification of vulnerabilities and actionable process steps” that must be taken to mitigate potential threats. During the IAFP annual meeting Lance Reeve, senior risk management consultant for food safety and defense at Nationwide Agribusiness Insurance Co., reviewed the important and sometimes-overlooked areas that companies should be looking at when conducting vulnerability assessments.
Inside the Plant
To start, vulnerability assessments should be conducted at different times of the day, and the process should involve a team approach, said Reeve. Food defense cannot effectively be managed by a single person within a facility: It needs to involve all departments, from human resources to IT to production to warehousing, and extend to outside suppliers and vendors. How is the flow of employees and visitors around the facility managed? Do staff members wear color-coded badges? Some companies have a color-coding plan to prevent contamination, but it is also a useful tool to ensure that unauthorized employees, outside contractors and visitors aren’t in restricted areas. For example, the maintenance shop may contain deadly food contaminants—do you really want general employees to be able to get into this area? Consider using electronic technology such as biometric access control to limit access based on employee/security credentials.
Working with the human resources department is a critical part of protecting a facility. Does your company have the capability to conduct thorough background checks on all employees? In addition, with all the different types of contractors and vendors who enter your facility it’s important to find out whether your contracting companies are doing the same level of background checks as your organization when they hire employees. And finally, examine how the culture within the organization. Do employees challenge the presence of visitors who shouldn’t be on the premises?
Outside the Facility
In many cases, companies will look at the inside of their facility for potential hazards and vulnerabilities, but what about the perimeter? How are you controlling the people who are coming onto company property? While this may seem obvious, Reeve recommended physical objects to establish authority: Fences (establish physical border), signs (establish where control begins), and CCTV cameras (establishes security). And when looking at the outside of the building itself, how secure is the roof? What access does a potential attacker have into the facility via the roof? How often are security checks conducted here (if at all)?
Throughout any given day, a company can receive several cargo shipments from a variety of different suppliers. Are you familiar with the food safety programs of your suppliers? They play a critical role in food defense strategies. And when your company receives shipments, Reeve advised that companies go beyond looking at the seals on trucks and examine the transportation system itself. Is cargo removed in a secure area? Is an authorized employee supervising the process or is it left in the hands of the third-party driver?
And finally, a critical part of your mitigation strategy should be to challenge the system. Once you think you may have found all the vulnerabilities, conduct penetration testing.
Food businesses face a range of risks, from lack of consumer confidence to supply chain security. As FSMA regulations and issues such as climate change rise to the top of the list of priorities of global governments and regulators, food companies need to secure the reins on their businesses to ensure they can face these seven emerging risks in 2016 and beyond.
Strictly Necessary Cookies
Strictly Necessary Cookies should be enabled at all times so that we can save your preferences for these cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you visit and/or use the FST Training Calendar, cookies are used to store your search terms, and keep track of which records you have seen already. Without these cookies, the Training Calendar would not work.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
A browser cookie is a small piece of data that is stored on your device to help websites and mobile apps remember things about you. Other technologies, including Web storage and identifiers associated with your device, may be used for similar purposes. In this policy, we say “cookies” to discuss all of these technologies.
Data generated from cookies and other behavioral tracking technology is not made available to any outside parties, and is only used in the aggregate to make editorial decisions for the websites. Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent by visiting this Cookies Policy page. If your cookies are disabled in the browser, neither the tracking cookie nor the preference cookie is set, and you are in effect opted-out.
In other cases, our advertisers request to use third-party tracking to verify our ad delivery, or to remarket their products and/or services to you on other websites. You may opt-out of these tracking pixels by adjusting the Do Not Track settings in your browser, or by visiting the Network Advertising Initiative Opt Out page.
You have control over whether, how, and when cookies and other tracking technologies are installed on your devices. Although each browser is different, most browsers enable their users to access and edit their cookie preferences in their browser settings. The rejection or disabling of some cookies may impact certain features of the site or to cause some of the website’s services not to function properly.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Policy. If you prefer to prevent third parties from setting and accessing cookies on your computer, you may set your browser to block all cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance program by opting out here.