Tag Archives: vulnerabilities

Lessons Learned from Intentional Adulteration Vulnerability Assessments (Part III)

By Frank Pisciotta, Spence Lane

Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series addressed the importance of a physical security expert, insider threat detection programs, actionable process steps (APS) and varying approaches to a VA. Part II reviewed access, subject matter experts, mitigation strategies and community drinking water. This final article reviews broad mitigation strategies, feasibility assessments, food defense plans, partial ingredient security and the “Three Element” approach through more lessons learned from assessments conducted for the largest and most complex global food and beverage facilities, but which can also be applied to the smaller facilities that are currently in the process of readying for the next deadline of July 26.

Lesson 14: When the final rule was released, the concept of using broad mitigation strategies was eliminated. That notwithstanding, and realizing that many companies seek to operate at a stricter standard for food defense with a clear focus on brand protection, rather than focusing only on those process steps that potentially could result in a “wide scale public health impact,” broad or facility-wide mitigation strategies should not be abandoned, but are less likely to get you a lot of credit for IA compliance. Existing food safety prerequisite programs (PRPs), programs and practices that are put in place to maintain a sanitary environment and minimize the risk of introducing a food safety hazard, can, in some cases, also be included as security mitigation. PRPs with slight modifications can also contribute to a good “food defense” posture. For example, one PRP addresses hazardous chemicals and toxic substances. In some cases, non-food grade substances that could result in product contamination (not necessarily wide-scale public health impact) might be available to a disgruntled insider. It is obvious companies are concerned about contaminants being brought into the plants, but please do not overlook contaminants that are already there, and ensure that they are properly secured when not in use.

Other facility-wide programs (broad mitigation) that contribute to effective food defense might include site perimeter or building security, visitor and contractor management, pre-employment background checks, employee security awareness and food defense training and sanitation chemical management.

Lesson 15: If you are using the three elements approach (Guidance Chapter 2 Section G) or the hybrid approach (Guidance Chapter 2 Section H), you will be required to make an assessment on feasibility. In the early VAs conducted prior to the second installment of the guidance in March of 2019, feasibility was essentially an all-or-nothing proposition. One could argue that a judgment call was required as to whether an intentional adulteration incident could be accomplished given the inherent conditions. Those conditions might include a lot of coworkers who might be able to observe and serve as witnesses to deter the act. With the release of the second installment of the guidance from the FDA, a new tool was made available that allows food and beverage companies to run a calculation and make a more accurate prediction of how much of an unnamed “representative contaminant,” which is assumed to be highly lethal and heat stable, it might take to contaminate a product batch. Typically, the larger the batch size, the higher the quantity of the “representative contaminant” required to achieve a lethal dose (LD) in a serving size. So, to provide an additional level of validation with identified actionable process steps, the use of the LD calculation might be considered to provide more realistic insight into the feasibility element. For instance, if it would require one hundred pounds of the “representative contaminant,” you might feel justified in concluding that it is not realistic to get that amount of contaminant into the batch at the process step and rule out the point, step or procedure as an APS. This can save money and ensure limited food defense resources can be channeled to the areas where legitimate risk can be reduced.

Lesson 16: After an APS is identified, sites will need to determine, as the rule states, whether the existing “mitigation strategies can be applied…to significantly minimize or prevent the significant vulnerability.” Simply stated, what is in place today for food safety, and the broad-based security measures in use, may or may not be enough when you consider an insider motivated to contaminate the product. The FDA’s mitigation strategies database may offer some insights into additional food defense measures to consider. Where additional mitigation strategies are identified, from the time of completion of the VA until a site’s regulatory compliance deadline arrives (next one is July 26, 2020), that change must be incorporated into the food defense plan and fully implemented. We recommend that a site make a list of new mitigation strategies after the VA is complete for tracking purposes during the implementation phase. No mitigation strategies should be included in the food defense plan that are not fully implemented and where records cannot be adequately produced.

Lesson 17: In the second installment of the guidance, the concept of partial ingredients was introduced. The key activity type (KAT) of secondary ingredients is now considered to include the storage of partially used, open containers of secondary ingredients where the tamper-evident packaging has been breached. Tamper-evident tape looked to have promising benefits, but several of our clients have abandoned this mitigation strategy, which has repeatedly been defeated without detection. It appears that using containers that can be secured with numbered seals might be a better option, and even better if the seals are metal detectable in the event one goes astray in a product stream.

Lesson 18: Food defense plan unification. Facilities regulated under the IA rule are likely to already have a food defense plan for other initiatives such as SQF or BRC. The IA Rule is not unlike other counter-terrorism regulations in its potential to create challenges in meeting voluntary and regulatory requirements without having multiple food defense plans. The IA Rule, based on its modeling after HACCP, creates some very specific requirements in terms of how data needs to be presented and records maintained. Sites may be doing other things to support food defense, and one strategy that might keep auditors in their lane would be to include any non-IA Rule food defense content (e.g., for SQF or BRC) in an appendix to the IA Rule Food Defense Plan.

Lesson 19: Under the VA method the FDA refers to as the “Three Element” approach, the guidance released in March 2019 suggests that regulated facilities might consider creating stratified categories for each element: public health impact, degree of physical access and ability of the attacker to successfully contaminate product. This is asking regulated facilities to engineer their own vulnerability assessment methodology. It is our opinion that this is asking a lot from a food and beverage facility and that creating categories for each element (e.g., refer to Table 3 on page 54) will extend the time it takes to complete a vulnerability assessment, create a lot more uncertainty in the process and not necessarily help companies to identify the areas where intentional adulteration risk is highest.

Conclusion

Organizations who have yet to execute vulnerability assessments (due July 26) or those who have already completed vulnerability assessments who may wish to reflect back on their existing VAs in an effort to eliminate unnecessary APS’s should find these strategies helpful in focusing limited resources to the areas where they can have the greatest effect. Since the initiation of this article series, the FDA has released its third installment of the guidance. Once we reflect on this new installment, we will address our thoughts in a future article.

FDA

FDA Updates Food Defense Plan Builder to Support Compliance with Intentional Adulteration FSMA Rule

By Food Safety Tech Staff

Today FDA released an updated version of its Food Defense Plan Builder in an effort to help companies comply with the Intentional Adulteration FSMA rule. Version 2.0 of the tool includes the following sections to help food facility owners and operators in developing a facility-specific food defense plan:

  • Facility Information
  • Process/Product Description
  • Vulnerability Assessment
  • Mitigation Strategies
  • Food Defense Monitoring Procedures
  • Food Defense Corrective Action Procedures
  • Food Defense Verification Procedures
  • Supporting Documents
  • Signature

The tool is for use on a computer, and FDA states that it does not have access to any content or documents used with the tool, nor does it track or monitor how the tool is being used. The agency also emphasizes that use of this tool is not required by law and its use does not mean that a company’s food defense plan is FDA approved or compliant with the IA rule requirements.

The original version of this tool was released in 2013. FDA will be conducting a demonstration of the Food Defense Plan Builder v. 2.0 during a webinar on October 10.

Data protection, security

Threat of Cyberattacks to Food Safety on the Rise

By Food Safety Tech Staff

A new report released by the University of Minnesota’s Food Protection and Defense Institute warns that the food industry is vulnerable to cyberattacks, suggesting that food companies need to beef up their security and IT systems. According to the report, “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing”, the systems that food companies use for processing and manufacturing could be the most vulnerable and as such, serve as an attractive target for an attack—especially as industries that are currently common targets improve their cybersecurity.

“The food industry has not been a target of costly cyberattacks like financial, energy, and health care companies have,” said Stephen Streng, lead author of the FPDI report, in a news release. “However, as companies in those sectors learn to harden their defenses, the attackers will begin looking for easier victims. This report can help food companies learn about what could be coming their way and how to begin protecting themselves.”

The report calls out that in 2011, researchers and manufacturers found more than 200 vulnerabilities in industrial control systems. In addition to the fact that these vulnerabilities are in many components from different vendors, many of these systems have obsolete operating systems and passwords that are easy to hack. Compounding this issue, “Companies often lack knowledge about how their industrial control systems and IT systems interact and lack awareness about cyber risks and threats,” the FPDI release notes.

And if you’re a small company, don’t think you’re immune, the report cautions. It cites that 74% of U.S. food manufacturers have fewer than 20 employees—yet software company Symantec Corp. points out that small companies have been targeted as often as, or sometimes even more than, large companies.

How can food companies address this risk? The report recommends the following “critical” steps all companies should take:

  • Bridge the gap and facilitate more communication between OT (operational technology) and IT (information technology) personnel
  • Conduct risk assessments of inventory control systems and IT systems
  • Ensure that staff with cybersecurity knowledge are involved in procuring and deploying inventory control system devices
  • Incorporate cybersecurity into your food safety and food defense culture

FPDI’s full report is available on the organization’s website.

Karen Everstine, Decernis
Food Fraud Quick Bites

It’s All About the Supply Chain

By Karen Everstine, Ph.D.

I recently attended two webinars that highlighted distinct perspectives on two challenging aspects of food fraud prevention. First, Chris Elliott from Queen’s University Belfast discussed the current situation with meat fraud. He cited his “top three” fraud-prone foods as meat, olive oil and honey. While we cannot determine the true scope of food fraud globally, looking at the data we have collected from the past 10 years, meat is also in our “top three.”

Top 10 Commodity Groups. Source: Decernis Food Fraud Database

Meat is prone to fraud in many ways, including misrepresenting the animal species, fraudulent labeling of production practices (organic, kosher, halal, etc.), the use of unapproved additives, the addition of non-meat-based protein ingredients, and misrepresentation of geographic origin (among others).

Elliott discussed some of the reasons that meat is prone to fraud, which included the fact that the industry is highly competitive, relies on low profit margins, and the supply network can be complex. Discussing specifically the horsemeat scandal in Europe a few years ago, he cited the “mess of subcontracts” involved in the adulterated meat, which were based primarily on price. He finished his presentation by noting that certain aspects of meat authentication are still challenging from an analytical perspective, such as ensuring country of origin and verifying the claims about animal feed consumption.

The final in a series of food fraud webinars sponsored by the IAFP Food Fraud Professional Development Group (PDG) focused on another aspect of food fraud: E-commerce. One of the big challenges with food fraud is the intentional nature of the crime, which can make anticipation of adulterants and fraud methods difficult.

GFSI has stated “any plans and activities to mitigate, prevent or even understand the risks associated with food fraud should consider an entire company’s activities, including some that may not be within the traditional food safety or even HACCP scope, applying methods closer to criminal investigation.” This is particularly true for fraud involving intellectual property (IP) infringement, which adds another layer of complexity to detection and prevention strategies. We have more than 200 records documenting fraud involving “counterfeit” products. Counterfeit products are a problem both because of the IP infringement and because, often, the actual contents of the product cannot be verified. Many of the records we have documented involve counterfeit vodka, whiskey, and wine, as well as non-alcoholic soft drinks.

As part of the IAFP webinar, Axel Hein from ApiraSol discussed their work using global customs data to detect counterfeit products, so-called “fantasy trademarks,” and geographical indication infringements.

Slide used with permission from ApiraSol

Many countries provide public access to customs data which, when aggregated and combined with other sources (such as Alibaba transactions), allows mapping of supply chains and detection of unusual patterns that may indicate fraud. In school, I spent many months digging through U.S. customs data trying to uncover patterns that might indicate fraud, so I was very interested to see this being done on a larger scale.

Although each webinar was distinct in its focus, each highlighted the importance of supply chain control and monitoring in mitigating food fraud risk. To paraphrase a point made by Elliott, each arrow in a supply network is a potential vulnerability. The continued globalization of the food supply requires new and innovative ways to reduce these supply chain vulnerabilities.

FDA

FDA Says Routine Intentional Adulteration Inspections Will Start March 2020

By Food Safety Tech Staff

This week FDA made an announcement during a public meeting that the agency’s routine inspections to verify compliance with the FSMA Intentional Adulteration rule will start next March.

The first compliance date for the rule is this July. It is a requirement for food facilities covered under this rule to develop and implement a food defense plan that identifies vulnerabilities and the consequent mitigation plan.

FDA stated that it has received feedback on the “novel nature” of the rule’s requirements and that stakeholders want more time to develop their food defense plans. “To allow industry time with the forthcoming materials, tools, and trainings, and because the IA rule represents new regulatory territory for all of us, we will be starting routine IA rule inspections in March 2020,” FDA stated and added that it is working on developing more resources as well as the final part of draft guidance to continue to assist industry.

Bill Bremer is Principal, Food Safety Compliance at Kestrel Management LLC
FST Soapbox

FSMA Checklist: Intentional Adulteration Rule

By Bill Bremer

The FSMA Intentional Adulteration rule is focused on preventing intentional adulteration from acts intended to cause wide-scale food safety impacts to public health, including acts of terrorism, economic adulteration and disgruntled employees. Such acts, while unlikely, could cause illness, death and economic disruption of the food supply absent mitigation strategies. This rule requires mitigation strategies to reduce risk versus specific food hazards.

The Intentional Adulteration rule is established to address large companies with products that reach many people, while exempting smaller companies. This rule requires covered facilities to conduct a “vulnerability assessment” to identify vulnerabilities and actions to take for each type of food manufactured, processed, packed or held at the food facility. For each point, step, or procedure in the facility’s process, these vulnerabilities must be identified and evaluated. Covered facilities must also prepare and implement a Food Defense Plan. This written plan must identify the vulnerabilities and actionable process steps; mitigation strategies; and procedures for food defense monitoring, corrective actions and verification. A reanalysis is required every three years or when certain criteria are met, including mitigation strategies that are determined to be improperly implemented.

Self-Diagnostic Assessment Tool

The following self-diagnostic assessment tool can help organizations better determine their current state of planning when it comes to implementing and managing FSMA Intentional Adulteration requirements. To complete your own assessment, review and compare your programs to the questions in Table I.

Table I. Kestrel Management’s self-diagnostic tool can help a company assess its Intentional Adulteration program for FSMA compliance.

Get Compliance-Ready

Companies must have the appropriate systems in place to comply with FSMA Intentional Adulteration requirements or face possible willful non-conformance, which can include fines and criminal penalties under FDA enforcement. The questions in Table I will help companies identify areas to consider regarding their program. Kestrel can also help answer questions, provide input on solutions, discuss how to better manage all your food safety requirements, and change “No” responses into “Yes” responses that promote best practices for FSMA and food safety compliance.