Tag Archives: vulnerability

Cybersecurity

As Cyber Threats Evolve, Can Food Companies Keep Up?

By Maria Fontanazza

The recent cyberattack that shut down meat supplier JBS should be a wake-up call to the food industry. These attacks are on the rise across industries, and food operations both large and small need to be prepared. In a Q&A with Food Safety Tech, Brent Johnson, partner at Holland & Hart, breaks down key areas of vulnerability and how companies in the food industry can take proactive steps to protect their operations and, ultimately, the consumer.

Food Safety Tech: Given the recent cyberattack on JBS, how vulnerable are U.S. food companies, in general, to this type of attack? How prepared are companies right now?

Brent Johnson, partner, Holland & Hart

Brent Johnson: Food companies are in the same boat as other manufacturers. Cyber threats are constantly evolving and hackers are developing increasingly sophisticated delivery systems for ransomware. Food companies are obviously focused on making and delivering safe and compliant products and getting paid for them. Cybersecurity is important, but it’s difficult for manufacturers to devote the resources necessary to make their systems bulletproof when it’s an ancillary part of their overall operations and a cost driver. Unfortunately, hackers only have one job.

We tend to think of big tech and financial services companies as the prime targets for ransomware attacks because of the critical nature of their technology and data, but food companies are really no different. Plus, unlike tech companies and the financial services industry, food companies haven’t, as a general matter, developed the robust defenses necessary to thwart attacks, so they’re easier targets.

Food Safety Tech: What is the overall impact of a cyberattack on a food company, from both a business as well as a consumer safety perspective?

Johnson: It may come as a bit of a surprise to those who don’t work in the food industry, but food production (from slaughterhouses to finished products) is highly automated and data driven. That’s one of the lessons of the JBS ransomware attack. The attack shut down meat processing facilities across the United States and elsewhere. I work in Utah and the JBS Beef Plant in Hyrum was temporarily shut down. JBS cancelled two shifts at its meatpacking operation in Greeley, Colorado where my firm has a large presence as well, because of the ransomware attack. So, the impact on a food company’s business from a successful ransomware attack is dramatic.

On the consumer safety side, a ransomware attack that impacts automated safety systems would cause significant problems for a food manufacturer. Software controls much of the food industry’s safety systems—from sanitation (equipment washdowns and predictive maintenance) to traceability (possible pathogen contamination and recalls) to ingredient monitoring (including allergen detection). Every part of a food company’s production system is traced, tracked, and verified electronically. A ransomware attack on a food maker would very likely compromise the company’s ability to produce safe products.

Food Safety Tech: What proactive steps should food companies be taking to protect themselves against a cyberattack?

Johnson: I wish there was an easy and foolproof system for food companies to implement to protect against cyber attacks, but there isn’t. The threats are always changing. The Biden Administration’s recent memorandum to corporate executives and business leaders on strengthening cyber defenses is a good starting point, however. The White House’s Deputy National Security Adviser for Cyber and Emerging Tech, Anne Neuberger, reiterated the following “Five Best Practices” from President Biden’s executive order. These practices are multifactor authentication, endpoint detection and response, aggressive monitoring for malicious activities on the company’s networks and blocking them, data encryption, and the creation of a skilled cyber security team with the ability to train employees, detect threats and patch system vulnerabilities.

Food Safety Tech: Are there specific companies within the food industry that are especially susceptible?

Johnson: Not really. Hackers are opportunistic and look for the paths of least resistance. That said, as can be seen from the recent Colonial Pipeline and JBS ransomware attacks, hackers have transitioned from the early days of going after individuals and small businesses to whale hunting. The money is better.

It’s important to observe that the recent attacks have been directed at industries that present national infrastructure concerns (oil, the food supply). There’s no evidence of any involvement by a foreign government in these attacks, but it’s a fair question as to whether the hackers, themselves, expect that the federal government will step in at some point to assist the victims of cyber attacks financially due to their critical importance.

Food Safety Tech: Where do you see the issue of cybersecurity and cyberattacks related to the food industry headed in the future?

Johnson: Other than the certainty that the attacks will increase in both intensity and sophistication, I have no prediction. It’s not a time for complacency.

Lessons Learned from Intentional Adulteration Vulnerability Assessments (Part I)

By Frank Pisciotta, Spence Lane

Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series is intended to assist facilities that have not yet conducted vulnerability assessments or wish to review those already conducted, by leveraging lessons learned from assessments conducted for the largest and most complex global food and beverage facilities.

Lesson 1: VA outcomes are greatly enhanced if a physical security professional is consulted. In support of this contention, there are several physical security mitigation strategies, which can be employed to support a food defense program, that are frequently under-utilized and are not optimally managed by non-security staff. Also, the FDA seems to promote the use of cameras even though this equipment is unlikely to prevent an incident of intentional adulteration. For organizations that choose to use video surveillance, a competent security professional can help organizations engineer and operate video surveillance for maximum benefits and to meet challenging record-keeping requirements when this mitigation strategy is included in a food defense plan.

Lesson 2: Given the focus by the FDA on the insider, a formal insider threat detection program is highly recommended. Trying to promote the common, “See Something, Say Something” strategy may not be enough. For example, if employees are not clearly told what to look for in terms of uniform requirements, how to identify persons who do not belong or changes to a coworker’s baseline behavior, which may indicate moving toward a path to violence or sabotage, then “See Something, Say Something” may end up being no more than a catchy slogan.

A key element of an insider threat detection program is the completion of effective background checks for all persons who will be allowed in the facility unescorted. This includes temporary employees and contractors. A common theme in many of the recent, serious intentional adulteration incidents was that the person responsible was involved in some sort of grievance observable to coworkers and supervisors. In all insider threat detection programs, the grievance becomes an important trip wire. The Carnegie Mellon University Software Engineering Institute has published a document titled, “Common Sense Guide to Mitigating Insider Threats, Sixth Edition”. In this document is some particularly helpful guidance that can be used to stand up an insider threat detection program, but this is an effort that can take some time to fully implement.

Lesson 3: The FDA has made it abundantly clear that they believe the focus for the food and beverage industry should be the radicalized insider. A closer look at all the recently publicized contamination events suggests that there are other profiles that need to be considered. A good foundational model for building profiles of potential offenders can be found in the OSHA definitions for workplace violence offenders, which have been expanded to address ideologically based attacks. Table I applies those descriptions to the food and beverage industry, with an asterisk placed by those offender profiles that exist in recent incidents and are discussed later in the text.

| Class | OSHA Workplace Violence Offender Description | Motivation Translated to the Food and Beverage Industry |
|---|---|---|
| 1 | The offender has no legitimate relationship to the business or its employee(s). Rather, the violence is incidental to another crime, such as robbery, shoplifting, trespassing or seeking social media fame. | Behavioral Health Patient *; Social Media Fame Seeker *; Copycat *; Extortion *; Economic motivation * |
| 2 | The violent person has a legitimate relationship with the business—for example, the person is a customer, client, patient, student, or inmate—and becomes violent while being served by the business, violence falls into this category. | My load isn’t ready, you are costing me money |
| 3 | The offender of this type of violence could be a current employee or past employee of the organization who attacks or threatens other employee(s) in the workplace. | I am upset with a coworker and adulterate to create problems for that person *; I am upset with the company and adulterate as retribution and to harm the brand *; Youthful stupidity; I am not paid enough * |
| 4 | The offender may or may not have a relationship with the business but has a personal (or perceived personal) relationship with the victim. | I am upset with an intimate partner/ coworker and adulterate to create problems for that person |
| 5 | Ideological workplace violence is directed at an organization, its people, and/or property for ideological, religious or political reasons. The violence is perpetrated by extremists and value-driven groups justified by their beliefs. | Radicalized Insider |

Table I. A description of OSHA workplace violence offenders and how it can be applied to the F&B industry.

A supermarket in Michigan recalled 1,700 lbs. of ground beef after 111 people fell ill with nicotine poisoning. The offender, an employee, mixed insecticide into the meat to get his supervisor in trouble. In Australia, the entire strawberry industry was brought to its knees after a disgruntled supervisor “spiked” strawberries with needles. There were more than 230 copycat incidents impacting many companies. A contract employee in Japan, apparently disgruntled over his low pay, sprayed pesticide on a frozen food processing line resulting in illnesses to more than 2,000 people. A contract worker upset with a union dispute with the company at a food manufacturing plant videoed himself urinating on the production line, then uploaded the video to the Internet. Be cognizant of any grievances in the workplace and increase monitoring or take other proactive steps to reduce the risk of intentional adulteration.

Lesson 4: The IA Rule requires that every point, step and procedure be analyzed to determine if it is an actionable process step (APS). The Hazard Analysis Critical Control Point flow charts are a good starting point to comply with this element of the law but cannot be counted on completely to achieve the standard of analyzing every point, step or procedure. Critical thinking and persons familiar with the production process need to be involved to ensure that no steps are missed. Oftentimes companies modify the HACCP flow diagrams after a VA.

Lesson 5: The FDA states in the second installment of guidance to the industry that, “There are many possible approaches to conducting a VA. You may choose an approach based on considerations such as the time and resources available and the level of specificity desired. You have the flexibility to choose any VA approach, as long as your VA contains each required component (21 CFR 121.130).”

The FDA further states that the Key Activity Type, or KAT method, is an appropriate method for conducting a VA because it reflects consideration of the three required elements and the inside attacker. Using this methodology alone, however, can result in substantially more APS’s, which might otherwise be ruled out for practical purposes such as a lack of accessibility or a lack of feasibility to contaminate the product at a point, step or procedure. We have experienced up to a 90% decline in APS’s by utilizing another FDA recommended assessment approach, the hybrid approach, which first assesses whether each point, step or procedure is a KAT. Then, to qualify as an APS, it must also trigger positively for public health impact, accessibility and feasibility to contaminate the product.

Organizations who have yet to execute vulnerability assessments (due July 26, 2020) or who may wish to reflect back on their existing VA’s in an effort to eliminate unnecessary APS’s should find these strategies helpful to focus limited resources to the areas where they can have the greatest effect. The next two articles in this series will cover more information on electronic access, the value of site tours, comparisons to drinking water security strategies, dealing with multi-site assessments and more. Read Part II of this series on intentional adulteration.

Food Safety Tech

Call for Abstracts: Be a Part of the 2019 Food Safety Supply Chain Conference

By Food Safety Tech Staff

The supply chain is a potentially weak and vulnerable part of a company’s food safety plan. The annual Food Safety Supply Chain Conference is months away and we are accepting abstracts for presentations. The conference takes place May 29–30, 2019 in Rockville, MD.

If you have expertise in the following areas, we invite you to submit an abstract to present at the conference:

  • Food Safety Supply Chain Vulnerabilities & Solutions
  • Audits & Inspections
  • How to Write Supplier Specifications
  • Blockchain Technology
  • FSMA’s Sanitary Transportation Compliance Tools & Techniques
  • Supply Chain Traceability
  • FSMA’s FSVP Compliance Tools & Best Practices
  • Data, Predictive Analysis
  • Recalls: barcode labeling, case histories and lessons learned
  • Testing Strategies of the Supply Chain
  • Supplier Verification Best Practices
  • Supply Chain Risk Management
  • Food Safety Transportation, Distribution and Logistics
  • Food Authenticity
  • Food Safety/Quality Culture measurement in supplier management
  • Supplier Management Case Histories

Each abstract will be judged based on educational merit. The submission deadline is February 8, 2019.

Elise Forward, Forward Food Solutions
FST Soapbox

Take Food Defense Concepts Beyond Your Four Walls

By Elise Forward

The new food defense regulations have caused quite a stir in the food industry and have left many scratching their heads. Many companies are worried about how to implement these programs. The regulations have created a format and structure that many companies can adapt within their existing food defense programs to comply with the new law. Still, one of the biggest challenges of food defense is merely the idea of developing the food defense plan and coming into compliance with the FDA’s new Food Defense rule. The FDA received many comments from industry in response to the draft guidance. Many of these comments asked the agency for additional time to come into compliance, and the FDA responded by delaying the compliance dates well beyond what was proposed in the draft rules.

According to the regulations, companies are required to implement a food defense plan that focuses on the vulnerabilities in their facility. If you follow the FDA’s template, a food defense plan will look very similar to the traditional HACCP plan. The term VACCP (Vulnerability Analysis Critical Control Points) is being tossed around as of late. The FDA wants companies to make sure that they consider an internal attacker, one that has inside access to the buildings, processes and products that are being produced. For many companies, this is stretching them beyond their current paradigms and may force some to implement new procedures. In reality, this paradigm shift is not insurmountable when the items to be controlled are within the four walls of their facility. Even subcontractors, such as pest control providers, maintenance subcontractors, auditors, etc., can be included in these programs. However, is this enough to ensure the safety of the product you are selling, the one you are putting your name on, and the one you are personally standing behind?

The goal of current risk-based thinking is to find the weakest link in the process, evaluate the risk and likelihood of a threat to food safety, and respond appropriately to control the risk. Unlike the Preventive Controls rule and the FSVP rule, the Food Defense rule focuses on the processes occurring in a facility and does not take into account the processes involved in the supply chain. CargoNet Command Center found that there were 1500 security breaches in the transportation industry in the United States and Canada in 2015. The data was categorized by types of product, and the highest percentage of any group of products was food and beverage products, which comprised 28% of the cargo thefts. On average, that is greater than one food or beverage cargo theft per day. CargoNet Command Center provides a nice map on their website showing the location of these instances and I encourage you to review this map. If your product passes along the hot spots of cargo theft, as well as having risk factors such as being valuable or in limited supply, it would be very beneficial to put systems and programs in place to address these additional risks to your product.

In another study presented at the Food Defense conference, there was a statistically significant link between breaches in IT systems and a follow-up cargo theft. Few quality and food safety professionals, much less executives, fully understand the interdependence of all business units on food safety. Many companies have problems with siloed departments, and unfortunately, this increases the vulnerabilities to attacks on the food we are trying to protect. This is a great example of how food safety is everyone’s job, and having this mentality is key to the success of food safety programs.

Of course, the requirements of the Food Defense rule must be addressed, but I challenge the industry to look beyond the walls of our facilities and instead take a whole business approach and apply the principles of food defense to all inputs of the process that impact the finished product. As food safety professionals, we need to work with our suppliers and our customers to ensure that the whole supply chain is protected from an attack.


Food Fraud

PwC Partnership Fights Food Fraudsters

By Food Safety Tech Staff

Each year, food fraud costs the industry $30–$40 million worldwide, according to Michigan State University. In an effort to help food companies combat vulnerabilities in their supply chain, PricewaterhouseCoopers (PwC) and non-profit organization SSAFE have created a free tool to help detect food fraud. Developed in partnership with Wageningen University (The Netherlands), VU University Amsterdam and other industry experts, the tool consists of 50 questions and is available via a downloadable app or Excel spreadsheet. Upon completion, the tool provides a profile of the company’s potential for food fraud vulnerability in the form of a report that can be added to food safety documentation. According to PwC, the assessment is confidential, and while the profile doesn’t offer any mitigation techniques, it provides links on where and how a company can find solutions to the issues mentioned.

“Beyond the economic cost, food fraud can harm public health and damage consumer trust,” said Craig Armitage, PwC’s Global Leader of Food Supply and Integrity Services in a press release. “Food frauds, such as horse meat being passed off as minced beef or the addition of melamine in dairy, have increased the urgency with which the food industry is taking action.”

Companies can begin using the Excel spreadsheet, which is available on PwC’s website. The app will be available in February.

Food Defense Culture is Coming

By Maria Fontanazza

FSMA’s proposed rule on intentional adulteration isn’t the only reason companies should be paying attention to food defense.

Establishing metrics in food defense, similar to the growing awareness around the importance of measuring behaviors in a food safety culture, was a topic recently brought up at FDA’s FSMA public meeting in the spring. The agency acknowledged that it will need to clearly define both what exactly intentional adulteration is and how it can be measured.

While food safety involves assessing and mitigating hazards, food defense is all about the threat and protection against intentional contamination. “The threat of fraud is a growing problem as supply chains get more complex, resources grow scarcer and the cost of food increases. All this provides more opportunity and potential reward for food adulterers,” stated a recent PwC report on food trust.

The FSMA final rule Focused Mitigation Strategies to Protect Food Against Intentional Adulteration is scheduled to be published in spring 2016, and companies need to be revisiting and revamping their food defense plans to prepare.

Prevention is the key word and on the most fundamental level of a food defense plan, businesses need to have management commitment before building, or even revisiting, a food defense plan—do they understand the resources, time and cost involved?

Conducting a vulnerability assessment is the first step in finding the gaps and examining whether a facility is secure. Beyond the standard questions that companies may ask when embarking on this assessment, businesses should identify potential attackers, asking how an attacker could have access to a product or process and what would be the outcome of an attack. Then look at the protective measures that are already in place—would these act as a deterrent? And if deterred, would the attacker proceed to the next target or would he or she stop? What measures are in place to find the attacker before there is an effect on the product?

When developing a food defense plan, there are several areas of potential vulnerability:

  • Shipping and receiving and packaging
  • Laboratories and testing sites
  • Recall and traceability programs and processes
  • Water used in processing/manufacturing—what is its origin?
  • Employees—what are the health risks? Is there a process for employee health reporting? Is there a process for reporting disgruntled employees?
  • Security personnel

With food fraud on the rise, it’s important for companies to continue to revisit and update their food defense plans, considering changes to facility designs or strategies, packaging changes, security improvements, etc. Companies should also be proactive in monitoring their employees both from a satisfaction (reducing the incidence of a disgruntled employee) and awareness perspective. FDA has initiatives to help companies build a food defense culture and employee awareness, including the ALERT training course for owners and operators of food facilities and Employees FIRST, and the National Center for Food Protection and Defense has programs aimed at workforce training as well as undergraduate and graduate curriculum on food defense.