The potential for malicious behavior in food manufacturing is an ongoing issue, but security concerns also extend to workers and the controls that run today’s plants.
Lock boxes and access control to shipping and receiving areas are fundamental elements of a food-defense plan, along with driver sign-in and access, and refusal to accept unscheduled deliveries.
Security and safety were two sides of the same food-defense coin when the US Congress approved the Public Health Security and Bioterrorism Preparedness and Response Act in June 2002. The nation was groping for ways to respond to possible terrorist threats, and the act outlined the broad parameters of an effective defense plan, including rapid recall of contaminated products.
Accidental product contamination emerged as a continuous improvement focus in the ensuing years. Malicious contamination, on the other hand, has become a background concern, in part because of the absence of dramatic, widely publicized events like this year’s Salmonella-and-eggs event. But terrorists are only one security issue. Food manufacturers also must be concerned with the security of their workers and the automation infrastructure that drives production. Security is a multidimensional concern, and companies are taking a holistic approach to it.
Both FDA and USDA issued voluntary security guidelines for food processors in 2002, setting the stage for a wave of assessments of the vulnerabilities of the nation’s 158,000 registered food and beverage facilities. Plant managers were encouraged to assess vulnerabilities in outside security, inside security, storage security and shipping and receiving, and then identify cost-effective actions to address them.
As with HACCP, a food-defense plan is specific to the plant, and the guidelines do not prescribe specific actions. Most new and many older facilities include security fencing on the perimeter and card readers inside, but if a hog plant on the Plains affords a clear view to Canada, managers are free to forgo fencing and deploy limited resources on other safeguards, such as tamper-evident seals on outbound and incoming shipments. The regulators’ goal was to raise awareness, and facility managers can access security checklists and software programs to assess risk.
Three years ago, FDA partnered with the Institute of Food Technologists and Sandia National Laboratories to create a computerized assessment tool called CARVER + Shock, a 100-plus question risk-assessment tool adapted from the US military’s method of evaluating targets’ vulnerabilities. CARVER is an acronym for six attributes: criticality (the impact of an attack), accessibility, recuperability, vulnerability (the ease of an attack), effect (loss of production) and recognizability of the target by a terrorist. The psychological impact of an attack also is addressed. An attack is a reasonable expectation for a military base, but the public would be shocked if an iconic food brand were compromised.
In a security-conscious age, video cameras are becoming commonplace in meat and poultry plants. When production started in August 2009 at Keystone Foods’ Gadsden, AL poultry plant, 89 cameras monitored movements inside and outside. Wherever work in process is exposed to the production environment, a camera is trained on it. Food safety and enforcement of hygienic behavior are the justification for the capital cost and monitoring expense of such a system, but security objectives also are served.
Mount Kisco, NY-based Arrowsight Inc. couched its “third-party remote video auditing” service in positive-reinforcement terms when it entered the food sphere. Plumrose USA installed 25 cameras in its Council Bluffs, IA meat plant in January 2005, becoming Arrowsight’s first food client. Cameras had been used before, but after the novelty wore off, no one reviewed the videotape, the plant’s general manager explained.
Food defense as well as safety was emphasized in the Food Safety Modernization Act approved by the 111th Congress. That reinforced the belief by Adam Aronson, Arrowsight’s CEO, that the time was right to adapt his service to more overt security purposes, focusing on raw material storage areas, holding rooms for finished goods and other places that a CARVER + Shock assessment would flag as vulnerable to attack. Aronson expects to begin two pilots of the Arrowsight Food Defense solution in the first quarter of 2011, one at a meat plant and the other at a spice company.
Security, not positive behavior reinforcement, distinguishes the new service. Hardware is provided by ADT Security Services, which augments cameras with motion sensors and RFID card readers to better monitor both authorized and unauthorized visitors to high-risk areas. Unauthorized entry triggers an immediate alert to plant management and remote monitoring of the individual’s movements. Authorized personnel, including sanitation crews, are not necessarily subject to video surveillance unless they approach or handle any sensitive materials.
“The facilities in general are very good at ensuring that the wrong people don’t get in the place,” says Aronson, “but once they’re in the plant, there is very little control.” Checkpoints and other restrictions on workflow would be impractical, making passive monitoring a realistic option. Just as cameras ensure compliance with standard operating procedures, remote monitoring with cameras, sensors and card readers can constrain acts of sabotage. “Most workers would be unlikely to commit an act of tampering under these conditions,” he says.
Almost 100 video cameras monitor the interior and exterior of Keystone Foods’ Gadsden, AL poultry facility, though quality assurance, more than biosecurity, drives camera placement in processing areas.
It's in the cards
Proximity cards are used in many plants to control entranceways and restrict access to sensitive areas, though the early 125 kHz cards with 26-bit encryption are going the way of the time clock. Smart cards with multiple applications and 128-bit encryption for sensitive information are available for a small premium, and they can be upgraded for advanced security while coexisting with more basic systems.
“It’s simply too easy for unauthorized people to duplicate and use another person’s proximity card,” laments Raj Venkat, a marketing vice president with Ingersoll Rand Security Technologies, Carmel, IN. With smart cards like the recently introduced aptiQ card from Schlage, “the workforce is effectively managed” and multiple levels of security and functionality can be delivered, he says. aptiQ readers also can process simple proximity cards and can be integrated with biometric systems, such as hand readers.
Two-way, secure RFID communication is one enhancement provided by smart cards. Others are the audit trail and exception reports that are automatically generated. Smart cards also can be used to debit or credit cafeteria and vending machine transactions. But the ability to hold a biometric template is perhaps the most meaningful security enhancement and one that addresses access control on multiple levels. Biometric readers can be placed at entranceways for the general workforce, eliminating the possibility of “buddy swiping” of absent employees’ cards, while maintaining smart card control for sensitive areas in the plant.
“The hand geometry reader is well suited to harsh industrial environments,” says Venkat, and it accommodates “a spectrum of credentials” in the plant. Biometric options such as fingerprint readers are not robust enough to survive in food production, he insists.
Not so, maintains Philip Scarfo, vice president-worldwide sales & marketing at Lumidigm Inc. “For years now, biometrics has had tremendous promise, but the real world performance has been less than satisfactory,” he acknowledges. Read-error rates of 20 percent dogged fingerprint systems, with dirty, moist and even excessively dry fingertips defeating the readers. Complete contact with the sensor is necessary for systems based on total internal reflectance (TIR). Lumidigm’s technology, on the other hand, is based on multiple spectrums of light and advanced polarization techniques to model both the surface and subsurface of the skin. Read errors are less than 1 percent, Scarfo says, and reliability can be improved by simply profiling more fingers for each person.
The Albuquerque, NM company was founded in 2001. Multispectral imaging was conceived as a way to measure glucose on skin. It proved a poor fit, but researchers observed that light waves in the red spectrum penetrated below the surface of the skin. “If you shine a flashlight with a red emitter, you can see the penetration,” says Scarfo. Lumidigm reinvented itself as a biometric technology firm in mid-decade and is in preliminary discussions with food manufacturers, after successfully deploying systems overseas. More than 400,000 people a day pass through multispectral imaging sensors at the Hong Kong border crossing.
Dispensing drugs to nursing home patients is fraught with risk, given the need for positive patient identification to ensure the correct medications are being administered. A San Diego-based medical supply firm called CareFusion tried fingerprint recognition in a system installed in Asia, but TIR readers were not picking up the patients’ prints. Multispectral imaging proved extremely effective, Scarfo says, and it was accepted by medical professionals who are very averse to security technology.
“Security is always a layered approach,” he adds, “and having a non-repudiated way to validate who performed an operation is increasingly important in creating an audit trail. This technology makes security more of a guardrail, rather than a barrier.”
Pepperl+Fuchs’ Tim Cicerchi will reserve judgment on the ruggedness of biometric readers until he sees one withstand high-pressure washdown. RFID readers are “hardened industrial scanners,” the manager of industrial bus & ID systems says, and they may be the only solution for an access control system that protects critical machinery.
Routine maintenance and simple repairs are being pushed down to the operator level at many plants, blurring the line between those workers and maintenance professionals. To limit access to sensitive components that could take a machine down, Cicerchi advocates installation of RFID systems that also record the person’s name, time of access and total downtime. Such applications already exist in automotive and specialized material handling, and the focus on overall equipment efficiency makes machine security an issue in food and beverage, according to Cicerchi, who is based at the firm’s Twinsburg, OH headquarters.
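The audit trail, exception report and per-machine downtime record described above can be sketched as follows. This is an added example, not code from the article or from any vendor named in it; the card IDs, holder names, zone names and event format are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical enrollment table: card ID -> (holder name, zones the card may open).
CARDS = {
    "C-1001": ("A. Rivera", {"filler-3-panel", "spice-storage"}),
    "C-1002": ("B. Chen", {"filler-3-panel"}),
    "C-1003": ("D. Okafor", set()),  # general workforce, no sensitive zones
}

# Constructed reader events: (ISO timestamp, card ID, zone, action).
EVENTS = [
    ("2011-01-10T06:02:00", "C-1002", "filler-3-panel", "open"),
    ("2011-01-10T06:20:00", "C-1002", "filler-3-panel", "close"),
    ("2011-01-10T09:15:00", "C-1003", "spice-storage", "open"),
    ("2011-01-10T11:00:00", "C-1001", "filler-3-panel", "open"),
    ("2011-01-10T11:45:00", "C-1001", "filler-3-panel", "close"),
    ("2011-01-10T13:30:00", "C-9999", "spice-storage", "open"),
    ("2011-01-10T22:05:00", "C-1001", "spice-storage", "open"),
]


def build_reports(events, cards):
    """Return (audit_trail, exceptions, minutes_open_per_zone)."""
    audit, exceptions = [], []
    open_since = {}                 # (card, zone) -> time the panel or door was opened
    minutes_open = defaultdict(float)

    for stamp, card, zone, action in sorted(events):  # ISO stamps sort by time
        when = datetime.fromisoformat(stamp)
        name, allowed = cards.get(card, ("UNKNOWN CARD", set()))
        # Every read is logged, whether or not access is granted.
        audit.append((stamp, name, card, zone, action))

        if zone not in allowed:
            exceptions.append((stamp, name, zone, "unauthorized " + action))
            continue
        if action == "open":
            open_since[(card, zone)] = when
        elif action == "close":
            start = open_since.pop((card, zone), None)
            if start is None:
                exceptions.append((stamp, name, zone, "close without open"))
            else:
                minutes_open[zone] += (when - start).total_seconds() / 60

    # Anything still open at the end of the log is an exception, not silent data.
    for (card, zone), start in open_since.items():
        exceptions.append((start.isoformat(), cards[card][0], zone, "never closed"))
    return audit, exceptions, dict(minutes_open)


if __name__ == "__main__":
    audit, exceptions, minutes_open = build_reports(EVENTS, CARDS)
    for row in exceptions:
        print("EXCEPTION", *row)
    for zone, minutes in minutes_open.items():
        print(f"{zone}: {minutes:.0f} min open")
```

For a machine panel, the minutes between an authorized open and close are the downtime attributable to that access; an unmatched open is reported instead of being counted.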
Hand scanners and other biometric devices have found limited acceptance in food and beverage plants, where RFID cards provide an industrially hardened option for controlling worker and visitor access. Source: Ingersoll Rand Security Technologies.
Stuxnet in the house
Guns, guards and gates always will be central to security, particularly when the objective is to prevent acts of mayhem. Radicals and malcontents are not the only security concerns, however. Criminals and industrial spies also must be held in check, and the tools of bioterrorism security aren’t particularly effective. Armored cars still transport large caches of cash, but that is the economy’s pocket change. The financial services industry is on edge about computer-based theft, making risk analysis and risk management a daily priority. Large food companies also must guard against complacency and probe for weaknesses in their automation networks, advises security expert Eric Byres.
A process engineer, Byres developed a firewall for OPC-based industrial automation systems while heading a British Columbia, Canada research lab. Marketed as Tofino, Byres’s firewall exemplifies the cyber gatekeepers that isolate a manufacturing automation network from other data connections, including a manufacturer’s business systems. It’s an essential element of a defense-in-depth approach to computer security, though the level of protection depends on how well users understand their own network. Recalling an evaluation he performed of a petroleum plant’s industrial automation, Byres says, “I found 17 points of inter-connectivity. They thought they had one.”
The Stuxnet worm provides a dramatic example of network vulnerability. Studies by the security software firm Symantec Corp. determined the worm infected Siemens S7 and STEP7 PLCs and WinCC HMI software, but the ultimate target was Vacon and Fararo Paya drives. This hardware configuration runs the uranium enrichment centrifuges used by the Islamic Republic of Iran in its nuclear armaments program. In November, Iranian President Mahmoud Ahmadinejad acknowledged the Stuxnet attack succeeded: By seizing control of the drives, the worm was able to oscillate the VFDs from 2 Hz to 1,000 Hz, eventually causing the equipment to disintegrate.
Stuxnet had a specific target, “but like all attacks, there is collateral damage along the way,” points out Byres, chief technology officer at Vancouver Island, BC-based Byres Security Inc. “We know of other sites in North America that had equipment controlled by Siemens PLCs that were reconfigured by Stuxnet, probably by accident. No real damage, but a lot of labor changes and shutdowns.”
A USB flash drive is believed to be the Trojan Horse that brought Stuxnet into Iran’s nuclear facilities. An infected USB stick handed out at a trade show could have brought Stuxnet into North American plants, he speculates. Regardless, no defense is foolproof, and cyber attacks are on the rise. Many of them are catalogued by the Repository for Industrial Security Incidents, a Philadelphia area organization that includes ConAgra Foods in its membership, along with automation suppliers and electronics manufacturers. Undisclosed attacks on members are chronicled, along with well-known events, such as the Zotob worm that briefly shut down 13 US Daimler Chrysler plants in 2005, resulting in estimated losses of $14 million.
Virtual private networks, isolation zones within the automation network to minimize an attack’s impact, read-only command protocols: Useful tools all, says Byres, but computer security is multi-dimensional. “The average plant is facing criminals or highly motivated special-interest actors,” he says. “There are very few kids left in the hacking business.” RFPs for viruses and worms are posted on shadowy sites, with hired-gun hackers providing Stuxnet-like solutions to criminals and industrial spies.
People are a more likely target than products or plant technology. The Bioterrorism Act casts workers as suspects. In reality, they often are victims of harassment or worse (see related story on page 72). Productivity suffers, with absenteeism and turnover compounding the effects of on-the-job stress. The remedies are well known, says forensic psychiatrist Park Dietz, but food production “is an industry that’s falling behind in using them, and it wasn’t always that way.”
Dietz traces his involvement in consumer packaged goods to the 1984 Tylenol poisonings. He assisted the FBI in profiling suspects in product tampering cases, crimes that involved about 3,500 mostly food and pharmaceutical items a year at their peak. In every case where a suspect was identified, the individual had been involved in prior violent incidents. The same pattern existed with workplace violence. Dietz founded Threat Assessment Group Inc., Newport Beach, CA to help employers weed out violent job applicants and, if they are on staff, minimize their impact.
Proper pre-employment screening can secure the workplace, though effective screening services are few and far between. In-house verification of an applicant’s last employer and where he or she last attended school often reveals “an alarming rate of liars and criminals, in the order of a 10-20 percent hit rate,” he says. That element knows when a company conducts even cursory background checks and will quickly gravitate to employers who don’t, says Dietz.
Stress can cause previously stable individuals to become aggressive and even violent, and plant managers and line supervisors need training in what to look for and how to react. To ignore violent behavior is to condone it. Given the proper tools, supervisors begin to hear “hair-raising stories of what has been tolerated,” Dietz adds. “There isn’t a business that couldn’t save money and improve productivity by learning to manage aggressive acts well.”
Employee well-being and network security are not addressed in the Bioterrorism Act or the Food Safety Modernization Act, though securing people and data systems requires the same proactive approach as securing the food supply. Under the Modernization Act, “People are going to be personally and criminally liable if they do not address security issues brought to their attention,” suggests Arrowsight’s Aronson. Penalties for ignoring non-product security issues don’t include jail time, but the consequences for an organization can be dire.
For more information:
Adam Aronson, Arrowsight Inc., 866-261-5656
Eric Byres, Byres Security Inc., 250-390-1333
Jim Brooks, Control Risk Group, 213-996-7560
Raj Venkat, Ingersoll Rand Security Technologies, 317-810-3074
Philip Scarfo, Lumidigm Inc., 505-730-4949
Tim Cicerchi, Pepperl+Fuchs, 330-486-0117
Park Dietz, Threat Assessment Group Inc., 949-723-2220
Cameras, motion detectors and video recorders are part of the hardware supporting a new plant security system built around the risk assessment tool CARVER + Shock, a food industry adaptation of the US military’s vulnerability methodology that FDA and USDA modified to include the psychological impacts of an attack. Source: Arrowsight Inc.
Workplace stress and lost productivity
By early September, the year 2010 was well established as another bloody year in the American workplace. The second shooting rampage in six weeks involving a food or beverage facility occurred September 9 when a suspended Kraft Foods worker drove through a security gate soon after being escorted from a Philadelphia biscuit and cracker plant and shot three fellow workers, two fatally, before being taken into custody. In early August, a fired worker at a Manchester, CT beer distributorship fatally shot eight before taking his own life.
Workplace shootings killed 421 US workers in 2008, according to the US Bureau of Labor Statistics. Throw in those killed by knives, heavy equipment and the closest available blunt instrument, and the toll climbed to 526, about 10 percent of work fatalities. The mayhem isn’t limited to homicides, of course, with beatings, bullying and verbal berating also disturbing the workforce and diverting attention from the job at hand.
Deploying metal detectors to plant entrances might mitigate the most sensational incidents, but that would only treat a symptom. Maintaining workplace tranquility is the goal, and pre-employment screening is the first step in achieving it, according to Park Dietz, president and founder of Threat Assessment Group Inc., Newport Beach, CA. But unless supervisors and other managers are trained to detect warning signs and act on staff complaints, psychological profiles are of little use.
“Supervisors who look the other way or feel uncomfortable about taking action against a problem worker end up undermining confidence in workplace violence-prevention programs,” says Dietz. “If you want workers to have a safe environment, people need to be comfortable reporting incidents.”
At least one in 20 women subjected to domestic abuse also is harassed by her abuser at work, and the effects are felt by at least three of her coworkers. “The impact of that alone is quite disruptive,” Dietz observes. “When you add all the other problems, the costs to production begin to look astronomical.”
Workplace homicides numbered about 1,200 a year when OSHA began tracking them in 1984, and a decade later they had leveled off at 800. “But that is such a minuscule part of the overall problem,” Dietz says. Instead of focusing on homicide prevention, he advises food companies to confront workplace security issues such as aggravated assaults (up to 2 million per year) and the more than 10 million incidents of bullying, harassment and verbal threats.
Safeguarding your process
Due to recent high-profile quality and consumer food safety issues, the food & beverage industry is undergoing changes and increased scrutiny. With the federal government on the verge of passing new legislation, regulation and penalties for non-compliance will likely increase. In light of these new regulations, the challenge is to reduce your exposure risk, be more proactive and leverage your existing infrastructure investments. Increased regulatory scrutiny and the susceptibility of the food and beverage industry put processors in defensive mode. “Going forward, new standards for food safety, inspections and enforcement of food regulation will come into play,” states Phil Atteberry, director of managed security services for Siemens Industry, Inc. “Food defense is going to be a requirement as even a slight lapse can cause a serious public health threat or an issue with compliance, and a widespread lapse could weaken national security,” Atteberry adds.
A food defense program (FDP) is a holistic approach to security that protects every component of an enterprise: people, products, customers, assets and brand. FDP also communicates a company’s understanding of its responsibility to protect consumers and others in the food industry from intentional tampering. Physical security measures, policy changes and operational practices that enhance food defense are among the many factors affecting the design and implementation of a comprehensive FDP.
By creating food defense programs, growers, producers, processors, packaging suppliers, distributors, retailers and food service companies can be more confident that the food they provide meets the highest possible quality standards. When considering FDP, it is important to seek qualified guidance and support from partners who understand food defense and food safety and who have the technical expertise to develop comprehensive solutions in the following areas:
• Understanding government regulations
• Conducting threat vulnerability assessments
• Developing written enterprise-wide policies and procedures
• Developing crisis management and emergency response plans
• Providing employee screening and workplace violence prevention training
• Offering employee security awareness programs, and
• Performing comprehensive audits.
Physical security integration for food defense requires extensive technical expertise and experience. A security integrator must:
• Possess deep market knowledge of the food and beverage industry
• Design solutions rather than simply sell products
• Have access to emerging technology
• Offer exceptional customer service
• Provide local, national and global capabilities
• Provide ongoing service and support beyond installation, and
• Be a recognized thought leader in the security industry.
Designing and implementing FDP requires a thorough understanding of the company’s business goals and budget, in addition to regulatory requirements. “The solution can be as simple as adding a basic access control and video system that helps on-site or remote security to better manage the security access for these facilities,” says Atteberry. Relying on the right partners will help companies achieve their business goals while defending the supply chain. “Siemens managed services offers a multi-tiered solution of hosted, managed or hosted/managed service options, which supports companies by effectively meeting these government regulations and achieving their short and long-term goals while reducing their upfront capital expense, lowering overall service costs, and better executing the management and monitoring of their security systems,” Atteberry states.