"Nobody expects the Spanish Inquisition” is a line made famous by the Monty Python troupe. And nobody expected what happened on 9/11 either. But the advent of terrorism on American soil made everyone keenly aware of several open avenues to mass terrorism, including tampering with America’s food and beverages.
FDA says on its FSMA website, “Intentional adulteration of the food supply with intent to cause public harm is unlikely to occur.” But in the next sentence, it states, “However, intentional adulteration of the food supply could have catastrophic results including human illness and death, loss of public confidence in the safety of food and significant adverse economic impacts, including trade disruption, all of which can lead to widespread public fear.”
While the possibility of someone maliciously tampering with food products seems remote, the potential for the intentional poisoning of consumer products is never completely out of consumers’ minds. In late March of this year, an FDA Med-Watch recall went out for GlaxoSmithKline’s alli weight loss products sold by US and Puerto Rico retailers. Tamper-resistant seals of pill containers were not authentic, and various colors and shapes of pills were reported to be found in bottles consumers had purchased. In addition, some labels were missing from inside the outer carton. Currently, it’s too early to tell where or when the tampering took place.
Intentional food tampering incidents are few and far between, but the ones that do occur are often politically motivated or are due to disgruntled employees—and can happen at any level.
• In 2007, a Chinese food plant worker, who wasn’t happy with his pay, poisoned frozen dumplings with insecticide to grab his managers’ attention, according to the Chinese newspaper Xinhua.
• In 2009, a cotton glove was found in a meat grinder, placed there by a disgruntled employee. Production stopped at the meat processor while employees spent hours hunting through product for fabric materials.
• In 2003, a former supermarket employee poisoned more than 100 people after mixing insecticide into about 250 pounds of ground beef. The employee said he did it to get his boss in trouble.
Acts of intentional adulteration can take on many forms, as seen in these examples. Typically, acts of disgruntled employees, competitors and consumers tend to be focused on smaller targets, often attacking the reputation of a company.
FSMA requires study of vulnerable processes
Prior to 2001, security departments in the food industry were primarily concerned with protecting people and assets, according to the Deloitte white paper, “The need for food defense in the post-9/11 era: Can the risk be ignored?”1 Unfortunately, for many processors, protecting their products from intentional contamination wasn’t a priority for the security department, if such a department even existed at the facility. FDA’s FSMA food defense rule has changed the game.
According to the Deloitte paper, by 2010, both FDA and USDA had begun using the same definition for food defense: the protection of food from intentional contamination by biological, chemical, physical or radiological agents that are not reasonably likely to occur in the food supply.
FDA’s proposed rule on food defense, whose comment period has been extended to the end of June, requires domestic and foreign facilities to address vulnerable processes in their operations to prevent acts on the food supply intended to cause large-scale public harm. The rule requires the largest food processors to have a written food defense plan that addresses significant vulnerabilities in a food plant.
“Each food company is always responsible to have its own food safety program and security plan,” says Lisa Ciappetta, senior director marketing & technology, Protection 1 Security Solutions. “Responsible processors will use consultants to specify and determine their risk assessments—and where they may be vulnerable—such as accessibility where building issues need to be fixed.” These include entrance doors, the location of product storage and access-controlled gates at vehicle entrances.
A vulnerability assessment is an important tool to determine existing risks and weaknesses in the physical site, programs and operational procedures that might increase exposure to a terrorist event, workplace violence situation or other incident.2 Auditors such as AIB can help processors with vulnerability assessments, focusing on key areas including employee training in food defense, individual site access privileges, incoming raw materials, packaging materials, storage of chemicals and hazardous materials, and a recall program that includes procedures and practices for handling acts of intentional contamination.
Fortunately, many free tools are available to help processors get started on developing food defense plans, and there’s no better place to look than the USDA and FDA. In March 2008, USDA’s FSIS released a check-off list to help a processor determine the steps that it needs to take in conducting a food defense assessment. Entitled “Guide to Developing a Food Defense Plan for Food Processing Plants,” the paper guides a processor in determining its outside and inside security needs; shipping, receiving and mail handling security; and personnel security. Through check-offs and fill-in-the-blanks, processors can develop a food defense plan.3
Another free tool, which is available from FDA, is the CARVER + Shock software tool. According to Don Hsieh, Tyco Integrated Security director, commercial and industrial marketing, this tool helps a processor analyze its security risks in much the same way a terrorist or criminal would size them up.
The CARVER + Shock Vulnerability Assessment Tool is a no-cost software program processors can download and use independently; it generates results, customized to a processor’s specifications. No one else, including FDA, has access to the results or other confidential information entered into the program. The program is easy to use and contains a tutorial. It is free and available to the industry through the CFSAN Food Defense website. 4
Another tool—primarily designed with the intention of assisting government regulatory and public health agencies in assessing existing food emergency response plans, protocols and procedures, or revising and developing new procedures—is called FREE-B (Food Related Emergency Exercise Bundle). Although it’s designed for emergency responders, the tool gives processors a good idea of how government agencies will work in case of a contamination crisis. 5
Preventing exploits: Who
“Most security individuals and law enforcement people say the disgruntled employee is probably the most common and likely [security] threat,” says Tyco’s Hsieh. Though this threat may not involve massive public harm like a terrorist attack, the results may be deadly to coworkers or the general public.
“Employees or contractors who seek revenge or are disgruntled with the facility, management or their own personal lives could be threats,” says Jim Otte, SSOE Group data/fire/security specialist. According to Otte, several methods for developing a character profile exist, including background checks and other testing. But most of all, fellow employees need to be vigilant and watch for changes in a worker’s attitude or perception that could be potentially dangerous.
An event that occurred in a Philadelphia, PA Kraft Foods plant in 2010 demonstrates the need for employees to be keenly aware of personality changes and issues with coworkers. A 15-year employee of the company, whose coworkers said she was troubled—to the point of believing her coworkers were out to get her and were spraying chemicals on her—was suspended from her job and escorted from the plant. Later, she went back to the plant with a .357 pistol, pointed the gun at the guard and gained access to the building. She went to the third-floor mixing area where she worked and found four coworkers in a break room. She opened fire, killed two and injured a third. She had also fired at a plant manager and a mechanic, who called 911.6
Protection 1’s Ciappetta notes that disgruntled employees have an advantage over a total outsider, and that advantage is knowing the “lay of the land,” the vulnerability points inside the plant, where the doors are located and where the guards and video cameras might be looking.
Preventing exploits: Where
Several questions come to mind in the Philadelphia incident. The suspended employee gained access to the building by threatening the guard, but how was she able to get into the mixing area? Was there a security door? Did she still have a key or card to allow access, in spite of being suspended? Was the building older, with entryways that had no access control? What if instead of shooting, she had thrown chemicals or poison into food in the mixing area? These are questions that can only be answered by those at the site. However, these same questions are contained in most surveys and audits to ascertain a plant’s security.
Where are perpetrators likely to contaminate food products? A short, but easy, answer is wherever it takes the least effort to gain access. “Mass contamination is generally performed in areas that are not under surveillance by CCTV [closed-circuit TV] or other employees,” says SSOE’s Otte. “These areas can be internal or external. This is why monitoring and strict control of areas where mass contamination could occur are so important.”
Mixing contaminants into raw ingredients that are added into the process without being tested is another problem area, and this includes products being delivered in large tanks or via rail. Supervision of raw product unloading is strongly advised, as well as validating seals are in place and show no signs of tampering. RFID tagging with dual-seal tag procedures also is strongly suggested, says Otte.
Perpetrators who are serious about contaminating a processor’s product will scope out a plant and look for vulnerabilities, says Tyco’s Hsieh. They observe shift changes, look for doors/gates left open, locate unguarded places and determine where batch processing/mixing takes place because these areas are often large and relatively unprotected.
But human nature being what it is, Hsieh says criminals will not work hard for a difficult-to-reach target if there’s an easier or “soft” one in view. “I think a lot of perimeter objects [fences and concrete barriers] are about making it harder for the criminals, creating enough risk that their effort is not worth the gain.” For example, Hsieh knows of a bakery that had no perimeter fencing until a new high school was built across the street. Then, the bakery put in perimeter fencing, creating a hurdle high enough to prevent vandalism by the students.
Another easy way for some nefarious individuals to gain access to a building is by closely following an employee through an access door, a practice known as “tailgating,” says Protection 1’s Ciappetta. Employees should never hold the door for someone they don’t know or who doesn’t have a legitimate badge. Speaking of badges, they should not have the company name on them in case they are lost or stolen; it makes it too simple for someone to use a “lost card” to gain access. When it comes to third-party vendors, most processors are already on top of who’s coming to work in their facilities, and many require that a third-party technician’s credentials be sent before the time of work so his or her identity can be verified.
Criminals can find other ways to sneak into a facility, says Otte. Often, large vents, roof hatches and grates are overlooked as a means of intruder entry. Water and fresh air intakes are other areas that often remain unsupervised. In addition, tagging, securing and supervising the delivery of ingredients from the manufacturer’s dock and from the plant to the client’s dock should be reviewed.
Another area for entrance into a plant is through the loading docks. Truck drivers can be validated by having them input a bill of lading number into a touch pad after hours, and they should report to a shipping and receiving office during normal business hours, says Otte.
Truckers should also have restroom facilities and cafeteria services that are separate from other locations in the plant, adds Ciappetta. All visitors including contractors should have escorts and wear proper identification at all times. Security guards, when confronted by the “ice cream vendor,” should not allow a third-party into the plant without proper identification and authorization.
Outside the plant, unexpected things can happen where the supply chain begins. “Theft of discarded product is also a concern,” says Otte. “When products are disposed of, they should be discarded with the packaging destroyed. Several companies have found products they have thrown away ending up on distribution shelves.”
Cargo theft is another big problem for the food and beverage industry—so much so that for four years running, it has had the highest number of incidents of any industry, according to Tyco’s Hsieh. Cargo theft happens when fraudulent truckers arrive onsite ahead of regularly scheduled truckers, pretending to be the one that’s expected. If a processor has a refrigerated load that is stolen and placed into a non-refrigerated truck, the food will spoil, but the cargo thief isn’t likely to care. His or her only concern is selling the product as soon as possible, whether it’s been handled correctly or not. But if the lot is spoiled and makes it way to the retail market, it’s the processor’s brand at stake, warns Hseih.
Preventing exploits: How
There’s a lot of common sense to security and preventing exploits. It starts with processors knowing their own staff and keeping track of every visitor who comes to their premises. Basic things like signage let employees and visitors know the rules. In addition, perimeter and interior doors must be numbered and restricted and have access control. Outdoor lighting should be sufficient and located in the right areas, especially if video cameras are co-located outside. Processors also need to set up mock evaluation planning and training, including evacuation routes, with employees.
Guard services are very effective, but they also are expensive, says Otte. “Even with guard services, physical and electronic security systems are required. Electronic security methods are very effective if used and installed correctly.”
Otte also recommends the following:
• Access control systems that restrict and validate authorized staff and can limit entry to the facility through gates and doors during operating hours
• Intrusion systems to ensure unauthorized access is detected after hours
• Perimeter fencing as a means to secure exterior plant facilities and limit access to cars, trucks and tankers
• CCTV systems designed to assist a security team with faster response times and to review an event after it has occurred.
Although many companies believe the installation of a CCTV system will prevent tampering and security issues, this is not the case, even if the system is closely monitored. Designing a functional security program involves a layered approach and interfacing different systems together in a combined solution, says Otte.
The problem with video cameras is that all too often, no one monitors them at night, according to Ciappetta. It just isn’t financially practical. Video as an investigative tool is more worthwhile than stopping someone from coming into the building. However, video cameras outfitted with analytics can be used to detect motion from an individual or a vehicle.
Inside a plant, say in the mixing area, a video camera can serve multiple purposes. Obviously, it can record someone who doesn’t belong there and may potentially spoil a batch. In addition, the camera can serve as both a training and quality tool to make sure operators have taken the right steps and added the proper ingredients to the batch, adds Ciappetta.
The physical locks on the doors used in combination with an access control system are frequently overlooked, says Otte. For instance, the security of a door with electrified hardware or a strike is only as good as the security of the keys that can also unlock the door. Every key can be copied, and stamping “Do Not Duplicate” on the key is not an effective method of preventing this from happening. When manual keys are used, they must be restricted in a secure cabinet where the physical keyway is kept locked.
Access control systems are the main method of validating people entering a facility. Access cards should be used in conjunction with a touch pad for dual verification. However, iris verification is the best solution in lab and production areas, adds Otte.
Finally, employees can be trained to detect, foil or stop an event involving the contamination of a food product in several ways. For example, when they encounter a stranger, they should escort him or her to the office. If they bring in visitors, they should accompany them throughout the facility at all times. Consequently, processors need to provide ongoing employee training on how to identify potential threats and remain vigilant for suspicious activities and how to react to these situations. Employees must understand their participation in protecting the facility and its products is necessary to protect their jobs.
For more information:
Lisa Ciappetta, Protection 1 Security Solutions, 866-687-3778,
Don Hsieh, Tyco Integrated Security, 561-226-8249, firstname.lastname@example.org
Jim Otte, SSOE Group, 567-218-2433, email@example.com
1“The need for food defense in the post-9/11 era: Can the risk be ignored?” Deloitte Development LLC, 2013.
2“Food Defense Program: Feeling Vulnerable?” Kerry Beach, AIB Update, Jan./Feb. 2012.
3“Guide to Developing a Food Defense Plan for Food Processing Plants: March 2008,” Adapted from information provided by the USDA Food Safety and
Inspection Service, (March 2008).
4CARVER + Shock Vulnerability Assessment Tool, Download: www.accessdata.fda.gov/scripts/email/CFSAN/reg_feedback/carverdl.cfm.
5Food Related Emergency Exercise Bundle (FREE-B), FDA, www.fda.gov/Food/FoodDefense/ToolsEducationalMaterials/ucm295902.htm.
6“Two killed, woman arrested after Kraft plant shooting,” WPVI, Sept. 10, 2010, http://abclocal.go.com/wpvi/story?section=news/local&id=7659454.
|Proposed rule on protecting food from intentional adulteration|
FDA’s proposed rule on food defense requires domestic and foreign facilities to address vulnerable processes in their operations to prevent acts on the food supply that would cause large-scale public harm. The rule would require the largest food businesses to have a written food defense plan in place that addresses significant vulnerabilities in a food operation. The proposed rule was published on December 24, 2013; comments are due by June 30, 2014.
With some exceptions, the proposed rule applies to both domestic and foreign facilities that manufacture, process, pack or hold food and are required to register as a food facility under section 415 of the FD&C Act.
FDA has identified four key activities within the food system that are the most vulnerable to adulteration:
1. Bulk liquid receiving and loading
2. Liquid storage and handling
3. Secondary ingredient handling (i.e., the step where secondary ingredients of a food are handled before being combined with the primary ingredient)
4. Mixing and similar activities.
Each facility covered by this rule would be required to prepare and implement a food defense plan including:
• Actionable process steps: Identifying these steps using FDA-identified key activity types or by conducting their own facility-specific vulnerability assessments
• Focused mitigation strategies at each actionable process step
• Monitoring: Establishing and implementing procedures for monitoring the focused mitigation strategies
• Corrective actions: Executing remedial steps if mitigation strategies are not properly implemented
• Verification: Ensuring monitoring is being conducted and appropriate decisions and corrective actions are being made
• Training: Providing training in defense awareness for personnel and supervisors assigned to actionable process steps
• Recordkeeping: Establishing and maintaining records related to the above steps and points.
Depending on the size of the business, compliance dates would vary. Very small businesses would have three years to comply; small businesses, two years; and other businesses, one year after publication of the final rule.
For more information or to download the document, visit www.fda.gov/Food/GuidanceRegulation/FSMA/ucm378628.htm