Food processors balance cyber, physical security
Processors have to focus on cybersecurity without sacrificing physical security
What exactly falls under “security” can vary from company to company, facility to facility or even department to department. That doesn’t even begin to touch the complexities involved with existing and upcoming regulations.
However, there is one universal truth of security: The more variables you have, the higher the chance that something will go wrong. And as more buildings, equipment and job responsibilities become connected as part of the Internet of Things, the number of variables is increasing at an exponential rate.
The consequences of security failures go beyond something being stolen or someone being hurt. Security also plays a role in protecting the company from damaging PR hits, says Evan Baker, data/fire/security systems department manager, SSOE.
“Your company’s name has a reputation,” says Baker. “If there’s some kind of security event that causes your name to be mentioned in the news in some kind of negative way, it’s going to affect your business.”
The good news is that this is a manageable challenge. But to do so, processors have to understand that “security” and “cybersecurity” are no longer separate concerns, and that every department—not just security and IT—has a role to play in an effective security plan.
Laying the groundwork
Security—or at least enhanced security—is often reactionary, says R.J. Hope, CPP (Certified Protection Professional), manager, security consulting, Burns McDonnell. A security plan may seem sufficient, but not be able to cover all the bases when something happens.
“Two things generate security spending,” says Hope. “Ink on paper, meaning a regulation that requires you to do so, or blood on the pavement.”
Regardless of whether your security plan is driven by a reaction to events or a desire to get out in front of potential issues, it needs to be as comprehensive as possible. As with most initiatives, the start of a good security plan and the first step to successfully implementing it is bringing together everyone who will be affected to make sure they’re on the same page. In the case of security, “everyone who will be affected” can be summed up as “everyone.”
Developing the initial plan can be tricky because every facility is different, says Hope. There are also fewer regulations governing security than there are for something such as cooking temperatures.
“Because it’s not regulated, a lot of plants struggle with standardization because security can be seen as a production inhibitor,” says Hope.
Hope offers the example of security cameras, which seem like a pretty straightforward security measure. But if they’re put up with no input from employees, they can easily be misconstrued.
“If you start putting cameras up, a lot of times, a representative of the workforce can say, ‘Well, you’re just spying on me. You’re just wanting to make sure I’m working,’” says Hope. “But if they’re all in the decision-making process in the beginning, it will help put those [cameras] up in the right spot so they don’t inhibit production, as well as get that whole company buy-in.
“Once the process is set up with everybody involved, it then becomes part of the culture of the organization.”
Cost will, of course, be a primary concern from the beginning. It’s a hard reality that even in an area such as security, the bottom line matters and will dictate much of what you do, so you may not get everything you want up front.
That doesn’t mean you can’t ever get it, though. Tim Clark, CPP, director, security, health and safety for SugarCreek Packing, says that when a system is put in place, he does an evaluation of what the system might be able to do down the road and lays as much groundwork as possible to be able to take advantage of future capabilities.
For example, when SugarCreek installed access control turnstiles, capabilities such as iris scanning weren’t really an option at that point but might be in the future, so the company installed some of the components that will be necessary when the time comes to add that functionality. By doing so, it will end up saving money down the road because it won’t have to do extensive retrofits.
“What may make sense to me may not make sense overall with the finances [right now],” says Clark. “My priorities may be more expensive than what the company is willing to invest at that time, but if there’s a way for us to prepare for having that investment going forward, then we do that.”
Twenty years ago, security was a bit less complicated than it is now. After all, your freezers weren’t connected to the Internet then. But as more devices come online, and more data moves to local servers or the cloud, more opportunities for theft of important information arise. Data collection is great for operational efficiency, but can also be a juicy target.
Jason Rosselot, director of product cybersecurity for Johnson Controls, points out that what may seem like nuts and bolts information, such as temperature set points, can be vital information that you don’t want ending up in the wrong hands. Because of this, evaluating even seemingly simple information becomes an important aspect of deciding how to implement security plans and procedures.
In the case of something like set points, “Is that considered highly sensitive? Is that part of the intellectual property or the trade secrets that the food processing organization has?” Rosselot asks. “Maybe they found a way to do things at a different temperature set than their competitors, and so that is really key to them.”
Another kind of information to keep in mind is the information collected and used by the security apparatuses themselves. Access control systems are common, but are you aware of exactly what information they contain? If the access control system contains floor plans or similar information, it can reveal exactly where food processing, food storage or any other part of the operation is located.
Regardless of whether a piece of equipment is part of the security apparatus or day-to-day operations, understanding what protections are in place for it and how it fits into the overall security plan is crucial, says Rosselot.
“We’re not going to put a $10,000 control on a $1,000 asset,” Rosselot says. “But if we don’t know what our assets are, and we don’t know what the risk is and the impact of a potential exploit of that asset, we can’t make those good decisions.”
Security and cybersecurity
Any security plan now has to include cybersecurity, and in most cases, cybersecurity is driving much of the security strategy. When cameras and access control systems are all linked to a network, cybersecurity is important; when almost everything in the building and even the building itself is connected, cybersecurity becomes critical.
“There are really two aspects [to cybersecurity efforts],” says Josh Newton, senior architect, network and security services for Rockwell Automation. “Number 1, protecting the intellectual property; Number 2, keeping the manufacturing process up and running.”
Newton’s second point gets to the inherent tension between security and operations: It’s possible to make an area or a building completely secure, but not if you actually want to accomplish anything in terms of production. There will always be trade-offs, but they don’t have to involve completely sacrificing one or the other.
Almost everything to do with security has an Internet component. Cameras and access control systems are tied into networks. Proprietary processing information is often, if not always, shared between multiple physical locations. All of this information flowing around means that IT has a role not only in making sure it gets where it needs to go, but also in making sure it stays secure.
To achieve the necessary balance, production and IT have to be on the same page. While IT is constantly becoming a more important part of security efforts, there is still a gap to be bridged, says Newton.
“Sometimes, we have to play marriage counselor,” he says, describing the different viewpoints that IT and operations may have on exactly what role cybersecurity should play. “IT is much more mature [on cybersecurity], but they don’t necessarily understand the nuances of the manufacturing environment. That’s a really critical piece of this.”
Another complicating factor in cybersecurity efforts is legacy systems. In any given plant, Newton says, there can be not only five or six different control systems, but two or three generations of any one of those control systems. If a control system isn’t supported on any operating system newer than Windows XP, and another isn’t supported on anything older than Windows 8, getting them to talk to each other can be tricky.
Ultimately, viewing IT and production as equal partners is the first step to successfully implementing a cybersecurity plan that meets everyone’s needs. With security concerns ranging from laptops to building automation systems to processing equipment, a comprehensive cybersecurity plan is critical.
“Manufacturers understand that in this day and age, security is really more of a lifestyle,” says Newton. “It never ends.”
Protecting data is important, but so is protecting the physical plant and the people in it. In food processing, there are multiple potential trouble spots.
The most obvious one is the raw materials receiving area. While you may have a good idea of what’s coming in, there’s only so much you can do to be absolutely certain that the truck is carrying only what it’s supposed to be carrying or that what’s on the truck hasn’t been tampered with in any way.
With something like seasonings or another material that’s processed, you have the advantage of being able to have a scheduled delivery time. You know what’s coming, where it’s coming from and what time it’s supposed to arrive, and that information makes it easier to detect variations that can be a warning sign.
But if material is coming straight from the field, it’s a little trickier. A load of potatoes may be scheduled for noon on Wednesday, but if it’s late, is it because of a real delay or because the driver who shows up isn’t who he says he is?
To combat this, pay close attention to the details of how materials are coming in and where the people making deliveries can go. You can’t just have a load dumped at the front gate and handle it from there with your own people, but you can limit the in and out access of the trucks and restrict the areas of the plant the driver can access. You can also make sure that paperwork is in order at the front gate instead of at the loading dock, which can help ensure that nothing weird is going on when a delivery shows up.
One other strategy that can help is Crime Prevention Through Environmental Design, or CPTED, says Baker.
“It’s essentially allowing the natural environment to provide some level of barrier between public space and private space,” says Baker.
Cutting berms or digging ditches can help guide vehicle traffic, ensuring that it only goes where it’s supposed to go. Landscaping and design can also be used to guide vehicle or foot traffic to stay only in certain areas, allowing for security without sacrificing aesthetics.
“It provides a level of security without looking like a secure facility,” Baker says.
Once the delivery actually makes it to the receiving area, there are other steps you can take to provide an extra layer of security. Keeping everything drivers need close to the unloading area avoids giving them access to the entire facility. Devices, such as smartphones and tablets, allow receiving workers to quickly check material and delivery information to be sure it matches up with what is expected. And, of course, cameras and visible security staff help show a potential thief or troublemaker that the site isn’t a soft target. Sometimes, overt security measures work best by simply encouraging people to find an easier nut to crack.
“I know if I put up a 10-foot fence, you can show up with an 11-foot ladder,” says Hope. “But me putting up a 10-foot fence means you’re going to go next door to the guy who has an eight-foot fence.”
While security, IT and production may have different perspectives and different goals, they all have one thing in common: Their plans are only as good as the people who carry them out. If a security plan is ignored by the people who need to be paying attention to it, it’s not going to be a very effective plan.
One way to mitigate this concern is by involving employees from all departments in your ongoing testing and evaluation of your security plans. One of Hope’s clients uses a challenge competition, where outsiders try to enter the facility and see how far they get before they are challenged by an employee. The first employee to challenge them gets a $100 gift card, and a yearly drawing gives one of the challengers $1,000 cash.
“When it comes to testing the system, you’re really only limited by your creativity,” says Hope.
Non-security employees are helpful in other ways, as well, because they’ll often be the first to point out that something is wrong. They know their workspaces better than anyone, so if something is missing or not in its proper place, they’re the first line of defense. Instilling a “see something, say something” mindset helps ensure that they’ll report anything that’s out of the ordinary, instead of just assuming they misplaced something.
Effectively involving employees in security is not only a bottom-up process. Working from the top down is important as well. If you have a badge program, the CEO or other upper management shouldn’t be exempt; if employees see the CEO wearing a badge, they don’t really have an excuse for not wearing theirs.
“The best spend for your money is your people,” says Hope. “If you have 100 employees, and you get them to be 10 percent more aware, you’ve added 10 security officers for free.”
Success is a non-event
Ideally, your security plan will end up being a lot of time and money spent on something that never has to be used, because a good day for the security team is a day where nothing happens. But in reality, there will almost always be some sort of event that requires you to react.
Whether it’s workplace violence, a disgruntled ex-boyfriend, theft of trade secrets or even a random, indiscriminate attack, a good security plan will allow you flexibility and a rapid response time. But it has to be well thought-out from the beginning, implemented with buy-in from all departments and tested regularly to be sure it’s still meeting your needs.
As connectedness increases, so does the complexity of security. In many ways, that’s a benefit, because security staffs have tools available now that offer far more functionality than even five years ago. But it also means that both security options and threats will become more complicated in the future as technology continues to improve.
Keeping that in mind by preparing for future options, such as Clark’s example of a building infrastructure that needed to support iris scanners, can help offer better security in the future without sacrificing security now. Just keep in mind that there’s only so much you can predict because the pace of change is impossible to know.
“I would love to have chips in everyone’s arms,” Clark says, laughing. “But you have to think, ‘Where are we going to be in five years, 10 years?’ and prepare for that. I can’t prepare for 50 years down the road.”