Site and Supply Chain Security Management

Who May Want to Contaminate or Sabotage Foods?

When evaluating the potential Site and Supply Chain Security exposure of any food business, the Senior Management should consider a large variety of people who may potentially execute an attack from both inside and outside the business operation. Potential attacks may include both opportunistic attacks by single individuals and planned attacks by organized groups.

The following listing provides some examples of people who may be motivated to contaminate or sabotage food products from both internal and external sources:

Internal Sources

• Disgruntled employee;
• Visitors or Contractors;
• Temporary or casual employees;
• Members of organized groups posing as employees.

External Sources

• Organized groups;
• Transport drivers;
• Visitors or Contractors;
• Raw Material Suppliers.

Additional threats are often identified through internal sources as perpetrators often have access to food business procedures and protocols that may make their goals more readily achievable. Food businesses should liaise with relevant regulatory authorities regarding potential local threats to their operation.

Site and Supply Chain Security Management Risk Assessment

The following may be considered when conducting a Site and Supply Chain Security risk assessment for your food business:

Define What Needs to be Protected

A clear understanding of potential threats and what needs to be protected will assist in ensuring that effective and appropriate control measures can be applied. It is important to identify the most vulnerable elements of any food business operation. Historical or current Site and Supply Chain Security incidents built from within your business and externally can be used as resources to ensure you are considering an appropriate range of potential Site and Supply Chain Security hazards.

Application of Site and Supply Chain Security Management Control Measures

The application of the Site and Supply Chain Security Management control measure within any food business operation should be applied according to the defined severity of outcomes related to each nominated control measure. As with most business management systems, it is important to consider that the identified potential Site and Supply Chain Security risks should be controlled in order from the one with the most severe potential outcomes, to the one with the least severe potential outcomes. This method generally facilitates a practical approach to resource allocation as applicable to each unique food business operation. Contemporary Site and Supply Chain Security Management protocols rely on a multi-layered approach in ensuring effective outcomes. A multi-layered approach, for example, may include elements such as:

Physical Security

Potential security measures include perimeter controls through the use of fencing, gates, guard stations, and key card or radio frequency emitting device access. All entryways, windows, vents, and delivery docks should be secured. Exterior lighting and closed-circuit camera systems may also be used to support outcomes.

Personnel Security

Staff training for Site and Supply Chain Security Management. Logging of employee entry and exit is a common method for tracing staff movements within any food business operation.

Operational Security

Employment of internal or external security monitoring and reaction contractors or consultants, security cameras, or security inspections. This may also include the application of central controls for services like airflow, water supply and electricity, and nomination of supervision for contractors working within the operational areas of the food business.

Process Security

Maintaining control over access to the process and the application of Site and Supply Chain Security Management procedures. This may include the application of tools such as Chemical Usage Inventories, which can track excessive or unauthorized chemical use which may potentially be used to deliberately contaminate foods. Receival, Dispatch, and Transport security measures may include purchasing raw materials only from designated approved suppliers, establishing controls on incoming deliveries, limiting driver access to the food business during deliveries, thorough inspection and inventory accounting of delivered materials, use of tamper-evident packaging for finished products, and the use of tamper-evident seals on incoming and outgoing transport.

Contemporary Food Safety and Quality programs and systems often include requirements for the securing of transport modules or vehicles to reduce the risk of deliberate sabotage or terrorist-type events. In such cases, transport modules or vehicles may be secured physically, or by a system that permits the real-time acknowledgment of potential tampering. An example of a physical transport security mechanism may include the physical locking of transport modules or vehicles where these can only be opened by nominated participants within the supply chain. Where security systems are used instead of physical measures, these may include the implementation of controlled tamper-proof transport seals, mandated transport protocols, and/or specified tamper-proof mechanisms for the product (rather than the transport module or vehicle).

It is generally considered best practice to ensure that any implemented Transport Security protocols, physical mechanisms, and related controls are documented and agreed upon with relevant parties to provide a consistent controlled approach. Related requirements are commonly included within Transport specifications and service agreements between the dispatching entity, the receiving entity, and any other process participants and stakeholders.

Product Security

Maintaining control over access to product and raw materials and the application of Site and Supply Chain Security Management procedures. Raw Material and product storage areas security will protect against the intentional misuse of ingredients or non-food items as food adulterants. Storage areas should be adequately secured and monitored, with access limited to authorized personnel only. Using elements such as these allows for an approach that supports Site and Supply Chain Security Management from across the entire food business operation.

Implementing a Site and Supply Chain Security Management Plan

The following elements may be considered in the implementation of a Site and Supply Chain Security Management plan:

Designation of Responsibilities

Responsibility for Site and Supply Chain Security Management should be designated to an individual with a thorough understanding of the food business operation (typically a member of the Senior Management Team). Further delegations may include specific individual responsibilities for elements of the Site and Supply Chain Security Management systems.

Site and Supply Chain Security Management Training

All staff, visitors, and contractors should be trained in relevant aspects of the Site and Supply Chain Security Management system. The purpose of security awareness training is to ensure that all relevant people are aware of their Site and Supply Chain Security Management responsibilities. Site and Supply Chain Security Management training should address system requirements including identification badges, access control protocols, access to restricted areas, protection of critical Site and Supply Chain Security Management risks, and procedures for reporting suspicious or confirmed inappropriate activities. Understanding the threat of intentional contamination and the potential outcomes of such an incident should assist staff, visitors, and contractors in ensuring the ongoing application of the prescribed Site and Supply Chain Security Management control measures.

All staff involved with the handling of food must be trained to recognize and practice good manufacturing practices and safe working procedures at all times. It is generally considered best practice to ensure all new employees complete relevant induction training before actually starting within their new position. As a base level requirement, food and personal hygiene training should be addressed for all relevant staff during the induction process. Supervisory staff may be required to undertake specific and more comprehensive food safety training in the related areas.

It is also important to consider that Visitors and Contractors may also require induction training commensurate with their interactions within any food business. Food business policies should define what induction, GMP, and personal hygiene training are required for non-staff members entering the premises.

Develop Contact Listings

Current, regularly reviewed, and updated contact listings should be maintained as an element of any Site and Supply Chain Security Management plan. Contact listings should include names, positions, departments, addresses, business and after-hours phone numbers and email addresses for key internal food business contacts, customers, regulatory departments, and officials. Contact listings should also include back-ups for instances in which the primary contacts can’t be made.

It is important to consider that an actual Site and Supply Chain Security incident may very realistically lead to a food recall or food withdrawal. Procedures and flow processes should be clearly defined to ensure a food recall or food withdrawal is facilitated where required as an outcome of a Site and Supply Chain Security incident.

Restricted Items in Specified Areas

Many materials are often prohibited in food production areas due to their potential for causing harm to consumers, particularly as deliberate contaminants. The presence of the following items in production, packaging, storage, and handling areas may be considered a significant risk:

• Paper clips;
• Rubber bands;
• Thumbtacks;
• Pins, nails, screws;
• Steel wool or Wire wool;
• Wood and wooden items. If wooden materials such as wooden pallets must be used, it is highly recommended that they be maintained in a good state of repair;
• Staples;
• Glass may be unavoidable as light fittings and as part of instruments, but can still be contained through common sense methods of control and management;
• Packaging containers: Can cause contamination during the opening, either from external sources, or by parts of the packaging breaking lose, and contacting the food;
• Associated physical food hazards. Ingredients such as dried goods can be sifted or screened before use to reduce the possibility of foreign matter within the packaged or stored product being transported further into the production process.

Chemical Storage, Segregation and Security

Chemicals used within food businesses must be properly stored and located with insecticides and rodenticides stored separately from cleaning compounds and other chemicals. All chemicals and pesticides must be stored separately from food, food contact surfaces, and single-use and single-service articles. In this context, the term separate does not include storage of toxic chemicals above food, food contact surfaces, single-use, and single-service articles.

The storage of chemicals must also meet local regulatory and environmental protection requirements.

Where necessary, adequate facilities for the storage and handling of food, ingredients, and non-food chemicals including cleaning chemicals, pest control chemicals, lubricants, and other maintenance chemicals must be provided.
Where appropriate, food storage and handling facilities should be designed and constructed to:

• Permit adequate maintenance and cleaning;
• Avoid pest access and harborage;
• Enable food to be effectively protected from contamination during storage and handling;
• Where necessary, provide an environment that minimizes the deterioration of food through controls including temperature and humidity.

The type of facilities required will depend on the nature of the food items being stored and handled by a food business. Where necessary, segregated and secure storage facilities should be provided for cleaning chemicals, pest control chemicals, lubricants, and other maintenance chemicals. Storage facilities for ingredients, packaging, and other materials should also be appropriately secured and adequately ventilated.

Managing Visitors and Contractors

It is paramount to food safety that visitors and contractors behave appropriately when visiting a food manufacturing business. Any visitors and contractors on the premises and their actions are the responsibility of the management.

Visitors and contractors entering a food manufacturing, processing or handling area should, where appropriate, wear protective clothing and adhere to the other personal hygiene provisions in this section. A policy to this effect should be documented, and a copy provided to each contractor and visitor before entering the site.
It is generally considered standard practice for visitors and contractors to be signed into a food business and identified by an appropriate badge or gate pass. A gate pass is a printed document that needs to be filled out by the person who wants to move out of the premises of the organization. Gate pass can be used to authorize the movement of humans, materials, and machines to or from the premises of the organization. It will help to monitor and track all the movements in an organization. Some of the most commonly used gate pass types include ‘Employee Gate Pass’ and ‘Materials Gate Pass.’ A gate pass helps an organization to get a record of the time movement and to track the person responsible for the movement. It can also prevent theft and unauthorized carrying of materials and improve discipline inside the organization. Visitors may also be required to review documented materials relating to food safety and workplace health and safety before admission to critical areas of operation. Depending on the purpose of the visit, visitors, contractors and internal staff not attired appropriately may be required to wear a hygienic outer covering such as a fresh lab coat or full uniform while visiting food production areas. Visitors and contractors should be accompanied by an authorized staff member at all times unless they have conducted appropriate induction training and have passed established medical and security screening protocols.

As elements of established site security protocols, employees of the business should be encouraged through specified training to challenge anyone seen within operational areas of the site if they are not appropriately identified or accompanied by an authorized person.

For higher-risk or larger food businesses, it is common for a Visitor and Contractor induction process to be developed, documented, and implemented to ensure the ongoing compliance of Visitors and Contractors to the food business. This is particularly important where, for example, maintenance contractors are used long-term and are permitted to work unaccompanied within operational areas of the food business. In this context, it is important to consider that Visitors and Contractors, though they are expected to comply with the standard policies and procedures, may not appreciate their legal responsibilities in meeting such requirements.
In instances where, for example, maintenance contractors are used long term, it is also common for re-induction to be scheduled, conducted, and recorded to ensure ongoing compliance with the nominated Visitor and Contractor requirements.

It is also common for labor hire companies to conduct relevant training and induction processes on behalf of the company which they will provide to the temporary staff. In this case, a food business must be using labor supplied through a company responsible for relevant and induction training to verify and validate the facilitation and outcomes of such activities. This is commonly considered as an element of the approved supplier of service provider programs.

Cyber Security Threats

Cyber Security threats typically refer to the possibility of a successful cyber-attack that aims to gain unauthorized access, damage, disrupt, or steal an information technology asset, computer network, intellectual property, or any other form of sensitive data. Cyber Security threats can come from within an organization by trusted users or externally from remote locations by unknown parties.

Cyber Security threats can impact the food supply chain in many ways. Cyber threats could impede the movement of materials and ingredients from suppliers to manufacturers. Shipments from manufacturers to customers could be delayed or re-routed to the wrong locations. A cyber threat could shut down internal systems and even jeopardize the integrity and safety of food products. Cybersecurity processes are critical and essential to keep systems and processes running, food-safe and the supply chain intact. There are many types of cyber threats the food sector needs to be aware of, including:

• Web skimming: Web skimming (also known as e-skimming, card skimming, or Mage cart attacks) refers to cyberattacks in which hackers implant malicious computer code into websites and third-party supplies of digital systems to steal credit card information. Online sales of consumer-packaged goods, especially food, continue to grow and push manufacturers to manage a different value chain than in the past. This trend has forced many of these producers to enter e-commerce sales in addition to selling through retail channels.
• Ransomware: Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever or the ransom increases. Ransomware attacks can result in millions of compromised internal records and customer data. When this happens, manufacturing operations are typically halted, resulting in lower earnings due to lost productivity and sales. Overall, the supply chain becomes interrupted and disconnected. In addition to the disruption of the business that was breached, peripheral businesses and operations are impacted as well. Disruptions to operations and supply chain flow could lead to expired food at all inventory levels, resulting in unnecessary food waste and millions of dollars of lost profit.
• ICS/SCADA Malware: This type of attack breaks into Industrial Control Systems (ICS) and the Supervisory Control and Data Acquisition Systems (SCADA) that run and manage manufacturing facilities. Many ICSs used in the food industry are quite old, highly customized, and were not originally designed with security in place. The focus during these types of attacks is to either bring the factories and operations to a complete halt or contaminate the food supply. This can be done by altering bills of materials and recipes to drastically change ingredient quantities or to add new ingredients to create a toxic product. This vulnerability has been exacerbated in the food industry by manufacturers’ increasing reliance on automated industrial control systems to process, store and manage large product volumes.

If your food business supplies foodstuffs manufactured to a customer’s specifications, it is important to consider any specific Site and Supply Chain Security Management Development requirements in relation to their items.