Food Chain Security: Getting Back to the Basics

Identify your most likely adversary and take the proper steps.

Cyber Security Cybersecurity Device 60504

In a recent discussion, a friend told me he was concerned that his military unit was so busy with the ongoing daily mission requirements that they had forgotten some of the basics that originally made the unit so effective. The military frequently calls this problem “firefighting,” which means having to deal with the myriad of problems that crop up while on mission. I asked myself if the same thing is happening in the civilian world. Are companies today so busy firefighting—putting out fires needing immediate attention—that they lose track of their core mission?

We have to fix the problem by quickly refocusing on our core mission, which is to provide a safe, secure, wholesome and economical food supply. Focusing on this core mission is important not only to assure that companies in the food chain survive and are profitable, but focusing on our core mission is also important for the safety and security of our nation. Failure in the food chain is not an option. Like my friend said, “It is time we go back to school and focus on the fundamentals.”

Domain Basics: Food Supply 101 

Agriculture and the food supply are a continuum, a system of systems, each of which must function properly so food products can be delivered to the consumer in a timely and cost- effective manner. The buying public assumes their food will be free of pathogens, chemicals, harmful materials (such as metal and glass), or radiological contaminants. Contamination can occur naturally, due to accident or intentionally. The focus here is on intentional contamination and adulteration.

Contamination can occur at any stage of production, transportation, processing, warehousing and delivery. The Food Safety Modernization Act (FSMA) lays out rules focusing on intentional contamination in processing plants. Those rules are an important first step. Food products, however, often spend more time outside the processing plant than inside. The implications should not be overlooked.

The first thing to remember is that adversaries generally desire to remain hidden until ready to act. This usually means you don’t know you have a problem until it is manifested. “Target acquisition” takes time, involving planning and preparation. Adversaries seek “dwell time,” meaning an extended period close to their target to plan before they act.

Seeking to avoid detection, adversaries seek points of least resistance. As security managers will tell you, your defenses don’t have to be completely impenetrable; they just have to be better than your neighbor’s. As food processing plants increase their defenses, adversaries will likely migrate toward other, lesser defended vulnerabilities. Logistical systems and services could be that more vulnerable target.

Although efforts to make logistics more secure are ongoing, capabilities differ from company to company. Logistical systems and services are very different from processing plants in that large portions are mobile. A semi-truck filled with food products can move long distances before those products are delivered to the customer. That means security systems at every phase of movement have to be effective. Security has to be a continuum, perhaps hundreds of miles long and very different from security in a warehouse or distribution center.

Predictions of future events are always fraught with error. Given that caveat, it appears probable that at least one or two categories of adversaries will focus more attention on targeting logistical infrastructure and services and less on fixed structures.

Who are Your Adversaries?

Adversaries, sometimes called threat actors, come in many guises. Of most immediate concern are disgruntled employees (you know you have them) with access to your facilities, vehicles and systems. These are the people “inside your wire” who know your vulnerabilities—the chinks in your armor.

 Rule No. 1: Worry first about your employees and your contractors, the people who are “inside your wire.” How do you properly respond to threat actors from within? When I talk to food companies, I ask, “If something bad happened today, do you have an employee you would consider likely to be involved?” Invariably, the answer is “Yes.” My follow up question: “Why do you retain them as an employee?”

At this point, the color has usually drained from the HR manager’s face. “We can’t just fire them, or we’ll get sued…,” is the usual answer. Usually, I ask why a problem employee can’t be fired. At this point, the people present usually start to squirm.

Ignoring a problem does not make it go away. Liability is seldom diminished by choosing not to act, which may in fact increase company liability. Knowing you have a problem and ignoring it is often perceived by the courts as being far worse than not knowing you had a problem in the first place. Remember also that intentionally not documenting a problem you know you have could be used as evidence of criminal conspiracy. People talk and others hear it. Intentionally choosing to not document a problem does not mean no one knows the problem exists.

Company and Personnel Impacts

Imagine a potential worst-case scenario. In this hypothetical case, we’ll say an employee is potentially violent—they haven’t acted out, but there are indications they might. The worst-case scenario is seeing such a threat realized, so let’s get real for a moment. The wrong response to a known or suspected violent threat actor could mean innocent people will be hurt or killed. This very scenario has unfortunately played out too many times in recent years. Companies frequently don’t survive the litigation from victims’ families and the negative publicity associated with violent attacks. Survivors in the El Paso, Texas, Walmart mass shooting have brought suit, blaming the company for not having armed guards. If that suit prevails, the impact will be significant.

Very serious scenario. In this hypothetical case, a problematic employee decides to adulterate the food passing through your company’s link of the food chain. These adulterated products could cause people to get sick or die. When that happens, this very serious scenario turns to a worst case. Regardless of the outcome, litigation would be inevitable. The costs of containment, recovery of food products and remediation would also be significant.

Serious scenario. Let’s say another problematic employee decides to hurt your company in a different way. This employee is not violent, but is malicious and starts a rumor on social media (food products have been “…poisoned…”), which also can be destructive to your company’s brand. Once started, a rumor is hard to tamp down, since a negative is difficult to disprove. Any threat or rumor associated with a potentially compromised food chain must be taken very seriously by companies, and acted upon expeditiously and effectively.

Both scenarios are beyond the capability of even the largest companies to handle alone. Never seek to hide the problem! Law enforcement must be engaged early. Proper responses are expedited where trusted relationships already exist. Executives are often skeptical about opening their doors to law enforcement before events occur. I can, however, cite countless examples when a small investment of time (to inform law enforcement about company products, facilities, systems and policies) has paid important dividends. Trust me—you really do want the cell phone numbers of law enforcement officials.

Blowback. Let’s look at a related problem. Suppose you are an independent contractor, providing logistical services to a food company. Do you think a food company will sign a new contract with your company if there is a security failure (e.g., an intentional contamination event) in your system or services that causes a blowback on them? Or, suppose you are the logistical arm of an integrated food company, and an insider threat results in an actual breach in the safety and security of your food products. The CEO and the board are likely to respond, “You let this happen!” That would not be a good day. 

Neutralizing the Threat Actor

Once you have identified a problem employee, we will assume you and your company will choose to act. So what is your next step? If the employee is newly problematic and is not violent, try to remediate and de-escalate the problem. Problem employees often just want their concerns and criticisms to be heard, and sometimes letting them vent to their immediate supervisors is the best first option. Whatever you do from this point on, however, make sure you document everything!

If the employee has been a chronic problem, you should already have documentation. If not, begin documentation immediately! If a threshold has been passed by the level or frequency of problems with the employee, strongly consider termination. And yes, employees can be terminated, as long as documentation supports the decision. You, your company or both may indeed end up in litigation, but sometimes this is just a cost of doing business.

If termination is not an option, manage the problem by putting the employee in a location or position where they cannot act out their anger in a way that could negatively affect the company. Problematic employees should never be put in locations critical to the safety and security of food products moving through your system, nor should they have access to critical systems. Moving an employee to a different and less critical position or location can at times cause an escalation of risk, because limiting access can be perceived by the employee as a first step in eventual termination. Proper personnel management is critical whenever changes to personnel access of facilities and systems occurs.

 Employees escalating toward violence. Now let’s look at a more serious threat actor—someone who appears to be a real threat to the security and safety of fellow employees. Warning signs may vary, but usually include verbal or written threats, heated arguments and possibly physical altercations with supervisors or fellow employees. These threat actors and activities cannot be ignored and must be acted upon immediately. It is imperative to involve the police, and termination of employment should be mandatory. Understand clearly, however, that the threat level has just increased dramatically. Your company’s next steps must be flawless.

An employee who is to be terminated should immediately be escorted off company property. Several layers of supervisors should be involved in the escort. And, law enforcement personnel should be part of the escort team if the perceived threat potential merits their involvement. Company policies differ. Some will allow the fired employee to retrieve personal belongings, while other companies retrieve personal belongings and give them to the fired employee. In either case, everything should be documented, potentially including video recording.

Keys or passes should be recovered as part of out-processing. Security portals should also be updated to automatically reject the former employee’s credentials. The individual should be escorted to his or her vehicle as quickly as possible. Along with termination papers, the fired employee should receive a document indicating that any return to company property will result in arrest and prosecution. All security personnel and employees working in reception areas should be immediately informed of the termination and given a photo of the fired employee. They should be instructed to immediately call the police if this person seeks to return to a company’s properties.

 Fired employees should be considered as significant potential threat actors. There are countless examples of fired employees seeking revenge on company managers and personnel. The most recent example of vengeance killing was perpetrated by Seth Ator, who shortly after being terminated opened fire on the police and public in Midland and Odessa, Texas on August 31. As he cruised around town he fired randomly, killing seven and wounding 22. It is difficult to predict how long such a threat will persist, since people differ in their anger and responses to being fired. Where mental pathology exists, the danger period can be protracted. At a minimum, company security should remain at a heightened level for weeks to months if a fired employee showed signs of violent tendencies.

Given the importance of maintaining a safe and secure food supply, all food chain facilities and systems should have robust security technology. Access control is essential, even to the extent that employee access is granted only on a need-to-enter basis. If certain categories of employees do not need access to certain facilities, they should be excluded. Security camera systems are not a panacea. Cameras document that an event has occurred, but they do not prevent it from occurring unless someone continually monitors that camera feed. In most food companies, continual monitoring is not an option.