A Guide To Site Security In The Food Industry   

Presented By N.E.M Business Solutions
February 2008.

This guidance document is designed as an aid to operators of food establishments (firms that produce, process, store, repack, re-label, distribute, or transport food or food ingredients). Food security for a developed economy like the UK is multi-faceted and complex and various definitions exist. The common themes are: availability of food; access of consumers to affordable, nutritional and safe food; resilience of the food system to significant disruptions, and public confidence in that system.

In these times of potential terrorist threats, we all need to consider the risk that our sites are subject to. No matter how unlikely it seems that your site could become the next "9 - 11” an assessment of the risks will at the very least show you customs that you are taking a professional and responsible attitude towards site security. In reality most food production sites are open to as many forms of potential risk as there are people that enter the site.

These threats range from mischievous children to a full-blown bio-terrorism attack. Considerable improvements can be made with relatively little effort or cost.   

These notes are intended to act as an aid to improving security and is by no means a fully inclusive guide to security.

A process called Operational Risk Management (ORM) may help prioritise the preventive measures that are most likely to have the greatest impact on reducing the risk of tampering or other malicious, criminal, or terrorist actions against food. http://en.wikipedia.org/wiki/Operational_risk_management

Benefits of ORM                   

   1. Reduction of operational loss.

   2. Lower compliance / auditing costs.

   3. Early detection of unlawful activities.

   4. Reduced exposure to future risks.

It is recommends that food establishment operators consider the following points:

• Preparing for the possibility of tampering or other malicious, criminal, or terrorist actions by assigning responsibility for security to knowledgeable individual(s).
• Conducting an initial assessment of food security procedures and operations, (we recommend this is kept confidential).
• Having a security management strategy to prepare for and respond to tampering and other malicious, criminal, or terrorist actions. Both threats and actual events, including identifying, segregating and securing affected product.
• Planning for emergency evacuation, including preventing security breaches during the evacuation. 
• Maintaining any floor or flow plan in a secure, off-site location.
• Becoming familiar with the emergency response system in the local area.
• Making management aware of 24-hour contact information for local, government, police, fire, rescue, and health agencies.
• Making staff aware of who in management they should alert about potential security problems (24-hour contacts)
• Promoting food security awareness to encourage all staff to be alert to any signs of tampering or other malicious, criminal, or terrorist actions.
• Promoting food security awareness to encourage all staff to be alert to areas that may be vulnerable to such actions.
• Reporting any findings to identified management (for example, providing training, instituting a system of rewards, building security into job performance standards).
• Having an internal communication system to inform and update staff about relevant security issues.
• Having a strategy for communicating with the public (for example, identifying a media spokesperson, preparing generic press statements and background information, and coordinating press statements with appropriate authorities).
• Providing an appropriate level of supervision to all staff, including cleaning and maintenance staff, contract workers, data entry and computer support staff, and especially, new staff.
• Conducting routine security checks of the premises, including automated manufacturing lines, utilities and critical computer data systems for signs of tampering or malicious, criminal, or terrorist actions.
• Have a recall strategy, identifying the person responsible, and a backup person providing for proper handling and disposition of recalled product.
• Identifying customer contacts, addresses and phone numbers, these should be held on and off site.
• Investigating threats or information about signs of tampering or other malicious, criminal, or terrorist actions.
• Alerting appropriate law enforcement and public health authorities about any threats of or suspected tampering or other malicious, criminal, or terrorist actions.
• Evaluate the lessons learned from past tampering or other malicious, criminal, or terrorist actions and threats.
• Review and verifying, at least annually, the effectiveness of the security management program, (for example, using knowledgeable in-house or third party staff to conduct tampering or other malicious action exercises and mock recalls). Revising the program accordingly, and keeping this information confidential.
• Perform random food security inspections of all appropriate areas of the facility (including receiving and warehousing, where applicable) using knowledgeable in-house or third party staff, and keeping this information confidential.
• Verifying that security contractors are doing an appropriate job, when applicable.

     If you are in any doubt contact a reliable contractor for help.  

Here are a number of points that may help the process:

Training in food security procedures.

• It is vital that staff on a site are all aware of the potential risks, this makes training of paramount importance. The training should include food security awareness, including information on how to prevent, detect, and respond to tampering or other malicious, criminal, or terrorist actions or threats.

• All staff should be trained including seasonal, temporary, contract, and volunteer staff.

• Provide periodic reminders of the importance of security procedures (for example, scheduling meetings, providing brochures).

• Encourage staff support (for example, involving staff in food security planning and the food security awareness program, demonstrating the importance of security procedures to the staff).

Look for “unusual behaviour”.

• This may indicate any number of problems and should not be ignored or disregarded. Watch for unusual or suspicious behaviour by staff. For example, staff who, without an identifiable purpose, stay unusually late after the end of their shift or arrive unusually early. Staff gaining access files and information that are not related to their work.  Staff that gain access to areas of the facility outside of the areas of their responsibility. Take note of staff removing documents from the facility; asking questions on sensitive subjects; bringing cameras to work.

Records:

You must know who has been on to the site. (The more information the better).

As a minimum you should know the following:

• Who

• When

• Why

• Company

• Brief medical information.

Most bio-terrorism security regulations require food manufacturers, distributors, and logistics companies to establish and maintain records. These records should allow authorities to conduct a trace investigation to protect the food and animal feed supply.

Security verses convenience.

In most cases, greater security leads to greater inconvenience for food manufactures.  

This situation will often lead to employees ignoring or circumventing security measures. Consequently security needs to be a high management priority at all times. The total management team on a site needs to be aware that security does slow things down, especially if the procedures have not been thought through and sensibly integrated into the sites operation. Involve all staff and ensure they know why security is important, security is just an extension of “food safety” and we are all familiar with that.

Physical security.  

Fences & Walls

Both walls and fences provide a physical barrier and an excellent first line of defence, helping to deter casual intruders. Children are naturally curious and consequently difficult to stop. The installation of physical barriers will often reduce insurance policy costs.

When protecting perimeter access with fencing or other deterrents, it is important not to forget the necessary openings; doors (including freight loading doors, when not in use and not being monitored, and emergency exits), windows, roof openings / hatches, vent openings, ventilation systems, utility rooms, loft areas, trailer bodies, tanker trucks, railcars, and bulk storage tanks for liquids, solids, and compressed gases.

Security measures may include for example, using locks, "jimmy plates," seals, alarms, intrusion detection sensors, guards, video surveillance. Remember to consult any relevant local fire or occupational safety codes before making any changes. Minimise the number of entrances to restricted areas. Securing bulk unloading equipment (for example, augers, pipes, conveyor belts, and hoses) when not in use is as important as inspecting the equipment before use. Accounting for all keys to establishments (for example, assigning responsibility for issuing, tracking, and retrieving keys) is vital.

Guards

Security guards, offer a considerable boost to any system. However the security staff need to patrol the site and to review CC TV monitors on a regular basis.

Closed Circuit TV systems.

CC TV systems offer a good means of monitoring "out of the way" places. CCTV is rapidly becoming the standard in security installations.  Not just as a crime prevention and deterrent, but also to provide good enough digital images to enable prosecution. Lack of daylight is no barrier as infrared cameras and infrared floodlights are now of sufficiently high quality to produce acceptable and useful images. These “night vision” systems are particularly useful when linked to "motion detection" and tracking systems.

The visibility and obvious nature of large CCTV cameras can act as a deterrent to intruders, however it may be necessary to resort to “Spy Cameras” to detect “nefarious goings on” by apparently legitimate employees.  

General points.

Physical security

• Monitoring the security of the premises using appropriate methods (for example, using security patrols [uniformed and/or plain-clothed], video surveillance).
• Minimising, to the extent practical, places that can be used to temporarily hide intentional contaminants (for example, minimising nooks and crannies, false ceilings).
• Provide adequate interior and exterior lighting, including emergency lighting, where appropriate, to facilitate detection of suspicious or unusual activities.
• Implement a system of controlling vehicles authorised to park on the premises (for example, using placards, decals, key cards, keyed or cipher locks, issuing passes for specific areas and times to visitors' vehicles).
• Keeping parking areas separated from entrances to food storage and processing areas and utilities, where practical.

Security of your Mail

Mail / packages                        

• Implement procedures to ensure the security of incoming mail and packages (for example, locating the mailroom away from food processing and storage areas, securing the mailroom, visual or x-ray mail screening, metal detection)

Threats

To protect your site you need to know the potential threats.

Operators of food establishments are encouraged to review their current procedures and controls in light of the potential for tampering or other malicious, criminal, or terrorist actions and make appropriate improvements.

• Animal rights

• Blackmail

• Accidental contamination

• Disgruntled staff or ex-staff

You need to be aware of the potential means of carrying out the threat:
So consider the means that your product could be contaminated:

• Direct addition to the product.

• Cleaning In Place  systems.

• Detergents & Sanitisers.

• Water added as an ingredient.

• Air purges

• Pigging systems.

• Water supplies and distribution systems are particularly vulnerable,
  (Mains, borehole, rivers and stream, recovered or reused water, wells, hydrants).

• Water storage and handling facilities, including repair and Legionella cleaning contractors.

Computer systems.

Remote access to computer and electronic systems needs to be considered just as carefully as physical access to the site. Remote computer access can be even more difficult to spot than someone climbing over your fence. Specialist help is likely to be needed in order to detect computer intrusion; it is simpler and wiser to invest in protection prior to any problems.

Computer connections come in a variety of “flavours”:

External connections. 
These can be reasonably well protected using secure multi-factor authentication and secure (un-hackable) encrypted connections can be established.

Internal connections 
These  can be more difficult to “police” as the trend for laptop and portable computing grows ever more popular. These trends offer two distinctly different risks; firstly there is the problem of theft and the loss of confidential information and secondly the possibility of the employee unwittingly allowing the laptop to be infected with malicious and nefarious software.

Letting employees connect mobile computers of any variety to the main network needs to be strictly controlled.  

Recording media:
Employees should not normally be allowed to bring recording media onto the site without specific permission. This should cover all forms of transferring computer data, for example USB memory sticks, memory cards, floppy disks, portable hard drives. Remember that cameras, MP3 players, PDA,s and mobile phones can all be used to record and transfer data.

Process control systems.

Computer systems are not limited to office systems, it is common for modern food sites to have a number of control systems that are computerised. These systems are often open to remote access by the manufacturer. These systems are often in direct control of the manufacturing process and the software is often proprietary and complex to interpret. Consequently malicious alterations are unlikely to be spotted by anyone other than an expert.

These systems need to be just as secure as any firms accounting system.

A good source of information can be found at    http://www.grc.com/securitynow.html

"Back-up systems"

It is wise to maintain a full and up to date set of "back-up" files for all computer systems. Should disaster strike then "clean copies " of the sites software will be essential in the recovery process. The back-up files should be held on and off site with multiple copies reaching back several weeks would be wise. Computer system offer the opportunity to tamper with a software system and not activate that change until some time later, this means that all software should be validated on a regular basis. This process can be difficult and time consuming, in order to minimise the problem this validation process should be included in the original design brief for any new software. 

©2008

N.E.M Business Solutions        Tel / Fax  : 01823 680119     Mobile   07768 981196 

E-mail   neil@nem.org.uk