Since the onset of the pandemic and the subsequent disruptions felt throughout the world, the food, beverage, and retail industries have responded to this challenge admirably by ensuring that shelves were stocked and people could continue to enjoy the food and drink they love, from the comfort of their homes. The industry has also embraced innovation and technologies like never before, not only to meet the growing demand from regulations and consumers but also to deliver increased cost savings brought about by process improvements arising from the use of smart devices, autonomous robots, and sensors.
While this digital transformation has certainly supported some great examples of positive innovation and disruption throughout the industry, it has also highlighted the pressing need to connect the dots between food safety and information security. We have all seen the headlines over the past few years about food, beverage, and retail organizations falling victim to a cybersecurity attack that takes their systems offline, preventing them from functioning, and holds them ransom for a Bitcoin payment.
How Does Food Safety Intersect with Cybersecurity?
This is a question that is frequently asked and understandable throughout the industry. The short answer? Everything.
Consider the consequences a cybersecurity attack on an organization: The attacker has access to everything within the organization that is connected by technology, including HACCP controls, processing temperatures, metal detectors, product labels, and expiration dates. This is now a real food safety risk. The attackers’ intention may not always be economically motivated, and if the organization is unaware of the attack, then allergens can be easily removed from a label, expiration dates altered, critical control points adjusted, and the list goes on. Let us also consider the regulatory consequences to an organization from the loss of control of their operating systems; it would be impossible to access any records or reports if FDA or any other agency requires access to them.
How to Improve Your Food Defense Plans
The first step is understanding the context of food defense, and how it—directly and indirectly—affects all parts of an organization, including the physical security of a facility, the vetting of staff and visitors, IT infrastructure and use of technologies, purchasing and procurement decisions through to food technology, and process engineering. When most organizations introduce their Threat Assessment and Critical Control Points (TACCP) team, who are responsible for their food defense program and plans, it is typically made up of only their food safety and quality colleagues. The challenge is that food defense goes beyond the safety of the product and requires collaboration throughout departments within the organization, including security, human resources, operations, procurement, IT, and marketing.
Your Food Defense Team
You wouldn’t phone your IT colleagues to discuss a food safety risk or regulatory requirement. In the same way, the food safety and quality department(s) are not fielding calls from colleagues to discuss the cybersecurity features of a wireless smart device; however, envision the potential risks and vulnerabilities to an organization in which the food safety and quality department(s) has introduced new smart devices to improve pest control measures, such as a wireless bait box or wireless sensor directly connected to the organization’s central operating systems. This is one real-life example of a food manufacturer that was affected by a cybersecurity attack; the attacker sat in a nearby parking lot and searched for wireless connected devices without sufficient security protection to gain access to an organization and its systems. Would your current food defense team be able to address a risk like that? Knowledge is key to an effective food defense program, and the shared knowledge and experience of a diverse team will empower the organization to protect itself from the growing number of cybersecurity attacks on the food, beverage, and retail industries.
As the food, beverage, and retail industries continue to innovate and embrace new technologies, they must also keep an eye on emerging industry threats, in particular the creative approaches that attackers are adopting to successfully attack food, beverage, and retail organizations. Food safety and quality professionals should know the importance of food defense, what it means, and why it is an essential element of an effective food safety management system.
Coole is director of Americas, food and retail supply chain, at BSI, a standards and regulations organization based in the U.K. Reach him at [email protected] To access BSI’s PAS 96:2017, “Guide to Protecting and Defending Food and Drink from Deliberate Attack,” visit bsigroup.com.