DEBATE, AND PERHAPS SKULLDUGGERY, are the predominant tactics used during political campaigns, but years ago members of an Oregon religious commune came up with a more nefarious strategy to influence an election: food poisoning. Commune members used salmonella bacteria to contaminate local salad bars in an effort to sicken voters and prevent them from casting ballots. Although no one was killed, more than 750 people became ill and many had to be hospitalized.
Food tampering does not get as much attention as other potential national hazards, but those who work within the nourishment industry are well aware of the risk. Former Secretary of Health and Human Services Tommy Thompson remarked two years ago that he could not comprehend "why the terrorists have not ... attacked our food supply, because it is so easy to do...."
Thompson had voiced similar fears shortly after the September 11,2001, attacks in New York and Washington, D.C., when he told a congressional terrorism panel that he was concerned about the likelihood of terrorists attacking the American food supply by introducing poisons into domestically cultivated crops and livestock.
Terrorists are not the only people who present a potential threat. Others include disgruntled employees or extortionists hoping for a financial settlement from the targeted company.
Some scientists take a contrarian stance on the likelihood or possibility of the food chain being attacked by large-scale assaults such as terrorism. They argue that the known list of chemicals and biological agents that would likely be used in an attack are very easily spread among animals but have little chance of harming a great number of humans. But past examples of food attacks have illustrated that smaller operations can have a profound effect on the industry.
In fact, an attacker doesn't necessarily have to actually harm the food supply to have an economic impact. Even a hoax can be financially devastating to a company. Consider what happened in March 2005, when a female diner at a San Jose, California, Wendy's restaurant claimed that she found a severed finger in her bowl of chili. The report was very quickly revealed to be a hoax in which the woman had hoped to extort money. But by then the incident had already received nationwide press causing a scared public to eat elsewhere. It is estimated that the Wendy's chain lost in excess of $2.5 million.
Prior to 9-11, most regulations in the food industry focused on safety and prevention of accidental or environmentally based contamination. Since then, the U.S. government has focused new attention on the framework for protecting the food supply. What follows is a look at the primary agencies with jurisdiction, the potential types of attackers and means of attacks, and some of the measures now being adopted to counter the threat.
The two main federal agencies that are charged with food security are the Food and Drug Administration (FDA) and the Food Safety and Inspection Service (FSIS). The FSIS, which is a division of the Department of Agriculture, is tasked with protecting the nation's supply of meat, poultry, and eggs, while the FDA, under the direction of the Department of Health and Human Services, protects everything else in the food chain.
Many security practitioners favor consolidation of these entities into one department devoted to food security to eliminate the inherent inconsistencies in having dual agencies. However, that approach has yet to gain the congressional support needed to pass legislation that would restructure the regulatory bodies.
Both of these agencies have had to respond to mandates from Congress and the President to strengthen food safety in the post-9-11 world. Key among these was the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. The law was designed to shore up the authority of the FDA to deal with the grave threat of a terrorist attack against the food supply. It required the FDA to register all food processors and to begin a system of record inspections. In addition, it mandated procedures for the detention of adulterated food and stepped up efforts to ensure the safety of imported food. The bill allocated more than $500 million to help pay for implementation of its mandates.
The first step in countering the threat is identifying potential attackers.
Attackers are categorized in part by their motivation. They desire to cause physical harm, undermine the economy, or spread panic and fear. As you might imagine, this includes far more people than just international terrorists. Another issue is means and method. An attack would not require a large, or even highly skilled, organization.
The FSIS Office of Food Defense and Emergency Response (OFDER) has its own list of potential aggressors. In one category are disgruntled insiders. Typically known as the "unhappy worker," these attackers wish to see the company or industry suffer for the sake of personal revenge. Similarly, protesters pose a threat. There is no shortage of organizations that protest what they perceive as the inhumane or immoral practices of the food industry.
Another top category is criminals. While the common criminal rarely targets food, some extortionists see food companies as potential marks; they can, for example, threaten to ruin their reputation by threatening to taint products on the shelf unless paid not to do so. And finally, there are terrorists, who may see food contamination as an easy way to spread fear and hurt the economy.
Methods of Attack
Records of food sabotage are hard to come by, so security officials have to use isolated incidents as beacons of danger. The most cited example of an attack is the aforementioned Oregon salad bar incident, but in my experience I have been privy to several occasions where employees have threatened--and in some cases achieved--contamination. This is rarely reported.
One incident that came too close for comfort occurred five years ago at a large meatpacking facility in Indiana. It was discovered that a disgruntled employee had introduced nails into hams during the canning process. None of the contaminated hams reached consumers due to an immediate recall, but more than 250,000 pounds of product needed to be pulled from circulation.
There are other examples of what can happen. In 1996, a disgruntled lab employee contaminated a tray of muffins and doughnuts with shigella dysenteriae to show his displeasure with recent company decisions. His attack sent four people to the hospital with serious illnesses. In 2003, a grocery store employee intentionally introduced a nicotine-based pesticide into 200 pounds of ground beef. Afterward, 92 customers reported becoming seriously ill after eating the meat.
Attacks can occur at any point along the chain. But most incidents occur in the processing stage of large-volume products, such as introducing some foreign substance into vast mixing processes. Food-processing facilities are attractive targets because they produce product in large batches; they mix ingredients uniformly; their products have a short shelf life; and there are occasionally inadequate access control measures.
Most of these food products have the risk of affecting a large number of consumers because they are made en masse and are ready to eat, and their short shelf life means that consumers will likely buy the product and consume it before a recall or warning can be issued.
Companies that need to address the problem of food safety are not being left to fend for themselves. In April 2002, the FSIS published a series of guidelines and plans aimed at making food processing more secure. The initial publication--FSIS Security Guidelines for Food Processors--was designed to give those involved in the business of securing food-processing facilities practical tips on how to safeguard against potential attacks. This was followed by additional sets of guidelines concerning the transportation of food products.
In April 2005, the FSIS published model security plans for egg, meat, and poultry facilities. The FSIS is quick to point out that these guidelines are merely advisory and are not mandatory, but many wonder if this is a preview of what may develop into future security regulations (see box).
Most of the techniques contained in the security guidelines and the model security plans are time-tested and universally accepted. The key is how well any individual facility incorporates these guidelines into its own operations.
Security managers with whom I have dealt say the FSIS guidelines are the most practical and realistic steps taken by the government, and they would like to see more from the government along these same lines. They already follow the FSIS recommendation that entry into establishments should be controlled by requiring positive identification such as picture IDs, or sign-in and sign-out at security or a reception desk. They also follow the stipulation that a company should establish and enforce a policy on what personal items may and may not be allowed inside the plant and within production areas.
However, managers tell me the FSIS guidelines sometimes do not go far enough. They want more intelligence sharing with the federal government. They also want the government to tell them where the threats are coming from, what they consist of, and what to look out for.
Likewise, the techniques offered by the FSIS are only as good as their integration into a particular facility and corporate security model. They are seen as impractical at times because they are not flexible enough to be adapted by operations of different sizes and types. While one particular set of guidelines may work well in a small egg-processing facility, it may actually have an adverse security effect in a large poultry-processing operation.
A good example is the ice-production area of such a poultry facility. According to the FSIS, in-plant icemaking equipment and ice storage facilities should have controlled access. Therein lies the rub: virtually every person who works in the processing center has to have access to the entire operation, so the question is, who gets barred from the wide-open ice storage, packaging, and finished product areas? Smaller operations have it easier: bulk storage and processing areas can be easily locked and guarded because there is simply less space to account for.
Back to basics. To its credit, the FSIS recognizes that the most effective solutions are often the simplest. That is what I counsel clients as well. Number one on the list is what every security program begins and ends with: access control.
I have performed many security assessments and facility surveys for food processing companies, and the experience has taught me time and again that risk is easily mitigated via solid access control. One facility I recently visited had no means of employee identification, no means of vehicle identification, and virtually no method of screening visitors. All around the building and grounds there were no signs of fencing, cameras, or even strategically locked doors to prevent access to sensitive areas. Obviously this facility was unprepared to deter or detect an attack on its food processing plant.
The problem here was not the effectiveness of the FSIS guidelines, but how seriously plant managers and owners took them. Too often, I encounter businesspeople who do not realize the importance of security. In the case of the facility I visited, the plant manager with whom I talked told me he did not see access control as a priority because he could not perceive any egregious threats.
Other on-site officials at the facility were concerned and asked me how they could better guard against intentional contamination. I told them to immediately institute a comprehensive system to include employee badges, the screening of vehicular traffic, and electronic security placed throughout the facility to ensure that access to sensitive areas is limited.
I also recommended background checks on employees, which are becoming more common in the food service industry. Furthermore, video surveillance in production areas is always welcome. I added the need for employee education, which my firm emphasizes as important. Staffers need to be empowered to believe they are part of a team and to be put on notice regarding what to watch out for. They need to be told where to report any suspicious activity. As the FSIS states, employees should be encouraged to report any tampering with foodstuffs. The enemy within is one of the food service industry's biggest concerns.
During my assessments, other FSIS points come to the fore. No visitors should be allowed to walk around the premises unaccompanied by a plant official. The plant perimeter should be monitored for signs of suspicious activity or unauthorized entry. As well, a policy should be enforced as to what personal items should be allowed. For instance, cell phones should be banned in production areas because they now have cameras that can document weaknesses.
The facility just mentioned took this advice to heart, and since my visit it has installed several elements contained in the FSIS guidelines as a model for its security program. We helped it set up a food security plan, one facet of which was how to report food tampering. Another angle involved the implementation of an identification system for all employees featuring a picture ID. Another requirement was the restriction of guests and visitors to a specific reception area, rather than allowing them to enter the plant through the main entrance.
Additionally, restrictions were placed on personal items permitted in the plant, and bag checks were put in place. As per our instructions, the facility's perimeter will be beefed up with additional fencing. Surveillance cameras will be installed on the production line and the perimeter.
The last two items were harder to sell to management because of their expense. Most of the security measures that I recommend are not very expensive, but cameras, sensors, and guards at entries and exits are more costly, and businesses may balk at them if they are in a down phase.
Another potential obstruction to implementing security measures is the human element: staffers, particularly those who are veterans of a facility, can take offense at being required to furnish identification overnight. The bottom line is that they have to be educated as to the importance of security at their plant.
The confidence the public has in our country's food supply is well placed, but extremely fragile. It would take no more than a single event to shake it for years to come. By employing commonsense methods, we can help to ensure that such a day never comes.
Eddie Sorrells, CPP, is chief operating officer and general counsel for Dothan, Alabama-based DSI Security Services. He has more than 15 years of security and investigative experience and has conducted hundreds of seminars and security surveys.
BY EDDIE SORRELLS, CPP
RELATED ARTICLE: KEY PRINCIPLES OF FOOD SECURITY
A food security plan using established risk management principles should be developed and implemented. The plan should include procedures for handling threats and actual cases of product tampering as well as an evacuation plan for each facility.
* Food security inspections of the facility should be conducted regularly by plant officials to verify key provisions of the plan.
* All employees should be encouraged to report any sign of possible product tampering or break in the food security system.
* Integrity of the plant perimeter should be monitored for any signs of suspicious activity or unauthorized entry.
* Doors, windows, roof openings, vent openings, trailer bodies, railcars, and bulk storage tanks should be secured (as by locks, seals, and sensors) at all times.
* Entry into establishments should be controlled by requiring positive identification (such as picture IDs, sign-in and sign-out at security or reception).
* Truck deliveries should be verified against a roster of scheduled deliveries. Unscheduled deliveries should be held outside the plant premises, if possible, pending verification of shipper and cargo.
* Restricted areas inside the plant should be clearly marked as such and appropriately secured.
* Visitors, guests, and other nonplant employees (such as contractors, salespeople, or truck drivers) should be restricted to nonproduct areas unless accompanied by an authorized plant representative.
* A program should be in place to ensure the identification, segregation, and security of all products involved in the event of deliberate product contamination.
* All outgoing shipments should be sealed with tamper-proof, numbered seals that are included on the shipping documents.
* Wells, potable water tanks, and icemaking equipment should be secured from unauthorized entry.
* In-plant icemaking equipment and ice storage facilities should have controlled access.
* A system of positive identification of all plant employees should be in place.
* New hires (seasonal, temporary, permanent, and contract workers) should be subjected to background checks before hiring.
* The plant should establish and enforce a policy on what personal items are and are not allowed inside the plant and within production areas.
RELATED ARTICLE: SYNOPSIS
Prior to 9-11, most regulations in the food industry focused on safety and prevention of accidental or environmentally based contamination. Since then, the U.S. government has focused new attention on the framework for protecting the food supply. Among the threats to grapple with are disgruntled employees, preconceived hoaxes designed to elicit a quick and substantial financial settlement, terrorism, criminals, and subversives. The question is how best to thwart intentional foodchain attacks that could cause enormous physical suffering, as well as crippling economic damage.
The private sector has taken some voluntary steps toward boosting food security by, for example, improving access controls at food processing plants. Likewise, there are many government regulations in place that are mandatory for companies to employ and that provide a valuable contribution towards overall food security. Among them is the Hazard Analysis Critical Control Points (HACCP) system that is mandated across the seafood and juice sectors by the Food and Drug Administration, and throughout the meat and poultry areas by the U.S. Department of Agriculture.
Protecting the food industry is often a matter of using common sense and caution from the harvest right through to the consumer's plate. If basic principles are adhered to, many threats that lurk within the industry can be staved off.