A Guide To Site Security In The Food Industry   

 

Presented By N.E.M Business Solutions
February 2008.

 

This guidance document is designed as an aid to operators of food establishments (firms that produce, process, store, repack, re-label, distribute, or transport food or food ingredients). Food security for a developed economy like the UK is multi-faceted and complex and various definitions exist. The common themes are: availability of food; access of consumers to affordable, nutritional and safe food; resilience of the food system to significant disruptions, and public confidence in that system.

 Osama

In these times of potential terrorist threats, we all need to consider the risk that our sites are subject to. No matter how unlikely it seems that your site could become the next "9 - 11” an assessment of the risks will at the very least show you customs that you are taking a professional and responsible attitude towards site security. In reality most food production sites are open to as many forms of potential risk as there are people that enter the site.

These threats range from mischievous children to a full-blown bio-terrorism attack. Considerable improvements can be made with relatively little effort or cost.   

 

 

These notes are intended to act as an aid to improving security and is by no means a fully inclusive guide to security.

 

A process called Operational Risk Management (ORM) may help prioritise the preventive measures that are most likely to have the greatest impact on reducing the risk of tampering or other malicious, criminal, or terrorist actions against food. http://en.wikipedia.org/wiki/Operational_risk_management

Benefits of ORM                   

   1. Reduction of operational loss.

   2. Lower compliance / auditing costs.

   3. Early detection of unlawful activities.

   4. Reduced exposure to future risks.

 

 

It is recommends that food establishment operators consider the following points:

 

     If you are in any doubt contact a reliable contractor for help.  

 

Here are a number of points that may help the process:

 

Training in food security procedures.

 

Look for “unusual behaviour”.

 

Records:

You must know who has been on to the site. (The more information the better).

As a minimum you should know the following:

Most bio-terrorism security regulations require food manufacturers, distributors, and logistics companies to establish and maintain records. These records should allow authorities to conduct a trace investigation to protect the food and animal feed supply.

Security verses convenience.

In most cases, greater security leads to greater inconvenience for food manufactures.  

This situation will often lead to employees ignoring or circumventing security measures. Consequently security needs to be a high management priority at all times. The total management team on a site needs to be aware that security does slow things down, especially if the procedures have not been thought through and sensibly integrated into the sites operation. Involve all staff and ensure they know why security is important, security is just an extension of “food safety” and we are all familiar with that.

 

Physical security.  

Fences & Walls

Both walls and fences provide a physical barrier and an excellent first line of defence, helping to deter casual intruders. Children are naturally curious and consequently difficult to stop. The installation of physical barriers will often reduce insurance policy costs.

When protecting perimeter access with fencing or other deterrents, it is important not to forget the necessary openings; doors (including freight loading doors, when not in use and not being monitored, and emergency exits), windows, roof openings / hatches, vent openings, ventilation systems, utility rooms, loft areas, trailer bodies, tanker trucks, railcars, and bulk storage tanks for liquids, solids, and compressed gases.

Security measures may include for example, using locks, "jimmy plates," seals, alarms, intrusion detection sensors, guards, video surveillance. Remember to consult any relevant local fire or occupational safety codes before making any changes. Minimise the number of entrances to restricted areas. Securing bulk unloading equipment (for example, augers, pipes, conveyor belts, and hoses) when not in use is as important as inspecting the equipment before use. Accounting for all keys to establishments (for example, assigning responsibility for issuing, tracking, and retrieving keys) is vital.

Guards

Security guards, offer a considerable boost to any system. However the security staff need to patrol the site and to review CC TV monitors on a regular basis.

Closed Circuit TV systems.

CC TV systems offer a good means of monitoring "out of the way" places. CCTV is rapidly becoming the standard in security installations.  Not just as a crime prevention and deterrent, but also to provide good enough digital images to enable prosecution. Lack of daylight is no barrier as infrared cameras and infrared floodlights are now of sufficiently high quality to produce acceptable and useful images. These “night vision” systems are particularly useful when linked to "motion detection" and tracking systems.

The visibility and obvious nature of large CCTV cameras can act as a deterrent to intruders, however it may be necessary to resort to “Spy Cameras” to detect “nefarious goings on” by apparently legitimate employees.  

General points.

Physical security

 

Security of your Mail

Mail / packages                        

 

Threats

To protect your site you need to know the potential threats.

Operators of food establishments are encouraged to review their current procedures and controls in light of the potential for tampering or other malicious, criminal, or terrorist actions and make appropriate improvements.

 

You need to be aware of the potential means of carrying out the threat:
So consider the means that your product could be contaminated:

 

Computer systems.

Remote access to computer and electronic systems needs to be considered just as carefully as physical access to the site. Remote computer access can be even more difficult to spot than someone climbing over your fence. Specialist help is likely to be needed in order to detect computer intrusion; it is simpler and wiser to invest in protection prior to any problems.

Computer connections come in a variety of “flavours”:

External connections. 
These can be reasonably well protected using secure multi-factor authentication and secure (un-hackable) encrypted connections can be established.

Internal connections 
These  can be more difficult to “police” as the trend for laptop and portable computing grows ever more popular. These trends offer two distinctly different risks; firstly there is the problem of theft and the loss of confidential information and secondly the possibility of the employee unwittingly allowing the laptop to be infected with malicious and nefarious software.

Letting employees connect mobile computers of any variety to the main network needs to be strictly controlled.  

Recording media:
Employees should not normally be allowed to bring recording media onto the site without specific permission. This should cover all forms of transferring computer data, for example USB memory sticks, memory cards, floppy disks, portable hard drives. Remember that cameras, MP3 players, PDA,s and mobile phones can all be used to record and transfer data.

Process control systems.

Computer systems are not limited to office systems, it is common for modern food sites to have a number of control systems that are computerised. These systems are often open to remote access by the manufacturer. These systems are often in direct control of the manufacturing process and the software is often proprietary and complex to interpret. Consequently malicious alterations are unlikely to be spotted by anyone other than an expert.

These systems need to be just as secure as any firms accounting system.

A good source of information can be found at    http://www.grc.com/securitynow.html

 

"Back-up systems"

It is wise to maintain a full and up to date set of "back-up" files for all computer systems. Should disaster strike then "clean copies " of the sites software will be essential in the recovery process. The back-up files should be held on and off site with multiple copies reaching back several weeks would be wise. Computer system offer the opportunity to tamper with a software system and not activate that change until some time later, this means that all software should be validated on a regular basis. This process can be difficult and time consuming, in order to minimise the problem this validation process should be included in the original design brief for any new software. 

 

©2008

N.E.M Business Solutions        Tel / Fax  : 01823 680119     Mobile   07768 981196 

E-mail   neil@nem.org.uk