IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Ron Alalouff outlines some of the key aspects of new draft guidance on security in the food and drink industry, published by the ASIS Food Defense and Agriculture Community.
In its introduction, the guide – Physical security guidance for the food and beverage industry to enhance food defense outcomes – states that internal threat sources pose the greatest potential risk to food and drink manufacturers, so the guidance starts from the most sensitive internal areas and works outwards towards the perimeter of a site.
Laboratories are identified as potentially vulnerable areas which need to be secured. For example, labs may contain reagents and other materials that can be used as contaminants. These need to be protected through access control combined with effective inventory control and staff training. Physical security measures needed will vary according to the characteristics of each site, but could include electronic access control to manage entry, lock and key control, cameras, door alarms, door logs, additional supervision, container security (e.g., locked and potentially alarmed chemical storage), colour-coded uniforms to designate work areas, and limiting personal items in the lab.
Mixing and weighing areas – where a substance could be introduced to contaminate food products – are potentially vulnerable. Physical security and access control measures should be implemented and based on site-specific risk assessments. This may vary by site and depends on the production process point, but may include segregated weighing and mixing areas with electronic access control to manage entry and other measures outlined above for laboratories.
CavanImages/AlamyStock
Effective management of visitors is also recommended. Ideally, approval for visitors to access a facility should be obtained at least 24 hours in advance, or at a minimum be approved by a host. Visitors should have to provide some form of official photo ID to validate their identity. Ideally, they should enter via a separate entrance so that their degree of access to the site is controlled until they are met by a host or escort. Visitors should always be escorted and only allowed access to areas where official business is conducted.
Visitors should wear some form of identification which denotes their visitor status, and should not generally be allowed into any area where manufacturing takes place, or where products or ingredients are stored. A visitor log should be maintained for at least 60 days, which contains information on the name of the visitor, the associated firm, the name of the escort(s), areas visited and the time of their arrival and departure.
Management and storage of partial ingredients
Ingredients are usually received in tamper evident packaging so that tampering and contamination can be more easily detected. Sometimes, however, partial ingredient packaging may be present which is a potentially vulnerable point for contamination. Measures to reduce the risk of contamination include:
Storage of partial ingredients in tamper evident containers (e.g. using bins with numbered seals)
Securing partial ingredients in locked storage
Weighing partial ingredients returned to inventory and reweighing them when next brought to mixing, weighing or staging steps in the production process.
Deliveries
All trucks and trailers with supplies, raw materials or finished goods must be sealed until use. If the seal needs to be removed for inspection, a new seal should be applied and documented. Unloading of vehicles carrying raw materials, finished products, ingredients or other materials must be closely supervised. All supervisors must be trained in food defence procedures related to shipping and receiving.
Other than smaller and courier shipments, shipment, loading and unloading activities should be scheduled and monitored. Only scheduled shipments should be accepted, with unscheduled shipments held until authorisation is obtained.
Perimeter security
If a facility chooses to use perimeter fencing, chain-link fencing should be at least 6 feet high using at least 9-gauge wire. Fencing should be galvanised with mesh openings not larger than 2 inches per side and have twisted selvages at the top and bottom. The wire should be taut and securely fastened to rigid metal or reinforced concrete posts set in concrete. The top and bottom of the fence should contain a tension wire that runs horizontally along the entire fence line, to help retain the integrity of the fence. The fencing must reach within two inches of hard ground or pavement. On soft ground, consideration should be given to extending below the surface to compensate for shifting soil or sand.
Fencing would typically include a “top-guard” which is constructed of at least three strands of barbed wire placed at a 45-degree overhang that faces away from the property. The top guard should be continuous and not be omitted from vehicle or pedestrian gates. Walls should be at least 7 feet in height
Access control
Access control should be implemented to monitor and control access of authorised personal into and out of specific locations, while denying access to unauthorised people. It is important that access control systems are properly managed by people with the appropriate level of authority. The objectives of an access control system are to:
Permit only authorised people to enter the facility/specific areas inside
Provide information to site management for the assessment and response to unauthorised attempts at entry
Detect and prevent the entry of contraband (e.g., weapons, contaminants, violations of good manufacturing practices)
Provide an accurate record of who has accessed the facility/area.
Video surveillance
The guidance suggests using fixed cameras over PTZ cameras, which should where possible provide the ability to monitor movement and identity – for example, a fixed camera with a wide-angle view may be used to cover more than one turnstile or lane of traffic. Images need to be at least 40 pixels per foot in the target area of the scene in order to obtain facial recognition from a video image. Other points raised by the guide include:
Frame rate should be at least 15 frames per second for recording purposes
Recorder video should be retained for between 30 and 60 days, bearing in mind the time it might take to discover an incident
Use should be made of day/night camera technology.
Cameras should only be installed after a risk assessment and consistent with where video can have a meaningful impact on risk reduction. The guidance suggests considering employing an independent expert to help identify these needs.
Intrusion detection
The main objectives of intrusion detection systems are to:
Detect an actual or attempted intrusion into a protected space
Provide in-depth protection and response to selected facilities, buildings, assets and operations
Be capable of integration with other physical security systems
Facilitate a response by security personnel, pinpointing where an intrusion has occurred.
Personnel matters
The draft guide states the importance of robust screening of potential employees in order to reduce the risk of sabotage from within. It cites the UK’s PAS 96: 2017 Guide to protecting and defending food and drink from deliberate attack which defines personnel security as “procedures used to confirm an individual’s identity, qualifications, experience and right to work, and to monitor conduct as an employee or contractor”. It goes on to say that these principles are used to assure the trustworthiness of employees, but may also be applied to staff of suppliers as part of the process of vendor accreditation.
Security systems maintenance, inspection and testing
Comments on the draft guidance closed on 15 February 2022. Physical security guidance for the food and beverage industry to enhance food defense outcomes is available here.
EBOOK: Lessons from IFSEC 2023 – Big Tech, Martyn’s Law and Drone Threats
Read IFSEC Insider’s exclusive IFSEC eBook and explore the key takeaways from the 2023 show!
Navigate the impact of Big Tech on access control, gain insights from Omdia’s analysts on video surveillance trends, and explore sessions covering topics like futureproofing CCTV networks, addressing the rising drone threat, and the crucial role of user proficiency in security technology.
There's also an exclusive interview with Figen Murray, the driver behind Martyn's Law legislation.
Guide on food and drink industry security highlights the threat from withinWe outline key aspects of new guidance on security in the food & drink industry published by the ASIS Food Defense and Agriculture Community.
Ron Alalouff
IFSEC Insider | Security and Fire News and Resources
Related Topics
Podcast: Episode 16 – Life as a security professional in Ukraine with Risto Haataja
Dates announced for 2024 Security LeadHER Conference
Crisis management book wins 2023 ASIS Security Industry Book of the Year Award
Access control should be implemented to monitor and control access of authorised personal into and out of specific locations, while denying access to unauthorised people. It is important that access control systems are properly managed by people with the appropriate level of authority. The objectives of an access control system are to: