A Generic Amendment for Food Defense
High-risk food processing facilities are typically multi-certified under ISO/FSSC 22000, BRC, or SQF, often alongside non-food standards such as ISO 9001 or ISO 14001, and already maintain robust food defense procedures against intentional contamination of food products, as the mandatory clauses of those standards and regulations require. However, increasingly connected plant technology has introduced cybersecurity risks to the integrity and safety of food processing operations that those standards do not directly address: the risks are new to the industry and still evolving, and the standards that do cover them would require certifying the plant against yet another scheme. Every added standard raises the cost of the product, bringing more paperwork, additional staff, and more audits, and makes compliance work more complex and burdensome for the site.
On the other hand, cybersecurity experts warn that cyber-enabled food crime is no longer hypothetical. Forecasts describe organized cyber threats reaching into the food industry, from corporate espionage to malicious tampering with production. While the U.S. FDA's 2011 Food Safety Modernization Act (FSMA) brought significant reforms, including mandatory food defense plans, the legal landscape still falls short on cybersecurity breaches. Joseph Pelukas, Senior Director of IT Security at NSF, describes ransomware as the most consequential cybercrime both in the U.S. and globally. FBI Internet Crime Complaint Center (IC3) statistics show a 65% increase in identified global exposed losses between July 2019 and December 2021 (a figure the FBI reported for business email compromise). Rhia Dancel, Information Security Lead at NSF, stresses the role of senior leadership in building a culture of information security within food manufacturing companies: when information security is prioritized at the management level, that priority cascades through the entire organization and strengthens its defenses against cyber threats.
Hence it is important to have a custom-built addition to the food safety system that addresses these issues without adopting a new compliance scheme: adding a procedure or an amendment to the existing system saves the food safety team a great deal of extra work. Cybersecurity risks must still be addressed comprehensively so that the facility is protected against threats that could compromise the safety and security of its products, but this can be done without certifying the site against a further standard such as ISO 27001. The following amendment clauses are intended to strengthen the existing food defense program of a facility certified under ISO/FSSC 22000, BRC, or SQF, focusing specifically on cybersecurity, without adding unnecessary complexity. They are written to satisfy generic requirements of both cybersecurity and food safety, so they can be copied into your system with little or no editing or customizing.
This amendment recognizes the critical need to address cybersecurity risks in high-risk food processing facilities by integrating specific cybersecurity measures into the existing food defense program. The industry also recognizes the need for trained, technically competent personnel who combine cybersecurity skills with extensive food safety experience to implement these measures, including the use of playbooks, authentication and verification methods, the NIST Cybersecurity Framework, prevention strategies for high-risk processing areas, and protection of electronic and digital assets.
Integration of Cybersecurity into Food Defense Procedures
Incorporation of cybersecurity considerations into the existing food defense risk assessment process to identify potential cyber threats that could impact food safety and integrity.
Integration of cybersecurity controls and mitigation strategies into the facility's food defense plan, ensuring alignment with existing (ISO/FSSC 22000, BRC, or SQF) standards and requirements.
Collaboration with IT security experts or cybersecurity consultants to leverage specialized expertise in developing and implementing cybersecurity measures tailored to the unique needs and challenges of food processing operations.
High-risk food processing facilities shall conduct a comprehensive assessment of their cybersecurity vulnerabilities and threats, considering factors such as network security, data protection, access controls, and vulnerability management.
Implementation of appropriate cybersecurity controls and safeguards to protect critical systems and infrastructure from unauthorized access, data breaches, malware, and other cyber threats.
Adoption of secure communication protocols and encryption techniques to ensure the confidentiality and integrity of sensitive data transmitted within the facility's network.
Establishment of incident response protocols and procedures to effectively detect, respond to, and recover from cybersecurity incidents, including data breaches or cyberattacks.
Regular cybersecurity training and awareness programs for employees to enhance their understanding of cybersecurity risks and best practices for mitigating them.
Implementation of Cybersecurity Playbooks
High-risk food processing facilities shall develop cybersecurity playbooks tailored to their operational environment, outlining step-by-step procedures for preventing, detecting, and responding to cyber threats.
These playbooks should include detailed protocols for incident response, data breach containment, system recovery, and communication strategies to ensure swift and effective response to cyber incidents.
Authentication and Verification Methods
Implementation of multi-factor authentication (MFA) for accessing critical systems and sensitive data, including biometric authentication, smart cards, or one-time passwords.
Adoption of role-based access controls (RBAC) and the principle of least privilege to limit access based on job responsibilities, ensuring that employees have access only to the information and systems necessary for their roles, and that permissions are reviewed and withdrawn when no longer needed.
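The two clauses above name MFA, RBAC and least privilege but not how they combine at the moment an access request is decided, or how a least-privilege review is carried out against real usage. The following Python is an added example written for this page, not code from the original or from any certification scheme; the role names, resources, users and access-log lines are assumptions made up for illustration.

```python
"""Added example (not from the original page): an access-decision function
that combines role-based access control, least privilege and a mandatory
second factor for critical plant systems. Role names, resources, users and
the access-log lines below are constructed for illustration."""
from dataclasses import dataclass

# Role -> permissions as (resource, action). Nothing is granted by default,
# so a role carries only what that job actually needs (assumed role design).
ROLE_PERMISSIONS = {
    "line_operator": {("hmi", "view"), ("hmi", "acknowledge_alarm")},
    "control_engineer": {("hmi", "view"), ("plc_program", "read"),
                         ("plc_program", "write")},
    "quality_lab": {("lims", "read"), ("lims", "write")},
    "it_helpdesk": {("workstation", "reset_password")},
}

# Systems whose compromise can directly affect product safety: access to them
# requires a verified second factor regardless of the caller's role.
CRITICAL_RESOURCES = {"hmi", "plc_program"}


@dataclass(frozen=True)
class Request:
    user: str
    roles: tuple           # roles assigned to the user
    resource: str
    action: str
    mfa_verified: bool     # set by the authentication layer, not by the caller


def permissions_for(roles):
    """Union of the permissions granted by the given roles; unknown roles grant nothing."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def decide(req):
    """Return (allowed, reason). Default is deny. The RBAC check runs first so
    an MFA failure is never reported for an action the role could not take anyway."""
    if (req.resource, req.action) not in permissions_for(req.roles):
        return False, "no assigned role grants this permission"
    if req.resource in CRITICAL_RESOURCES and not req.mfa_verified:
        return False, "second factor required for critical resource"
    return True, "permitted"


def unused_permissions(user, roles, access_log):
    """Least-privilege review: permissions the user's roles grant that the user
    never exercised in the access log. Constructed log format: 'user resource action'."""
    used = set()
    for line in access_log:
        who, resource, action = line.split()
        if who == user:
            used.add((resource, action))
    return permissions_for(roles) - used


# Constructed sample log: an operator who also holds a lab role she never uses.
SAMPLE_LOG = [
    "ana hmi view",
    "ana hmi acknowledge_alarm",
    "ana hmi view",
    "cat lims write",
]

if __name__ == "__main__":
    print(decide(Request("ana", ("line_operator",), "hmi", "view", True)))
    print(decide(Request("ana", ("line_operator",), "hmi", "view", False)))
    print(decide(Request("ana", ("line_operator",), "plc_program", "write", True)))
    print(sorted(unused_permissions("ana", ("line_operator", "quality_lab"), SAMPLE_LOG)))
```

The order of the checks matters: evaluating the role first means a denied response never reveals whether a second factor would have sufficed, and the review function gives the food safety team concrete grants to withdraw rather than a generic instruction to "apply least privilege".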
Utilization of the NIST Cybersecurity Framework
High-risk food processing facilities shall leverage the NIST Cybersecurity Framework as a guideline for developing, implementing, and improving cybersecurity practices.
This framework provides a structured approach to identifying, protecting, detecting, responding to, and recovering from cyber threats, aligning with industry best practices and regulatory requirements.
Prevention Strategies for High-Risk Processing Areas
Implementation of network segmentation to isolate critical production systems from less secure areas of the network, reducing the risk of unauthorized access or lateral movement by cyber attackers.
Deployment of intrusion detection and prevention systems (IDPS) to monitor network traffic and detect suspicious activities or anomalies indicative of cyber threats.
Regular vulnerability assessments and penetration testing to identify and remediate potential security weaknesses in high-risk processing areas, including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
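Segmentation is only as good as the evidence that traffic actually respects the zone boundaries, which is where the clauses on segmentation and intrusion detection meet. The following Python is an added example written for this page, not code from the original page; it checks constructed flow records against an assumed zone model (corporate IT, a DMZ holding the historian, and the control zone with PLCs and HMIs) and an allow-list of conduits, flagging anything else that crosses a zone boundary.

```python
"""Added example (not from the original page): audits observed network flows
against a zone-based segmentation policy for a plant network. Zones, subnets,
allowed conduits and the flow-log lines are constructed for illustration."""
import ipaddress

# Assumed addressing for the three zones.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}

# Allowed conduits between zones as (src_zone, dst_zone, dst_port, protocol).
# Anything crossing a zone boundary that is not listed here is a violation;
# traffic that stays inside one zone is out of scope for this check.
ALLOWED_CONDUITS = {
    ("corporate", "dmz", 443, "tcp"),   # users reach the historian web UI
    ("dmz", "control", 502, "tcp"),     # historian polls PLCs over Modbus/TCP
}


def zone_of(ip):
    """Name of the zone containing ip, or 'unknown' for addresses outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    # Constructed flow-log format: "src dst protocol dst_port"
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def check_flows(lines):
    """Return the flows that cross a zone boundary outside the allowed conduits."""
    violations = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, dport, proto) not in ALLOWED_CONDUITS:
            violations.append({"src": src, "dst": dst, "from": src_zone,
                               "to": dst_zone, "proto": proto, "dport": dport})
    return violations


# Constructed flow records; the comments state what each one represents.
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.0.10 tcp 443",        # allowed: corporate -> dmz https
    "10.20.0.10 192.168.50.20 tcp 502",     # allowed: dmz -> control Modbus
    "10.10.5.23 192.168.50.20 tcp 502",     # violation: workstation talks Modbus straight to a PLC
    "10.10.7.4 192.168.50.30 tcp 3389",     # violation: RDP from corporate into the control zone
    "192.168.50.20 10.10.5.23 tcp 445",     # violation: control -> corporate SMB, lateral movement pattern
    "192.168.50.20 192.168.50.21 tcp 502",  # intra-zone, not judged
    "203.0.113.9 192.168.50.30 tcp 22",     # violation: address outside the model reaching a PLC over SSH
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {v['from']}->{v['to']} {v['src']} -> {v['dst']} {v['proto']}/{v['dport']}")
```

Run against real flow exports (firewall logs, NetFlow, or a span-port capture summarized per connection), the same check turns the segmentation clause into a repeatable audit: every violation is either a missing conduit that the plan must document or traffic that the firewall between zones should already be dropping.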
Protection of Electronic and Digital Assets
Encryption of sensitive data at rest and in transit to prevent unauthorized access or interception by malicious actors.
Implementation of endpoint security solutions, such as antivirus software, firewalls, and endpoint detection and response (EDR) systems, to protect against malware and other cyber threats.
Regular backups of critical data and systems to facilitate timely recovery in the event of a cyber incident, including ransomware attacks or data breaches.
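A backup only supports "timely recovery" if it can be trusted after an incident, and ransomware that reaches a backup share typically encrypts or deletes the very files a recovery depends on. The following Python is an added example written for this page, not code from the original page: it builds a manifest of per-file SHA-256 digests, authenticates the manifest with an HMAC key assumed to be held off the network, and verifies a backup set for tampering, missing or extra files, and age against a recovery objective. The file names, contents, key and timestamps are constructed.

```python
"""Added example (not from the original page): verifies a backup set against a
keyed manifest before it is trusted for recovery. File contents, names, the
HMAC key and the timestamps below are constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def _encode(body):
    # Canonical encoding so the MAC is stable across runs and platforms.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, taken_at, key):
    """files: {name: bytes}. Returns a manifest with per-file SHA-256 and an HMAC."""
    body = {
        "taken_at": taken_at.isoformat(),
        "files": {name: _digest(data) for name, data in files.items()},
    }
    return {"body": body, "mac": hmac.new(key, _encode(body), hashlib.sha256).hexdigest()}


def verify_backup(files, manifest, key, now, max_age):
    """Return a list of problems; an empty list means the set is usable for recovery.
    The MAC is checked first: if the manifest was altered, its file hashes mean nothing."""
    expected = hmac.new(key, _encode(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    problems = []
    taken_at = datetime.fromisoformat(manifest["body"]["taken_at"])
    if now - taken_at > max_age:
        problems.append(f"backup taken {now - taken_at} ago exceeds allowed age {max_age}")
    listed = manifest["body"]["files"]
    for name, digest in listed.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(_digest(files[name]), digest):
            problems.append(f"modified: {name}")
    for name in files:
        if name not in listed:
            problems.append(f"unexpected file: {name}")
    return problems


# Constructed backup set: a recipe database, a PLC project file and an audit log.
KEY = b"offline-manifest-key-example"   # assumed: kept off the plant network
TAKEN = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)
BACKUP = {
    "recipes.db": b"batch-recipes-v17",
    "line3_plc.project": b"plc-project-bytes",
    "audit.log": b"2024-05-01 login ok\n",
}
MANIFEST = build_manifest(BACKUP, TAKEN, KEY)
RPO = timedelta(hours=24)   # assumed recovery point objective


def check_good():
    return verify_backup(BACKUP, MANIFEST, KEY, TAKEN + timedelta(hours=6), RPO)


def check_encrypted_by_ransomware():
    damaged = {**BACKUP, "recipes.db": b"\x00\x13encrypted-garbage"}
    return verify_backup(damaged, MANIFEST, KEY, TAKEN + timedelta(hours=6), RPO)


def check_stale():
    return verify_backup(BACKUP, MANIFEST, KEY, TAKEN + timedelta(days=3), RPO)


def check_forged_manifest():
    forged = {"body": dict(MANIFEST["body"], files={}), "mac": MANIFEST["mac"]}
    return verify_backup(BACKUP, forged, KEY, TAKEN + timedelta(hours=6), RPO)


if __name__ == "__main__":
    for label, fn in [("good", check_good), ("ransomware", check_encrypted_by_ransomware),
                      ("stale", check_stale), ("forged", check_forged_manifest)]:
        print(label, fn())
```

The key point for the food defense plan is where the key lives: if the HMAC key sits on the same server as the backups, an attacker who encrypts the files can simply rebuild the manifest, so the verification step must run with a key that the production and backup hosts never hold.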
Documentation and Compliance
Documentation of all cybersecurity-related policies, procedures, risk assessments, and mitigation measures as part of the facility's food defense program documentation.
Regular review and audit of cybersecurity controls and procedures to ensure compliance with regulatory requirements and industry best practices.
Continuous improvement and adaptation of cybersecurity measures in response to emerging threats, technological advancements, and changes in the operating environment.
Reporting and Communication
Establishment of clear channels for reporting cybersecurity incidents, breaches, or vulnerabilities to appropriate internal stakeholders, management, regulatory authorities, and relevant industry partners.
Transparent communication with customers, suppliers, and other stakeholders regarding the facility's cybersecurity practices and efforts to safeguard food safety and security.
By incorporating these cybersecurity measures into the existing food defense program, high-risk food processing facilities can strengthen their resilience against cyber threats and safeguard the integrity and safety of their products. Compliance with the cybersecurity requirements outlined here shall be monitored and enforced through regular assessments, internal audits, and inspections, including the audits and assessments conducted by regulatory authorities and certification bodies, ensuring ongoing adherence to industry best practices and regulatory standards.
References:
- Federal Bureau of Investigation. (2021). FBI Releases the Internet Crime Complaint Center (IC3) Annual Report. Retrieved from https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-ic3-annual-report-2021
- NSF International. (n.d.). NSF IT Security Solutions. Retrieved from https://www.nsf.org/services/by-industry/food-safety-quality/information-technology-security
- National Institute of Standards and Technology (NIST). (2021). NIST Cybersecurity Framework. Retrieved from https://www.nist.gov/cyberframework
- Food and Drug Administration (FDA). (2011). Food Safety Modernization Act (FSMA). Retrieved from https://www.fda.gov/food/food-safety-modernization-act-fsma/full-text-food-safety-modernization-act-fsma
- International Organization for Standardization (ISO). (n.d.). ISO/FSSC 22000. Retrieved from https://www.iso.org/standard/82973.html
- British Retail Consortium (BRC). (n.d.). BRC Global Standards. Retrieved from https://www.brcgs.com/
- Safe Quality Food Program (SQF). (n.d.). Retrieved from https://www.sqfi.com/
- National Security Agency (NSA). (2021). Cybersecurity Advisory: Advanced Persistent Threat Actors Exploiting Multiple Legacy Vulnerabilities. Retrieved from https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2785958/cybersecurity-advisory-advanced-persistent-threat-actors-exploiting-multiple-leg/
- Cybersecurity and Infrastructure Security Agency (CISA). (2021). Industrial Control Systems. Retrieved from https://www.cisa.gov/industrial-control-systems
- European Union Agency for Cybersecurity (ENISA). (2021). Good Practices for Cybersecurity in Industrial Control Systems. Retrieved from https://www.enisa.europa.eu/publications/good-practices-for-cybersecurity-in-industrial-control-systems
- Food Protection and Defense Institute (FPDI). (2021). Food Defense Plan Builder. Retrieved from https://foodprotection.umn.edu/fdpb
- U.S. Department of Agriculture (USDA). (2021). Cybersecurity Awareness and Guidance. Retrieved from https://www.usda.gov/our-agency/cybersecurity/cybersecurity-awareness-guidance
- International Electrotechnical Commission (IEC). (2021). Industrial communication networks - Network and system security - Part 1-4: System security conformance testing. Retrieved from https://www.iec.ch/standards/71943-1%3A2021
- National Cyber Security Centre (NCSC). (2021). Guidance: Security measures for Industrial Control Systems. Retrieved from https://www.ncsc.gov.uk/guidance/security-measures-for-industrial-control-systems