· 9 min read
The past year-and-half has been anything but normal. Beginning with the pandemic, social unrest and a host of other concerning world events, there are very few things that haven’t changed in our way of life.
One thing that hasn’t changed from the pre-pandemic era is threats from outsiders and persons that would want to cause harm, which continue to plague our critical infrastructures. With each of our 16 defined critical infrastructures, government and private organizations must have specific mitigation strategies in place that are not only reactive if an event were to occur, but even more so, proactive. “Stopping the threat before it becomes a real danger should be our objective.”
Security managers and directors are tasked each day to monitor, detect and proactively prevent an attack against their facilities, people, assets, organization and brand. This task is becoming increasing difficult.
A recent review of some of the most egregious attacks on various critical infrastructures, for example on a pipeline and a major meat processor, has revealed that companies are no less vulnerable today than they were pre-pandemic. In some cases, organizations are more vulnerable than ever before.
The worldwide coronavirus pandemic reminded us of just how important it is to be prepared. There’s an urgent need for having a robust security and response plan in place. We should expect the unexpected with regards to our business operations and the safety and security of our people, assets and brand.
Terrorists of today, whether domestic or international, seek to destroy, incapacitate or exploit critical infrastructures in a variety of ways. Lately, hacking into a company’s internet and stealing trade secrets, vital information and other important data has resulted in hundreds of thousands, if not millions of dollars being paid out in the form of ransomware. According to a recently published report, one U.S. based company paid over $11 million in ransom to a foreign attacker who was able to penetrate and gain access to highly critical operational systems and shut down the company’s distribution network. In the case of a pipeline attack, the terrorist interrupted the supply chain of gasoline distribution to the entire East Coast of the United States, resulting in a cascading interruption of critical services such as airlines and product distribution, as well as panic buying of fuel at the pumps. Because of the significant magnitude of the fuel crisis, the White House became involved and issued warnings to companies of all sizes of the urgent need to better protect their cyber infrastructures.
“The cyberattack on a major meat processing facility again showed us just how vulnerable we are in the food supply chain. Such attacks can be very costly, if not detrimental to an organization’s survival if there is no prepared, practiced and robust response to such disruptive acts.”
The threat of terrorism against our critical infrastructures is nothing new. For years, homeland security experts such as myself, and many others inside and outside of government, have continued to raise awareness about the potential of a major terrorist or criminal attack against these systems. Unfortunately, the call for increased security protocols and plans has failed to reach some senior members of company leadership.
As someone who has focused exclusively on the food and agricultural industry and its attractiveness to an attack, I have often wondered why some companies fail to take heed of warning signs.
The threat of terrorism against our food supply is as real today as it ever has been. Whether it’s an attack on the products themselves, such as product tampering or sabotage, or a cyberattack against a company’s internet infrastructure, it can be harmful and costly if not recognized in advance. Plans should be in place to not only respond to such an attack but also to prevent it.
It is vitally important that senior management realizes and recognizes four important tenets about terrorism:
According to homeland security experts, terrorists and criminals tend to change their tactics or mode of operating on a regular basis to accomplish their goals. Thus, they seek out targets that are of least resistance. They typically choose days and times that are least expected or anticipated. For example, historically, law enforcement agencies tend to “beef up” security at government facilities during holidays and during large attendance events in anticipation of something bad happening. Recognizing this, a would-be terrorist may choose an unexpected place and time that would be considered out of the norm when their actions or behavior would not be easily recognized.
Think of the case involving Timothy McVeigh. On April 19, 1995, he placed several bombs inside a rental truck and parked the vehicle in very close proximity to the Murrah Federal Government Office Building. According to the FBI, McVeigh is believed to have built homemade bombs inside the truck while it was parked in the office building lot for up to three days before the attack. As a result, over 168 people died and nearly 700 were injured. Many people wondered at the time, why McVeigh, a former member of the military, would target a rather unassuming location in the Heartland of America.
Terrorists look for and specifically choose their targets in the same way as other criminals. An attractive target for a criminal or terrorist is a place, person or thing that shows visibly low awareness of their surroundings, has not anticipated what could potentially happen and has failed to implement protective measures to guard against such an attack. Protective measures start with a keen awareness of all activity – for example of all employees working at a location from the CEO of the organization to the newest worker. A soft target can be defined as a place that is easily accessible and relatively unprotected. Further, an organizational soft target is when a site vulnerability assessment has not been conducted to help to identify all potential areas of vulnerability including those considered attractive by the aggressor. Terrorists look for the path of least resistance. If a location is attractive - such as the food supply - it has the potential to reach a large distribution chain of hundreds of thousands, if not millions, of people. If it’s easily accessible and unprotected, then that location is a prime target. If specific strategies are not in place to identify, reduce and mitigate the potential threat, the company is running the risk of business interruption, or even worse, harm or death to others.
Terrorists generally develop their own benchmarks for how they believe they can accomplish their goals. Although sometimes unknown, it is typically believed that terrorists set goals whereby their actions will have a psychological, social or governmental impact. Terrorists seem attracted to the visibility in the media that their actions cause. That’s why after many terrorist attacks, we see various groups from around the globe trying to be the first to “claim” to take “credit” for the attack. It gives them a sense of success if they are responsible for causing the harm. That is why I’ve always believed “it is counterintuitive to publicly release information regarding any payments made to known or unknown groups who carry out attacks against a company or organization for ransom”.
Announcing the ransom could incentivize, encourage, motivate or inspire others who want to conduct a similar attack. New groups or terrorist leaders may choose to follow suit and if they are successful in perpetuating a major terrorist or cyberattack with cash rewards (ransom), their actions are likely to also be reported in the news media.
How difficult is it for someone to gain access to your facility, your product storage areas or your chemical storage tanks? Have you conducted a penetration test lately or on a periodic basis to challenge your existing mitigation strategies? If not, why not? Is someone planning an attack against your facility right now? How would you know? What “chatter” is being discussed about your business, its operations and products on social media? Who within your organization is checking this daily? It is imperative to realize that terrorist events are rarely spontaneous. They are almost always a planned event. A would-be terrorist will observe, watching how you operate your facility, then strike. They know the “ins and outs” of your facility. They know the areas of weakness or vulnerability in the security protocols.
I am reminded of a recent event when I visited a food processing plant in upstate New York. It was late in the evening around 11:00 pm, during the change of shifts. I sat in the accessible employee parking lot for about 30 minutes, just watching the actions of the employees as some were leaving their shifts for the day and others were arriving for the night shift. To enter the plant, one must either show the uniformed security guard their employee badge or inform the guard that they are a temporary employee. I decided to try to gain access to the plant by informing the guard that I was a temporary employee. There wasn’t a check-in sheet for temporary workers. I strolled past the guard’s booth and sung out (as did all others), “I’m a temporary!” Without hesitation, the guard smiled, said hello and welcome, and waved me past! No questions, no checklist, just a smile and come on in!
The question here is how difficult would this have been for someone with ill intent - such as a terrorist, disgruntled employee or criminal? Obviously, not too difficult at all.
The FDA has been given responsibility by Congress for enforcing the Food Safety Modernization Act which includes a critical section on intentional adulteration (IA). Although the FSMA IA rule is a good start, the FDA, CFIA and other world organizations with their great intent and tenacity can only do so much and cannot achieve the goal of keeping the food supply safe and secure on their own without the support and the same level of resolve from private companies.
Companies need to realize that the safety and security of their products, people and assets doesn’t start by checking boxes on a compliance checklist, but rather, by empowering and training employees on security and food defense awareness, instituting and enforcing policies that continuously support the food defense and security posture at the facility.
Utilizing tools such as the Food Defense Plan Builder, coupled with good training programs, companies can position themselves for the future by trying to anticipate what may come and, just as importantly, being prepared for any crisis or attack - expected or unexpected.
Senior management must recognize and act upon their organizational responsibility. The food and agricultural supply in the United States, working with partners across the globe, has strived to provide safe food for customers.
“The time is now to recognize that safety does not start or stop with the Quality Assurance department” - it starts and stops with everyone working inside the facility, from the company CEO to office personnel to the employee stacking products on the shelves.
Threats to the food supply will continue. The opportunity for us is to ensure that our fight to maintain a secure food supply continues. Not all threats to critical infrastructures can be eliminated, but their impact can be restrained and reduced with effective strategies and management.
“Let’s step up our game to fight terrorism - at the physical facilities and on the internet. Our lives and those of our families, friends and all who consume our products depend on it.”