What Changed the Game for Food Defense?
foodsafetymagazine.com by Robert A. Norton, Feb, 6, 2017
ISIS has been interested in targeting the food supply for many years and has actually experimented with poisons on several very unfortunate human victims. The terrorist group’s efforts had not matured to the point that they posed a threat to our food system, but things started to change in 2015 when Munir Mohammed and Rowaida el-Hassan met and started to plan an attack in the United Kingdom using the deadly toxin ricin, chemical weapons and homemade bombs.
Had this been another thwarted ISIS case involving improvised explosive devices, it would unfortunately have been pretty unremarkable. In fact, this case was anything but ordinary and can instead be labeled a game changer, at least in my opinion. The implications for the food industry are very serious, and for that reason we are likely to see similar cases in the future.
Why was this a game changer? First, Munir Hassan Mohammed was in regular contact with ISIS, making him an agent, not a sympathizer. Second, he worked for a large food company in the United Kingdom, meaning he was “inside the wire”—a longtime ISIS goal for priority targets. That means he had access to and knowledge about food facilities, processes and equipment. Third, Mohammed had a pharmacist girlfriend, Rowaida El Hassan, who was knowledgeable about chemistry. The deadly toxin ricin is not difficult to make, but knowledge of chemistry could certainly help in making purer, more deadly ricin.
We know the couple intended to create this particular toxin, which is so deadly that just a few micrograms can kill. They had access, knowledge, tools and motivation. Had they not been arrested in December 2016, there is little doubt they would have been able to create some quantity of ricin, which could have been used to contaminate food ingredients at Mohammed’s place of employment. Would large numbers of people have died from ricin poisoning? Unlikely. Would it have caused a disruption? Undoubtedly!
The primary goal of terrorism is to create terror, terror that is sufficient to cause some kind of political or religious (again, read political) effect on the public. Terrorized people know (or at least think they know) that their government somehow failed to protect them. Terrorism is all about creating the maximum effect, so that the politically less powerful (i.e., the terrorists) can confront the politically more powerful (government, armies, corporations, etc.). This is often described by the military as “asymmetry.” Terrorists try to use this asymmetry to their advantage by convincing adversaries (that would be us—western society, militaries, corporations, etc.) that they are more powerful, entrenched or widespread than they really are. Terrorists want to cause panic, first by killing or maiming, their preferred modus operandi. If that isn’t possible, the next best goal is to foster panic. Poisoning food, whether or not anybody actually dies, would be an effective terrorist strategy because people would start doubting the safety of the food supply. The intentional poisoning of just a few boxes of product would cause massive disruption and panic and cost piles of money. This, too, is terrorism.
So what should food companies do? If you don’t want terrorists attacking your facilities, don’t let them inside your doors. This defensive strategy becomes largely a human resources problem. Start with thoroughly screening employees before they start and maintain a robust employee security maintenance program, particularly for critical defense points in your system or processes.
What is a critical defense point (CDP)? A CDP is any point in your system or processes where the effect of intentional contamination would be magnified. Take, for instance, the point at which an ingredient (such as a liquid) is introduced into the batch. Think of it in terms of magnification—a liter of a liquid ingredient ends up in three tons of product. This is the point at which you absolutely don’t want to station a disgruntled employee or someone motivated to do harm. This would be the point where you don’t want a Munir Hassan Mohammed working, especially with a vial of purified ricin in his pocket.
Are there strategies to make defenses more robust? Absolutely, but these are strategies and techniques that need to be closely held. In other words, this author will not publicly disclose them, even in a trade publication. The best security is that which the average viewer will never see. The best strategies are those which are not publicly disclosed, since disclosure inevitably leads to providing opportunity to adversaries who will respond with work-arounds for themselves.
Two strategies that can be disclosed publicly, however, are automation and closed systems. Wherever possible, remove the human element. Take advantage of technological fixes when available, since potential threats invariably involve human beings. Removing the human element wherever helps make your system maximally robust.
Closed systems also help eliminate the opportunity for bad guys to harm the system itself. You don’t want a system component that can be easily accessed or used as a portal for contamination. Closed systems also should have sensor and alarm platforms to warn if a breach or disruption occurs. If something is opened during a process run, management should instantly know that and be able to respond immediately.
Security invariable depends on one’s ability to develop and robustly maintain situational awareness, whenever or wherever or with whatever needs to be monitored. Humans by themselves are seldom able to achieve total situational awareness for a whole process or system, much less a whole facility. In other words, you and your corporation will never be able to achieve 100 percent security.
That being said, you can sufficiently harden your situational awareness capability to the point that it will protect you against the kinds of adversaries you are likely to encounter. Contrary to the image they would like to project, terrorists are seldom brilliant. They will make mistakes, and it is those mistakes that frequently betray them.
Vigilance is essential. Defenses cannot be allowed to slip, since it is defenses that will make adversaries go somewhere else in search of victims. It may sound harsh, but your best bet toward safety is to harden your people, facilities, processes and systems, sufficiently to encourage the bad guys to pass you by. You’ve probably heard this from me before, but I’ll say it again. Stay vigilant! Stay safe!