12 replies to this topic

[Mushrooms]

Hello team,
can you please give me some examples of how to perform this food defence challenge 

[AZuzack]

The most common one is to see if an "unknown" person can gain access to product and production areas.  If you have a customer that does self pick up, ask them ahead of time to try to gain access by asking to use the bathroom or something seemingly benign.  At a previous employer, there was a Quality manager that was dating a postal worker.  People in uniforms are often trusted, but our employees would not let him enter the gowning room.  So you're just trying to find a person willing to try to get to restricted areas and then documenting how far they make it.  

[GMO]

As this was SQF I didn't reply as I'm not an expert but you can pay companies (in the UK anyway) to conduct the amusingly titled "penetration tests".  Yes, I sniggered for a good half an hour on and off when I heard that name... I am a child.  I know.

 

Anyway, companies that employ security staff (in the UK the likes of Mitie) will do this for you as will the kind of "risk auditing" companies.  Or if you aren't known from one site to another you could do something internal but it's a fairer test if you're completely external.  They come to your site and basically try and get past your security controls.  The best people will fake up badges etc.  It's surprising how easy that is.  Go and have a look at your company photos on Linkedin.  If you have a policy of wearing ID badges, there may well be one visible that someone could at least roughly adopt.  Stick on a high viz as well and lots of people hold the door open for you.

[jfrey123]

Two examples I've seen/experienced have been the person unknown and a package unknown.

 

In 2023 we did a corporate QA team visit to one of our sites, and I got to play the person unknown and try to get into the plant.  They almost won straight off:  all outside doors were locked, I couldn't access the roof, and the one door for delivery drivers was properly defended with personnel and sign-in sheets (they wouldn't let me pass).  But then I got to the main office door, keypad lock, and the second code I tried was 1-2-3-4 and it popped open.  Front desk was unmanned because it was too early for office staff, so I waltzed on by.  I made it into a storage area where extra smocks and hard hats were kept, grabbed a blue hardhat indicating I was a new trainee, and proceeded to walk the plant for 40 minutes unchallenged.  Started off trying to be sneaky, but eventually I was walking up and down the lines with my phone out, taking photos and checking my Fantasy Football for updates.  The saving grace was that multiple employees reported me to their supervisors, supervisors radioed to management, but they were told not to worry because I'm on the visiting corporate team.  I wrote a report documenting the frontline employees did their job well enough, but senior management dropped the ball, root cause was they allowed one of the most common 4 digit codes to be used on a door (google it, there's a list of common codes to be avoided).

 

That plant last year had done a package unknown challenge.  QA Manager snuck a box into the pile of UPS/FedEx packages that are normally first received on a cart near the docks.  Package was stickered as a biohazard, hand addressed to a boss by a former employee, etc., all sorts of red flags to simulate a disgruntled employee sending a malicious package.  QA Manager timed how long it would take to get reported, observed what receiving employees would do when discovered via the security cameras.  Took them like 6 minutes to discover, pull personnel out of the dock area and report the package to the facility management.

 

Really think of anything that's out of the norm and violates your food defense plan.  Have a manager not normally associated with production ask to throw a box onto a pallet of finished goods that are about to be loaded onto a truck, purposely dodging questions about what's inside (or say something like "this customer peed me off, I'm going to send them a little 'extra' gift, heh heh").  This simulates employee sabotage of the foods.  Have someone approach employees on their lunch break outside and ask them to open the door for him.  This is one area where, IMO, auditors become a little gitty and like to see outside the box thinking, and it leads to some fun conversations.

[nwilson]

I've done quite a few and have tried to have fun with these as well. 

- General parameter break in - I used one of our pest control operators at an employee entrance and they did not have a visitor badge from check in.  Actually nailed on of my QC Techs as they let them in.  

- Chemical security - Either pull the lock off a bulk storage area and see who reports it or place unwarranted chemicals in processing areas. Used a self made label with made up chemical compositions and placed on a squirt bottle with a bit of dish soap and food coloring.  

- Cyber/computer security - See if access at alternate points can be made on production computers.  I found an access point that didn't have the server data drive disabled and this had batch records available to general staff.  

 

With all these scenarios I am either hiding somewhere to observe or on the cameras watching, documenting all the times, staff that walk by, etc.  

[GMO]

Let's face it, we all love pretending to be the bad guy. 

 

Some great tips.

[kfromNE]

I helped one of our warehouse facilities with theirs by sending a box that had "pest contamination". Made it very obvious. Used rice that had been colored black/brown to mimic mouse poop. Then used a staple remover to scratch the box. Certain warehouse directors were aware and communicated with so they knew when it was coming. 

When I told our shipping what I was doing - they were hesitant to help because they felt bad for the warehouse employees but after they saw how bad I made it - they helped and didn't feel bad. 

 

It was fun. 

 

Another idea - use a former employee that left in good terms (retired, etc). Have them try and get in. We have a policy that doesn't allow guests, even former employees to be unaccompanied on our production floor.  

Edited by kfromNE, 08 April 2025 - 06:56 PM.

[kfromNE]

This is the photo of what was done. There's more 'poop' taped on the side of the box too. 

Attached Files

•  Food Defense photo.jpg   487.55KB   1 downloads

Edited by kfromNE, 08 April 2025 - 07:20 PM.

[nwilson]

Let's face it, we all love pretending to be the bad guy. 

 

Some great tips.

 

This comment made me think of this...

Attached Files

•  Picture1.jpg   58.09KB   1 downloads

[Mushrooms]

thank you guys amazing responses.

[GMO]

This is the photo of what was done. There's more 'poop' taped on the side of the box too. 

 

That is BRILLIANT.  I can foresee so many opportunities to wind up techie friends with this...  

[kfromNE]

Here's an example that I would have never thought of or would think a person would do. 

 

https://www.foodsafe...n-latin-america

[nwilson]

Here's an example that I would have never thought of or would think a person would do. 

 

https://www.foodsafe...n-latin-america

 

Wow this is one disgruntled person!  The lengths they went to sabotaging menus and harassing employees.  Thanks for sharing.