The aim of the Publicly Available Specification (PAS) 96:2017 Guide is to assist organisations  to improve the resistance of their food and drink supply chains to fraud or other forms of deliberate attack.

The extent of food fraud incidents is staggering. Some food and drink establishments may have had first-hand experience of deliberate attacks on their supply chain. The challenge is whether these establishments had the relevant processes in place to detect and deter any deliberate attacks. And if any incidents happened, what lessons have they learnt from their ordeal?

Anyone who intends to make a deliberate attack has a reason why they are doing it. The kind of threats range from economically motivated adulteration (EMA), malicious contamination, extortion, espionage, counterfeiting and cybercrime. Nestlé published an interesting booklet titled “Food Fraud Prevention” with particular emphasis on EMA, and cites two types of EMA, namely “the sale of food which is unfit and potentially harmful” and “the deliberate mislabelling of food”.

As the saying goes, “to catch a thief, think like one.” It is important to understand the motive behind the deliberate attack. Does the attacker have the means and skills to conduct it? An insider attacker is likely to have more knowledge of the food and drink value chain. PAS 96:2017 classifies attackers as extortionists, opportunists, extremists, irrational individuals, disgruntled individuals, cybercriminals and professional criminals.

What is PAS 96:2017?

Published by the British Standards Institution 2017, “the purpose of PAS 96:2017 is to guide food business managers through approaches and procedures to improve the resilience of supply chains to fraud or other forms of attack. It aims to assure the authenticity and safety of food by minimising the chance of an attack and mitigating the consequences of a successful attack.”

What is TACCP?

The Threat Assessment Critical Control Points (TACCP) methodology proposed by PAS 96:2017 is the “systematic management of risk through the evaluation of threats, identification of vulnerabilities, and implementation of controls to materials and products, purchasing, processes, premises, people, distribution networks and business systems by a knowledgeable and trusted team with the authority to implement changes to procedures.”

The reality is that any food and drink establishment can fall victim to a deliberate attack. The key issue is to acknowledge that threats exist.

Conducting a TACCP assessment

Organisations that maintain a hazard analysis and critical control points (HACCP) system can use it as a building block by conducting a TACCP assessment. A cross-functional TACCP team should be assembled, according to the size of the food and drink establishment. PAS 96:2017 suggests that the team raise questions such as, “Who might want to attack us? How might they do it? Where are we vulnerable? How can we stop them?”

Assess and evaluate

Having an antivirus on a computer will not entirely deter potential cyberattackers.  When assessing and evaluating threats, the focus can be on an organisation’s products, premises and information systems. The TACCP team needs to think of a broad range of questions when evaluating and assessing threats. A vulnerability assessment should be considered in the context when the threats are driven by EMA, malicious contamination or cyberattacks.

Assess the risks and implement controls

Mere knowledge of the threats is not an indication that one is in control. Further discussions are necessary on the likelihood of the identified threats. A risk-scoring matrix, taking into consideration the impact and likelihood of the threats can be used. PAS 96:2017 suggests that when making a judgment of the likelihood, consider “whether an attacker would achieve their aims if successful; whether an attacker could have access to the product or process; whether an attacker would be deterred by protective measures; whether an attacker would prefer other targets; and whether an attack would be detected before it had any impact.”

Appropriate risk reduction controls need to be taken to combat the identified threats. These controls might range from access control, tamper detection and personnel security.

Wake-up call

Vigilance is the way to go. As we have seen from this insight on PAS 96:2017, deliberate attacks can be triggered by various factors. In practice, measures should be put in place to mitigate potential or deliberate attacks on your food and drink supply chain. It is no longer enough to give food safety assurance to the consumers. A lot is at stake. This is not about creating panic. Being aware of the potential threats and would-be attackers in any food and drink supply chain is the starting point. However, adoption of guidelines such as PAS 96:2017 in the day-to-day food operational activities will not only prevent food fraud, it will also protect consumers at large.

Figure 1: Illustration of the TACCP process (Source: PAS 96:2017)


Leave a Reply

Your email address will not be published.