27 September 2019

Cybersecurity in the Cannabis Industry

As you have probably seen in all the headlines, there is a cyber war going on and the cannabis industry is probably the next victim. Cyber criminals are constantly re-adjusting their target. At first, they aimed at large enterprises, because that’s where the money was. Once the enterprises improved their tools and processes (aka it’s started getting harder), the cyber criminals attacked Small and Medium Businesses (SMBs) because they were easier and had not adapted yet. Now there is a new target in their crosshair, the cannabis industry, because they are not [well] prepared. Who could blame the new industry? They’ve spent a lot of time and effort meeting the regulations they were told to meet, but in many cases, those regulations fall short in terms of cybersecurity requirements. 

Let’s first explore the why: data (well, really, money, but by selling your data on the black market (aka The Dark Web)). 

  1. Personal Information: Any data that can be used to identify you personally (name, address …), specifically in the context of this article, the data from your employees and customers. Just that one record will not fetch that much for a hacker (less than $1), but if you add a Social Insurance (SIN) or Social Security Number (SSN), Drivers License number, a couple of logins to other sites you can build a full package (Fullz) that can fetch a price into the double digit range (and when you multiply that by a 1,000 records it can create the required motivation for someone to attack you).
  2. Financial Information: If your name and address can fetch a decent return for a cybercriminal, imagine if you combine it with full credit card information (cvv and all). In theory, if you are dealing with credit card information you should be PCI DSS (Payment Card Industry Data Security Standard (Visa, Mastercard, American Express…))  compliant and if you are not, you may want to it done [really] soon, they do not take non-compliance lightly.
  3. The secret sauce: The cannabis industry is new and is still full of unknows and uncertainties. The ones that will figure out sooner stand to dominate the market and reap the rewards. What strain is selling well? What demographic of customer is buying what and when? How do you get the best yield from plant A? The answers to all these questions will be key and if someone can steal from you in 5 minutes what you took 5 years to figure out, you now have a new competitor that will spend the same amount of money you did for research and development (R & D), but use it for marketing instead…

What should you do? At a minimum you should get inspired by some of the regulations that exists in other industries, even if they do not apply directly to you due to industry or geography. They are based on years of experience and real scenarios (and let’s be clear, cyber criminals do not care that much about what country you headquarter is based in).

Examples:

  • Industry standards/laws:
    • PCI DSS (Payment Card Industry Data Security Standard)
    • HIPAA (Health Insurance Portability and Accountability)
    • NERC CIP 5 (North American Electric Reliability Corporation Critical Infrastructure Protection
    • FDA (U.S. Food and Drug Administration)
    • AGCO Registrar's Standards for Cannabis Retail Stores (Alcohol and Gaming Commission of Ontario)
    • NIST Cybersecurity Framework (National Institute of Standards and Technology)
  • Privacy standards/laws
    • GDPR (General Data Protection Regulation)  
    • PIPEDA Personal Information Protection and Electronic Documents Act
    • AB-2402 Cannabis: personal information
    • ORS 646A.622 (Oregon Revised Statutes - Requirement to develop safeguards for personal information)
    • AB-2402 Cannabis: personal information (California Legislative Information)
    • Medical Information Act (Part 2.6) (California Legislative Information)

Some of those are prescriptive, like PCI DSS 6.2: “Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”, some of those are not, like: AGCO  8.3 “Licensees must ensure that there are reasonable safeguards around data security and protection of data integrity.”.

So what is a responsible cannabis business operator to do? There is unfortunately no one size fits all answer (we offer some good starting point here), but it would not constitute a “plan”. 

First: Reduce! (Do not collect or store information you do not need).

Then, we would recommend building around an existing framework (we like The Five Functions from NIST):

  • Identify: Know thyself (What are your assets, what information is where, what are the risks…)
  • Protect: Deploy your defenses, many layer of them (Firewalls, Anti-malware, email scans…)
  • Detect: Get the alerts, read the reports
  • Respond: Actually do something about the incident you detected (sounds obvious, but you’d be surprised)
  • Recover: You can’t win them all and sometimes a wipe and restore is the best option, make sure you have multiple copies of your data in multiples places (all of it encrypted).

I will stop here for today, but expect some upcoming deep[er] dive into some specific areas, drop me a note if there is a specific topic you want to hear about.