As technology continues to grow its influence on the cannabis industry, it is important to ensure that the security of our operational technology (OT) systems evolves.
Often when cybersecurity is brought up, people first think of information technology (IT) systems and vulnerabilities, but it is equally important for organizations to consider the threats to their OT, and what the cascading impacts of an attack could be.
As Dr. Jon Vaught, CEO and co-founder of Colorado-based Front Range Biosciences, recently told MJBizDaily, “COVID is accelerating companies’ plans and technology implementation.”
Technological advancements within the cannabis industry have led to reduced water and energy usage, lower labor costs, increased yields and quality, and enhanced workplace safety.
However, they also introduce new risks to enterprises which, if left unchecked, can severely impact a business’s operations and bottom line.
In 2019, risk advisory firm Kroll wrote about the potential of criminally motivated threat actors to take control of automated systems to drastically alter water, lighting, or temperature controls to effectively ruin a crop.
This scenario represented a “blended threat”, one in which a cyber-initiated attack can have physical, real-world impacts on a business.
While it might be low-hanging fruit to say that cannabis operators are not properly prioritizing cybersecurity measures, this is an issue that is a concern across industries.
In 2020, TrapX Security surveyed 150 cybersecurity professionals and found that 53% agreed that their organization’s OT infrastructure was vulnerable to some type of cyberattack.
We also know that threat actors are as persistent as ever. According to Fortinet’s “2022 State of Operational Technology and Cybersecurity Report”, 93% of organizations had 1+ intrusions in the past year, while 78% had 3+ intrusions.
The Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have recently published a comprehensive guidance document for those looking to further bolster their resilience.
On September 22, 2022, CISA and the NSA published a joint cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs).
The advisory, Control System Defense: Know the Opponent (AA22-265A), is intended to provide owners and operators with an understanding of the tactics, techniques, and procedures (TTPs) used by malicious cyber actors so organizations can better defend against them.
Most importantly, this advisory provides straightforward, practical, and actionable measures to bolster cyber resilience that organizations can apply now (if they haven’t already).
The new advisory builds on prior NSA and CISA guidance:
- Stop Malicious Cyber Activity Against Connected Operational Technology (April 2021)
- NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems (AA20-205A; July 2020, updated October 2020)
According to the CISA/NSA alert, “The complexity of balancing network security with performance, features, ease-of-use, and availability can be overwhelming for owner/operators.
“This is especially true where system tools and scripts enable ease-of-use and increase availability or functionality of the control network; or when equipment vendors require remote access for warranty compliance, service obligations, and financial/billing functionality.
“However, with the increase in targeting of OT/ICS by malicious actors, owner/operators should be more cognizant of the risks when making these balancing decisions.
“Owner/operators should carefully consider what information about their systems needs to be publicly available and determine if each external connection is truly needed.”
As the threat to OT persists, cannabis organizations can apply a few straightforward ICS security best practices to counter adversary TTPs.
- Limit exposure of system information. It’s critical to protect and avoid disclosing operational and system information and configuration data about system hardware, firmware, and software in any public forum. Information protection education should also be incorporated into awareness training.
- Identify and secure remote access points. Discovery and identification of all assets, including remote access points operating in the control environment, is key to protecting them.
- Restrict tools and scripts. Carefully apply access and use limitations to particularly vulnerable processes and components to limit the threat posed from legitimate network and control system application tools and scripts.
- Conduct regular security audits. Perform independent security audits of the control system environment, especially of third-party vendor access points and systems, to identify and document system vulnerabilities, practices, and procedures that should be eliminated to improve the cyber defensive posture.
- Implement a dynamic network environment. Owner/operators should consider periodically making manageable network changes. A little change can go a long way to disrupt previously obtained access by a malicious actor.
While the end of October brought an end to Cybersecurity Awareness Month, that doesn’t mean we want to lose momentum on promoting the importance of cybersecurity.
According to Chris Foulon, host of the “Breaking Into Cybersecurity” podcast and founder of CPF Coaching, it is important to establish a “safe first” culture where employees are not only trained on what to look for, but are encouraged to report suspicious activity.
“Organizations should not only provide employees with training, but also help keep them up to date on the latest threat actor TTPs. The threat environment is constantly evolving, and it’s important that everyone in the organization knows what to look for. If cybersecurity stays at the forefront of employees’ minds, it minimizes the likelihood of costly mistakes being made.”
If you would like to learn more about other cybersecurity principles that can help protect your cannabis organization, check out this piece which details lessons learned in Multi-Factor Authentication (MFA) from the recent Uber breach.