Standardization News

Cyberattacks, those headline-grabbing, electronic thefts of data and confidential information, are on the rise globally. In May 2021, cyberattacks paralyzed Ireland’s and New Zealand’s healthcare systems, cutting off access to records, delaying surgeries and appointments, and compromising patient privacy. 

The U.S. Federal Bureau of Investigation’s 2020 Internet Crime Report indicates a 69% increase from 2019 in reported U.S. cybercrimes, with losses exceeding $4.1 billion. The attacks often include compromised passwords and malware, malicious software that includes viruses, spyware, and ransomware.

Ransomware was behind the May 2021 shutdown of the U.S.-based Colonial Pipeline, which resulted in gas shortages, consumer unrest, and ultimately, the payment of approximately $5 million in bitcoin to the cybercriminal group DarkSide. 

FOR YOU: Taking a Bite Out of Cybercrime

And the 2020 supply chain cyberattack, referred to as the SolarWinds hack, impacted at least 200 organizations worldwide, including Microsoft, Credit Suisse, the U.S. Federal Reserve, and the European Parliament. Major corporations and government entities aren’t the only victims. Schools, small businesses, and individuals are also targets for these criminals. 

Because it is considered an emerging market comprised primarily of small businesses, the cannabis industry is especially vulnerable to cyberattacks. “We’re coming from a commodity that was once considered highly illegal to a valuable commodity that is, in some cases, traded on the stock exchange,”  says Mike Soberal, senior director of corporate security at Aurora Cannabis and a certified protection professional (CPP). He is also the new chair of the subcommittee on cannabis security and transportation (D37.05). “Although our risks may not be different than other businesses, because we are cannabis and because we’re in the news and at the forefront of a lot of conversation, there is a newer look, a greater interest in us. And that makes us more vulnerable. We are targets for organized crime and criminal activity and, as a result, relevant standards and protections are needed.”

To aid in safeguarding cannabis harvesters, manufacturers, extractors, distributors, and sellers, the 230-member subcommittee is working on the new guide for implementing cybersecurity in a cannabis operation (WK69969). Aimed at reducing the risk of cyberattacks, the proposed standard will set the bar for the protection of sensitive client data, proprietary information, and critical infrastructure, providing cannabis enterprises with clear guidelines on how to implement security measures.

Ripe for Cyberattack

In drafting the new guide, the subcommittee considered what makes small businesses such easy, desirable targets for cybercriminals. There is a range of reasons. Small businesses may not be as cognizant of security threats. They may not have the training, IT staff, and computer infrastructure necessary to combat digital crimes. They may be part of large corporations’ supply chains, serving as stepping stones to these bigger entities and enabling criminals to enact more lucrative extortion schemes, making infiltration particularly enticing. These reasons all contribute to making the cannabis industry susceptible to cyberattack. 

As digital crimes increase, so too, does awareness of them. Yet, this knowledge doesn’t always result in enhanced security. A January 2020 study by the international cybersecurity company BullGuard revealed that close to 60% of small business owners in the United Kingdom (U.K.) and the United States did not believe that their companies would be prey for cybercriminals. Even so, 18.5% had suffered cyberattacks during the previous year. These events led to decreased productivity, data loss, and in some cases, reduced revenue. Of the small businesses that experienced data breaches, 25% spent at least $10,000 USD on recovering data. And even after paying a ransom, some could not retrieve their stolen data. Depending on the company’s financial stability, a costly cyberattack could force the business to close. 

In spite of these sobering statistics, the BullGuard study showed that 43% of small businesses in the U.K. and U.S. still do not have any form of cybersecurity. Furthermore, a third of businesses with 50 or fewer employees rely on free, consumer-level security solutions. The owners assume that, by relying on free software, they can save money while still protecting valuable data. What they may not realize is that home-use cybersecurity provides only the most basic of features and generally will not fend off complicated, application-specific intrusions. 

The new guide for implementing cybersecurity in a cannabis operation (WK69969), when completed, should help to alleviate cybersecurity weaknesses and also to educate those working in the industry about their risks. 

“We’re creating a standard to explain to folks some of the data breaches that are going to be very common and that we can mitigate with software best practices so that bud tenders or cannabis sales associates don’t make mistakes,” says Mike Coner, founder and president of ezGreen Compliance and D37 technical lead for WK69969.

Physical security can be just as important as cybersecurity for cannabis facilities.

According to Coner, a data breach in the cannabis industry can be caused by something as simple as a departing employee copying the company’s database onto a flash drive to use at a later time at a competing business. Or, breaches can be as flagrant as a medical-marijuana dispensary displaying the driver’s licenses of its customers on a screen, arranged in the order in which they arrived, or a bud tender leaving a patient’s records open on a tablet for anyone in the dispensary to see. The breaches can also result from something as careless as a dispensary locally storing customer data but not installing a firewall or making software updates. This provides easy access for anyone trying to hack the patient database.

In all of these scenarios, patient privacy is compromised. In some instances, only a handful of people are endangered. At other times, the repercussions are much greater.  

In December 2019, over 30,000 medical-marijuana patients had their personal information leaked from several U.S. cannabis dispensaries. Names, photo IDs, dates of birth, phone numbers, email addresses, medical identification numbers, and gram limits were among the details exposed. According to vpnMentor, which discovered the data breach, the point-of-sale system used by the affected dispensaries had not been encrypted and secured. Hackers could, and did, easily break into the system and obtained personal details. 

“Anything that goes to your network is hackable. Anything with a password or user name should be changed from the default,” says Tim Sutton. Sutton is a senior security consultant at Guidepost Solutions and a member of ASIS International (formerly the American Society for Industrial Security) and the D37 security subcommittee. “With burglar alarms, I often find there’s one code given to everyone, but each person should have a separate, unique password. This makes the system more secure and allows for accountability. Security integrators often create these types of operational security vulnerabilities. Work with an experienced security professional, someone trained in security, not in policing and law enforcement. There are notorious back doors in camera systems that can leave businesses wide open to hacking. Security professionals know about them and know how to rectify these issues.” 

Privacy, Supply, and Inconsistent Requirements

Privacy violations are a serious problem for the cannabis industry. The release of a person’s medical records and buying history may lead to identity theft, blackmail, personal stigma, and professional setbacks. For those consumers whose employers prohibit cannabis use, the divulging of this information could result in job loss and damaged careers. For the purveyors who get hacked, consumer trust — and ultimately revenue — could be negatively impacted. 

When a database is disabled by hackers, medical cannabis patients face more than just privacy concerns. Supply also becomes an issue. If they reside in states that closely monitor and control patient buying practices, they may not be able to purchase cannabis until the database has been restored. For those taking cannabis to control pain or anxiety, the wait to receive the next dose may take a physical and/or psychological toll.   

Inconsistent regulations within the cannabis industry further complicate security matters. 

“In the United States, every state might as well be a different country because they each have different legislative rules, regulations, and approaches for the cannabis industry,” Coner says. 

As he points out, this lack of consistency from one state to another creates digital and physical security risks. 

“While the regulatory agencies within each state are different, there are a few types of seed-to-sale software mandated by states. It’s important not only to use the software but to tie into and share the information with the state or state regulatory body. It is equally as important that the regulatory bodies keep their systems secure. What’s involved here is your sales volume, transportation schedules, and routes and inventory levels,” Sutton says. 

Sutton points out that state-licensed data companies in the state of Washington post information regarding cannabis producers’ and processors’ inventories, cargo manifests, and locations. Done in an attempt to maintain transparency and traceability, the practice permits the public to view producers’ and sellers’ addresses and sales data. More sensitive information, such as vehicle identification numbers, can be accessed in the United States by filing a Freedom of Information Act (FOIA) request. With these details, an unscrupulous person could easily determine when a cannabis shipment will be made, when a dispensary will have a large amount of cannabis or cash on hand, and what the ideal time to rob a specific dispensary might be. 

Working Together for Better Security

The cannabis cybersecurity standard (WK69969) will enable governments and businesses to follow a standing operating procedure for cybersecurity. This, in turn, should make the approach to cybersecurity more uniform and secure.

“ASTM provides enough content around each pain point, challenge, or roll-out objective in the industry so that regulators have a reference — sort of like attorneys using existing case law — and a way to say, ‘I wrote this law this way because of ASTM,’” Coner says. 

In addition to WK69969, the security and transportation subcommittee (D37.05) has three active standards pertaining to security. 

The guide for video surveillance system (D8205) outlines the recommended video surveillance system for resin cannabis, resin cannabis products, resin cannabis waste, currency, people, property, and assets. The standard emphasizes that, when using digital video surveillance systems, the cameras should be encrypted so that they cannot be hacked. 

READ MORE: Cannabis Cetification

The guide for access control system (D8217) covers access control systems installed at strategic locations within cannabis operations. These areas include exterior entrances, loading docks, growing and processing rooms, offices, and transaction areas. The systems track employee movement and increase overall security on site. The standard also details the use of multiple-factor authentication for doors, vaults, and safes, as well as growing, processing, manufacturing, transaction, product, and currency rooms. Authentication consists of a combination of factors such as biometrics, wireless devices, and personal identification numbers. 

The guide for intrusion detection system (D8218) focuses on invasion-detection devices such as motion detectors, door and window contact alarms, and glass-break alarms. If any apparatus is triggered while the detection system is running, a 24-hour monitoring service will be notified. 

“If you can intertwine the new and existing ASTM standards, you will have a 360-degree solution for your cannabis business,” says Coner. “You’ll know how to set up your facility, how to connect it to different software systems, how to protect it, how to be compliant, and how to turn a profit. You’ll be able to show the way that you report and do business, and show your state that you’re a safe business to work with.” 

Soberal concurs with Coner about the subcommittee’s standards. “We hope that the cybersecurity guidelines will complement the standards in place and will be mindful of existing cybersecurity protocols,” he says. 

Soberal notes that, in addition to digital security, D37.05 is working on the practice for implementing a cannabis transportation program in a cannabis operation (WK76013) to ensure that cannabis delivery drivers have emergency communication devices, GPS, signature requirements, and enclosed vehicles. These are common-sense security protocols, ones that tie into the new and existing standards for the cannabis industry. 

“The hope is to provide the cannabis industry with a uniform security reference covering most aspects of security. It will be a universal document offering consistent security standards for the industry,” Soberal says. He anticipates that the document will be completed by summer 2022. 

For further information about the subcommittee on cannabis security and transportation, please contact D37 staff manager Robert Morgan (tel +1.610.832.9732; rmorgan@astm.org). ■

Kathy Hunt is a U.S. East Coast-based journalist and author.

*ASTM International is a not-for-profit, nongovernmental organization that develops voluntary consensus standards and defers to appropriate government authorities to determine the legal and regulatory framework regarding the control and use of cannabis.