As technology continues to grow its influence on the cannabis industry, it is important to ensure that the security of our operational technology (OT) systems evolves. <\/p>\n
Often when cybersecurity is brought up, people first thing of information technology (IT) systems and vulnerabilities, but it is equally important for organizations to consider the threats to their OT, and what the cascading impacts of an attack could be.<\/p>\n
As Dr. Jon Vaught, CEO and co-found of Colorado-based Front Range Biosciences recently told MJBizDaily<\/em>, \u201cCOVID is accelerating companies\u2019 plans and technology implementation.\u201d <\/p>\n Technological advancements within the cannabis industry have led to reduction in water and energy usage, a lowering of labor costs, increased yields and quality as well as enhancing workplace safety. <\/p>\n However, they also introduce new risks to enterprises which if gone unchecked can severely impact a business\u2019s operations and bottom line. <\/p>\n In 2019, risk advisory firm Kroll wrote about the potential of criminally motivated threat actors to take control of automated systems to drastically alter water, lighting, or temperature controls to effectively ruin a crop. <\/p>\n This scenario represented a \u201cblended threat\u201d, one in which a cyber initiated attack can have physical, real world impacts on a business.\u00a0\u00a0\u00a0<\/p>\n While it might be low hanging fruit to say that cannabis operators are not properly prioritizing cybersecurity measures, this is an issue that in a concern across industries. <\/p>\n In 2020 TrapX Security\u00a0surveyed 150 cybersecurity professionals and found that 53% agreed that their organization\u2019s OT infrastructure was vulnerable to some type of cyberattack. <\/p>\n We also know that threat actor are as persistent as ever. According to Fortinet\u2019s \u201c2022 State of Operational Technology and Cybersecurity Report\u201d 93% of organizations had 1+ intrusions in the past year, while 78% had 3+ intrusions.\u00a0<\/p>\n The Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have recently published a comprehensive guidance document for those looking to further bolster their resilience. <\/p>\n On September 22, 2022, CISA and the NSA published a joint cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). <\/p>\n The advisory, Control System Defense: Know the Opponent (AA22-265A) is intended to provide owners and operators with an understanding of the tactics, techniques, and procedures (TTPs) used by malicious cyber actors so organizations can better defend against them. <\/p>\n Most importantly, this advisory provides straightforward, practical, and actionable measures to bolster cyber resilience that organizations can apply now (if they haven\u2019t already). <\/p>\n The new advisory builds on prior NSA and CISA guidance:<\/p>\n According to the CISA\/NSA alert, \u201cThe complexity of balancing network security with performance, features, ease-of-use, and availability can be overwhelming for owner\/operators. <\/p>\n \u201cThis is especially true where system tools and scripts enable ease-of-use and increase availability or functionality of the control network; or when equipment vendors require remote access for warranty compliance, service obligations, and financial\/billing functionality. <\/p>\n \u201cHowever, with the increase in targeting of OT\/ICS by malicious actors, owner\/operators should be more cognizant of the risks when making these balancing decisions. <\/p>\n \u201cOwner\/operators should carefully consider what information about their systems needs to be publicly available and determine if each external connection is truly needed.\u201d\u00a0<\/p>\n As the threat to OT persists cannabis organizations can apply a few straightforward ICS security best practices to counter adversary TTPs.\u00a0<\/p>\n While the end of October brought an end to Cybersecurity Awareness Month, that doesn\u2019t mean we want to lose momentum on promoting the importance of cybersecurity. <\/p>\n According to Chris Foulon, host of the \u201cBreaking Into Cybersecurity\u201d podcast and founder of CPF Coaching, it is important to establish a \u201csafe first\u201d culture where employees are not only trained on what to look for, but are encouraged to report suspicious activity. <\/p>\n \u201cOrganizations should not only provide employees with training, but also help keep them up to date on the latest threat actor TTPs. The threat environment is constantly evolving, and it\u2019s important that everyone in the organization knows what to look for. If cybersecurity stays at the forefront of employees\u2019 minds, it minimizes the likelihood of costly mistakes being made.\u201d<\/p>\n If you would like to learn more about other cybersecurity principles that can help protect your cannabis organization, check out this piece which details lessons learned in Multi-Factor Authentication (MFA) from the recent Uber breach.\u00a0<\/p>\n<\/div>\n![\"\"](\"https:\/\/cannatechtoday.com\/wp-content\/uploads\/2022\/10\/thomas-jensen-h3vT1Kp0FxA-unsplash.jpg\")
\n