Imagine the creation of a new industry throughout the United States whose finished product is deemed illegal by the federal government, but is nevertheless legal, to some degree, in many states. This same product, meanwhile, is legal in the provinces of Canada. The paradox is further complicated by limited U.S. state guidelines for the physical security of establishments that grow, manufacture, and sell this item. And, because of the value of this item, it is highly sought after by the criminal element.

Welcome to the cannabis industry, where physical security is required, but risks and regulations make system selection challenging.

Over the last two decades, Canada and many U.S. states have legalized marijuana either medicinally, recreationally, or both. This “Green Rush” has created a legal cannabis industry composed of cultivators, processors, and licensed dispensaries. According to Cannabis Benchmarks, the spot price for marijuana in April 2020 was more than $1,300 per pound, making marijuana cultivation more profitable than traditional commodity-based crops, including corn, soybeans, and wheat. Research released in January 2020 by The Arcview Group found that the industry was estimated to be worth between $5.7 and $6.7 billion in 2015, and legal cannabis sales grew to $14.9 billion in 2019. Arcview projects cannabis will become a $42.7 billion global industry by 2024.

This new industry has led to opportunities for entrepreneurship in the context of cultivation, processing, and retail sales. However, it has also created new opportunities for the criminal element. Consequently, security for each sector of the marijuana economy remains a challenging and developing field.

Security Challenges

News reports reveal that these marijuana-related organizations have been vulnerable to a myriad of human-based threats. Organizational assets are susceptible to burglary, robbery, and theft. For example, in 2019 in Portland, Oregon, a cannabis warehouse was burglarized of more than $1 million of marijuana related products.

In Humboldt County, California, where illegal marijuana cultivation has a strong history, it was reported that robberies of legal cultivators has reached “borderline epidemic proportions” in 2019.

Other criminal incidents have included retaliation from illegal growers and dealers, who vandalize and harass legitimate enterprises and staff. Just like other industry sectors, employees and guests are also vulnerable to incidents of workplace violence. This controversial, but nevertheless emerging, market is clearly vulnerable to legal and reputational risks.

Compliance and Regulation Challenges

To direct and assist this new industry in its security needs, regulations and laws have been created by the Canadian government and the U.S. states where marijuana has been legalized. In 2018, Bill C-45, the Cannabis Act (and companion legislation), legalized recreational marijuana throughout Canada. This legislation established national physical security requirements that provinces and territories in Canada must follow. The Canadian government also created Part 4: Physical Security Measures of the Cannabis Regulations (primarily sections 63 to 72), which set minimum physical security standards for cultivators, processors, and retailers, as well as testing and research facilities. These regulations provide a variety of principles or practices that may demonstrate compliance for the specific security requirement where licensees are provided an array of options for their physical security needs.

In the United States, there is a more a decentralized, patchwork-style regulatory environment, where requirements vary by state. At the U.S. federal level, the cultivation, processing, and sale of marijuana remains illegal, resulting in a lack of federal assistance and guidance related to physical security regulations. This has plausibly resulted in a great deal of variation, legal confusion, conflict, and controversy regarding the regulation of the marijuana industry.

Currently in the United States, approximately 35 states have legalized marijuana to some degree. To date, 29 states have an operational marijuana industry and have published or established security requirements. Depending on the state, the marijuana industry is regulated by Cannabis Control Commissions (Massachusetts and Oregon), Medical Marijuana Commissions (Arkansas), or the Departments of Health (Arizona, Minnesota, and Pennsylvania). These state regulatory bodies have established minimum standards that must be met to be awarded a license to operate. These regulations are comprehensive in nature, where security-related requirements are one of the areas that must be met to be eligible to receive and maintain an operational license.

Depending upon the state, applicants must provide detailed plans to state reviewers in a competitive selection process. The applicant that receives the highest overall score is then awarded one of the coveted operating licenses, which are limited in number by state law. As part of the licensing agreement, regulatory agencies can then inspect the operation and note any security issues that arise. Moreover, depending on the state, local governments can also impose stricter security standards than those found at the state level.

Defense in Depth

One approach to understanding the role and need for effective security is the Routine Activities Theory (RAT). Heavily used in the field of security and crime prevention, RAT posits that there are three elements to crime: suitable targets, lack of capable guardianship, and motivated and likely offenders.

Suitable targets can be considered as anything perceived as valuable to a motivated and likely offender. In the case of the marijuana industry, these can be organizational assets including marijuana-related products, grow hardware, or cash. To protect these assets, organizations can use a variety of guardianship-related security measures. These capable guardians can be people engaged in the business of safeguarding property or possessions, or guardians can also be technology and hardware such as sensors and video surveillance. Finally, there is the motivated and likely offender who can be an internal or external threat.

If any one of the three elements are not present, RAT posits that the threat of crime can be reduced or eliminated. This theory has practical applications, and security managers need to be aware that their facilities and products are suitable targets that are vulnerable to motivated and likely offenders, necessitating the need for capable guardianship—which, in this case, translates to an effective physical security system.

In addition to this theoretical foundation for security, an effective physical security system also relies on the principles of defense in depth. Defense in depth is based on the notion that having multiple layers, and different types of security, that are used simultaneously to defend against an attack by an adversary is an effective method to protect organizational assets. These layered security measures slow or prevent an adversary’s progression to the target, allowing for improved detection and security response measures. These layers also improve the organization’s response time to threats, reducing the time it takes to respond to incidents.

The physical security system elements include site characteristics (the area surrounding the asset or building); detection devices (cameras, sensors, and alarms); delay measures that slow an adversary (locks, fences, and other physical barriers); and response elements (guards or law enforcement) that assess and protect organizational assets from being compromised by human threats. All these elements need to be effectively coupled and cohesive in nature to ensure that there are mutually supporting elements in the physical security system.

The review of existing regulations shows that RAT and the elements of defense in depth are required to some extent in the existing marijuana security regulations. Section 5.1.1 (or Part 4 of the Regulations) of Canada’s Physical Security Measures Guide for Cannabis (2019) states that the “the rings of protection concept requires the construction of various rings or barriers of protection...so that the intruder is detected when they surmount the first barrier and the rest of the barriers are present to slow them down to such an extent that the police have arrived before they have departed with the goods.”

Using this “rings of protection” approach, Canada requires that this concept be considered in a site design that includes perimeter, visual monitoring, recording devices, and intrusion detection with continual monitoring (in-house or third party). Other required standards are related to access control and physical barriers (walls, doors, fences, sensors/intrusion detection devices). These physical security standards also require a head of security, an alternate head of security, and an organizational security plan.

In the United States, no states specifically refer to the principles of defense in depth. Depending upon the state, however, some elements of defense in depth are present in the security-related requirements.

Site Characteristics

The review of the Canadian and U.S. state regulations shows that site characteristics related to the physical environment are limited. One common strategy used by security professionals is Crime Prevention Through Environmental Design (CPTED).

CPTED is widely accepted in the field of security where the physical environment is used as a benefit—not a vulnerability—to delay, deny, and deter the actions of adversaries. As a philosophy and a practice, these CPTED strategies can even be psychological in nature. As a psychological deterrent, for example, modifications such as decorative fencing establish territoriality, subliminally informing human threats that the area is private and cared for.

Conversely, if foliage is not properly used, it can obstruct lighting and surveillance activities by humans and video surveillance systems. Foliage can also serve as a form of concealment for threats. However, foliage that is properly used as a security design feature can reduce criminal activity and fears of criminal victimization. Therefore, its existence and location should be a site element that needs to be considered in the design of an effective physical security system.

The review of Canadian and U.S. regulations shows that CPTED is not specifically named in most regulations. Canada’s requirements refer to the need for perimeter security but have no specific criteria for CPTED. In the United States, foliage-based requirements are also uncommon; only Arkansas and Massachusetts have specifications on the control of foliage for marijuana cultivation facilities to ensure unobstructed surveillance activities.

Delay Elements

In Canada, Section 69 requires physical barriers to prevent unauthorized access. These physical barriers include the use of walls, doors, windows, fences, and locks.

In the United States, several states also require delay-related physical security elements. Consider locks. Most U.S. states with legalized marijuana have lock-related requirements for cannabis facilities. The review of this security element shows that most states have general, simplistic statements related to locks and do not require advanced locking technologies, such as electronic card access.

Perimeter fencing is also a common physical security feature to delay threats. Canada, for example, requires that physical barriers be used for cannabis operational and storage areas. Fences must be continuous, without breaks, well maintained, and difficult to jump, climb over, or crawl underneath. Moreover, trenches and culverts must also be secured with fencing or grilles constructed in a manner that prevents someone from exploiting these vulnerabilities.

However, less than half of U.S. states with legalized marijuana have fencing requirements for cultivation sites. Hawaii and Michigan have limited guidelines stating that security fencing is required, providing information related only to the location or placement of fencing. Other states have advanced descriptors in their fencing requirements pertaining to variables such as height, gauge, support posts, and anchoring requirements for fences and gates. Maine has standards for anchoring posts (or requires that posts meet Chain Link Manufacturers Institute guidelines), as well as height, and top guard requirements. Missouri, Nevada, and Oklahoma also have standards for fences that are related to gauge, top guard, fence height, gate, and anchoring requirements.

Biometric-based requirements for access control are limited in Canada and the United States. Biometrics can include voice, fingerprint, hand geometry, iris and/or retina, and face recognition systems. They can help security systems differentiate between authorized persons and threats who have unlawfully acquired traditional keys or access-related mechanisms including PINs, passwords, tokens, or other physical access devices. With biometrics, an authorized person must be present to gain access. And, it is very difficult, if not impossible, to steal another person’s physiological characteristics.

Canada’s subsection 68(2) of the Cannabis Regulations states that a record must be maintained of the identity of every individual entering or exiting a storage area. However, no biometric requirements are referred to. Requirements related to biometric security devices are limited in the United States; only Arkansas requires biometric devices on all external locks.

Detection Elements

Detection elements are some of the most common physical security elements for marijuana cultivators or retailers in Canada and the United States. In the context of alarm monitoring (to detect intrusion), Canada requires that license holders have third-party, on-site, or a combination of strategies to monitor alarms and sensors in external and internal locations. Cultivators, meanwhile, are required to have alarms at all entrances and exits to grow areas. These alarms must be monitored at all times.

In the United States, all cannabis-legal states have alarm system requirements. Some states simply require a system. They include California, Hawaii, Michigan, Nevada, and Oklahoma. Other states have specific criteria that require alarm points (where alarm sensors are required to be located) and specific types of alarms.

Some states also have limited descriptors in the context of alarm points. Alaska requires security alarm systems on “all exterior doors and windows.” Washington and Utah require an alarm system on all entry points and perimeter windows. Colorado also requires alarms on all entry points. These systems must be continuously monitored by an alarm company. Maine, meanwhile, requires sensors on all exterior entry points and windows, with an audible alarm.

Other technology-related surveillance requirements are also commonplace. Canada requires visual monitoring of the entire perimeter, including clear, unobstructed surveillance and full coverage. In the United States, detection-based elements—such as cameras and recording-related standards—are very common and have some of the most detailed requirements in comparison to other aspects of security.

Response Elements

On-site guard forces perform intrusion detection and alarm assessment roles in a physical security program. The primary roles of guard forces are to assess, identify, and respond to threats—interrupting the actions of the intruders during a security incident while preventing threats from completing the attack. Furthermore, the physical presence of guard forces can serve as a deterrent against crime.

In both Canada and the United States, the use of security personnel or guards is often not required. Canada, for example, requires a “head of security” for all cannabis license classes. However, line-level security personnel are not required.

In the United States, meanwhile, five states have requirements related to the use of security personnel in cultivation facilities. Of these, two require security managers. For example, each facility in Missouri is required to employ a security manager. In Nevada, outdoor cultivation facilities are required to employ a security director or manager; sites in Nevada must also have security guards present at all times to monitor and provide adequate levels of security.

Meanwhile, Connecticut has conditional guard requirements. The state’s Commissioner of the Department of Consumer Protection may require a supervised watchman service as an additional safeguard. Florida also requires that at least two employees (or two contract personnel) serve as security personnel. These individuals must always be present where the cultivation, processing, or storage of marijuana occurs.

Lessons Learned

In general, this review of existing regulations reveals that the most commonly required types of physical security are detection-based elements that include technologies related to camera and video surveillance systems. Security requirements related to delay strategies (in some cases using CPTED)—while present—are required to a lesser degree, and site work elements vary, with the Canadian regulations placing more emphasis on these security features. In both nations, response strategies are limited, and guard forces are seldom required.

In the context of RAT and defense-in-depth strategies, the theory and security elements do exist in some current regulations. However, these regulations provide minimal details in the context of type, placement, and utilization. This suggests that relying solely on existing requirements may result in marijuana facilities with unacceptably high levels of risk related to the actions of criminal human threats. For example, during the period of social unrest in the summer of 2020, as many as 43 cannabis related facilities along the U.S. West Coast were looted.

Canadian and U.S. security professionals have an excellent opportunity to ensure that these facilities are adequately protected. By using their expertise and applying the basics of RAT and defense in depth, then vulnerabilities, risks, and crime can be better mitigated and controlled. This is especially important in the United States where the concept of defense in depth is not explicitly explained in existing state requirements (as compared to Canada’s “rings of protection” standard).

The current state of regulations presents an opportunity for the security profession. Now, security practitioners can design and implement a strong physical security system for marijuana-related facilities—one that goes beyond the existing requirements and which will ensure that this emerging industry will remain secure from human adversaries.

Brian R. Johnson is a professor of criminal justice at Grand Valley State University in Grand Rapids, Michigan. His research is related to criminal justice policy issues and practices, and his publications focus on management, criminology, crime prevention, and security.

Christopher A. Kierkus is a professor of criminal justice at Grand Valley State University. He has published on a wide variety of topics including firearms policy, drunk driving prevention, child protection, and applied security issues including economic espionage, and situational crime prevention.

Read more about the layers of Defense in Depth here.