Securing Marijuana Dispensaries
Uruguay paved the way. In 2013, it became the first nation to fully legalize marijuana for both medicinal and recreational use. Canada followed suit in 2018. And a patchwork of U.S. states has joined the movement.
Despite still being considered a Schedule I drug by the U.S. federal government, marijuana is legal for recreational use in 11 states and Washington, D.C.; decriminalized in 15 states; and legal for medical use in 33 states.
Due to this, dispensaries are now commonplace in U.S. states that have legalized the use of marijuana. And these dispensaries need to meet a variety of security requirements to remain in compliance with state regulations—and to stay open for business.
For instance, Colorado—which legalized marijuana for medicinal and recreational use—requires dispensaries to have a security alarm system on all perimeter entry points and perimeter windows and a continuous monitoring system. This monitoring system must have cameras that are within 15 or 20 feet of each door, at every ingress or egress of the facility, and at all points of sale to capture what is happening during a transaction, says Chris Jensen, cannabis market manager for March Networks, an intelligent IP video surveillance company.
“Anywhere there is cannabis stored, packaged, or grown…there needs to be full coverage of that facility,” Jensen adds. “It’s difficult for integrators and end users because being compliant with the regulation doesn’t necessarily always equal security, and good security doesn’t always meet the regulations.”
Cultivation centers—where marijuana is grown—are also required to adopt security measures to show they are not easily accessible by unauthorized individuals, according to Colorado’s state licensing authority.
“The main regulatory compliance in Colorado is based around detailed tracking of the plants themselves,” says Jeff Corrall, strategic partnerships and integrations at March Networks.
“Every plant needs an RFID tag; every cultivation facility needs to be monitored.”
This often means adding security technology, such as cameras and video management systems, that is connected to networks, which introduces additional cyber vulnerabilities of the kind many traditional retail facilities face.
“Across the retail landscape, cybercriminals are looking for the same payday in their assaults: sensitive and valuable data such as credit card information, personally identifiable information (PII), and even trade secrets and/or intellectual property,” wrote Associate Managing Director of Kroll’s Cyber Risk practice Matthew Dunn in a white paper. “Cannabis retailers are particularly attractive targets not only for the coveted customer data they hold; cybercriminals are always on the lookout for businesses operating in a young and rapidly growing industry, like the cannabis sector, where many retailers have not incorporated mature cybersecurity practices into their business processes.”
Dunn previously served as the supervisory special agent for the FBI’s Cyber Crimes/Counterintelligence Squad in Nashville, Tennessee. Drawing on that expertise, he wrote the white paper “The Impact of Cyber Crime in the Cannabis Industry” for Kroll, a major consulting firm, earlier this year.
Based on his work with the FBI and at Kroll, Dunn found that the cannabis industry is a target for traditional cyberattacks—such as credential theft to gain access to systems and corporate networks, ransomware attacks, and intelligence gathering. Dispensaries are an especially lucrative target because of the kinds of data they have access to that could be used to hurt the dispensary or gain leverage over its customers.
For instance, if a malicious actor gained access to the dispensary’s camera system, he or she could use it to monitor customers and how regularly they purchase marijuana—information the customer may not want to be public, says Stan Engelbrecht, CISSP, director of the cybersecurity practice at D3, an incident management and response company.
“Extortion, which is generally a face-to-face item, can be done remotely now with no recourse,” Engelbrecht explains. “There’s no real ability to go after someone who is on the other side of the world.”
Dispensaries that serve high-profile customers, such as those in Los Angeles or Washington, D.C., could be targeted to conduct these kinds of attacks on their clientele. And gaining access to the camera network, if the network is not segmented, could give malicious actors a foothold to obtain additional records that dispensaries store about their customers.
“This unexpected negative exposure could potentially threaten clients’ livelihoods,” Dunn wrote. “Cannabis retailers must consider the additional privacy customers expect when they provide their personal data to a dispensary to conduct a transaction.”
Because of this risk, and increased expectations of privacy, Canada—which legalized marijuana in 2018—has focused dispensary security regulations mainly around data protection.
Canadian dispensaries are required to report if they have experienced a data breach, to take reasonable measures to secure data they store on customers, and to limit the customer data that they collect, says Lisa R. Lifshitz, partner in Torkin Manes’ Business Law Group.
Lifshitz says she anticipates additional guidance and possible regulation from the Canadian government but adds that it has not been released yet because the legal recreational marijuana market is still getting off the ground.
This is why it’s critical for dispensaries and cultivators to adopt good cyber hygiene now, training their employees about the risk of cyber threats and ensuring that security technology is properly installed.
Cultivators especially need to be aware of the risk that the Internet of Things poses to their operations, similar to risks to other agricultural facilities.
“Many grow operations utilize automated, Internet-accessible watering, temperature, and humidity control systems and lighting programs,” Dunn wrote. “The same IoT vulnerabilities that accompany video surveillance exist with these systems. For example, if a competitor were able to access these environmental systems through weak cybersecurity measures, they could overwater, create cold temperatures, or turn off lights that could effectively cause a crop failure.”
Because of these risks, marijuana dispensaries and cultivators should make sure that IoT devices—such as cameras—are set up on local area networks, firewalls are in place, and the devices have unique usernames and passwords. Dunn adds that employees should also be required to use two-factor authentication for all accounts associated with the business.
In addition, organizations should limit how many people have administrative rights on the network, because that will limit exposure, Dunn explains.
“Because if the bad guy is able to compromise your account and you had administrative rights, then they have full access to your network,” he says. “So, use a policy of least privilege. Give people access to the network, but just what they need for their job.”
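The recommendations above (IoT devices kept off the Internet and on their own network segment, unique device credentials, two-factor authentication, and least privilege) can be checked against an inventory. The following is an added example, not from the article or from Kroll; the inventory, field names, subnet, and the rule that only IT staff need administrative rights are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_KINDS = {"camera", "irrigation", "hvac", "lighting"}
ADMIN_ROLES = {"it"}                   # assumption: only IT staff need admin rights
IOT_NET = ip_network("10.0.20.0/24")   # assumption: dedicated IoT segment

# Constructed sample inventory (not real data). "cred" names the credential
# set configured on the device; the inventory never stores the password.
DEVICES = [
    {"name": "cam-door-1", "kind": "camera", "ip": "10.0.20.11", "cred": "factory-default", "internet": False},
    {"name": "cam-pos-1", "kind": "camera", "ip": "10.0.20.12", "cred": "factory-default", "internet": False},
    {"name": "grow-hvac", "kind": "hvac", "ip": "10.0.10.40", "cred": "hvac-unique", "internet": True},
    {"name": "pos-1", "kind": "pos", "ip": "10.0.10.5", "cred": "pos-unique", "internet": False},
]
ACCOUNTS = [
    {"user": "alice", "role": "it", "admin": True, "two_factor": True},
    {"user": "bob", "role": "budtender", "admin": True, "two_factor": False},
]

def audit(devices, accounts, iot_net=IOT_NET):
    """Return sorted (rule, subject) findings for the inventory."""
    findings = []
    by_cred = defaultdict(list)
    for d in devices:
        if d["kind"] not in IOT_KINDS:
            continue
        by_cred[d["cred"]].append(d["name"])
        if d["internet"]:                        # reachable from the Internet
            findings.append(("internet-exposed", d["name"]))
        if ip_address(d["ip"]) not in iot_net:   # shares a segment with business systems
            findings.append(("not-segmented", d["name"]))
    for names in by_cred.values():               # same credential set on several devices
        if len(names) > 1:
            findings.extend(("shared-credentials", n) for n in names)
    for a in accounts:
        if not a["two_factor"]:
            findings.append(("no-2fa", a["user"]))
        if a["admin"] and a["role"] not in ADMIN_ROLES:
            findings.append(("excess-admin", a["user"]))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in audit(DEVICES, ACCOUNTS):
        print(f"{rule:20} {subject}")
```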
Marijuana Criminalization in the United States
Marijuana was first criminalized in the United States when the Marijuana Tax Act of 1937 was enacted. The act was struck down as unconstitutional but was then replaced with the Controlled Substances Act that created the schedules that the U.S. Drug Enforcement Agency uses to classify drugs based on their abuse or dependency potential.
There are five schedules, with Schedule I being drugs considered to have the highest potential for abuse and dependence. Drugs that are in this schedule include marijuana, heroin, lysergic acid diethylamide (LSD), methylenedioxymethamphetamine (ecstasy), methaqualone, and peyote.
Possession of marijuana in the United States is considered a misdemeanor on the first offense, but selling marijuana is almost always considered a felony—as is cultivation, or growing marijuana. Second-offense penalties for possession and selling vary from state to state.
Sixty-one percent of Americans now support some level of marijuana legalization, for either medical or recreational use, a drastic increase from 30 percent in 2000, according to an April 2019 General Social Survey by NORC at the University of Chicago, a nonpartisan research institution.