“Pay us one million dollars, or your plants die.”
It sounds like something out of a low-rate, slapstick thriller.
Although this cannabis cybersecurity issue is no joke. As cannabis cultivators become increasingly dependent on online automated systems for water, nutrients, lighting, etc., it’s only a matter of time before professional hackers take advantage.
In a nightmare scenario like that, manual override is always an option, but how realistic is that for larger grows? At the very least, it will be a major disruption, compromising day-to-day operations, plant health, seed-to-sale data, and any other valuable info in the system.
These same hackers can also go after dispensaries, stealing customer info and sales data before locking up point-of-sale systems.
For cannabis operators who think this will never happen to them, one only needs to read about the increasing frequency of ransomware attacks on hospitals over the past few months.
As the cannabis industry continues its rapid growth trajectory, it also becomes an ever-growing target for cyber criminals across the world.
“I Guarantee You It’s Going to Happen.”
Ben Goodman, CEO of 4A Security, has seen too many businesses fall prey to the nefarious clutches of overseas hackers. While his team specializes in prevention, they are also frequently called in to help companies address and recover after a breach.
“Basically, you get religion when that happens. A lot of people think that it won’t happen to them, that they are too small and in some rural area – the reality is it doesn’t matter. Hackers are scanning the entire internet.”
According to Goodman, it’s not unusual for businesses – including cannabis – to overlook cyber-related threats.
“Businesses aren’t in business to protect against all the risks, they’re in business to make money. And until they actually feel the pain of a certain risk or threat, they tend to not focus on it too much,” he says.
The more reliant an industry or business is on technology, connected systems, and the Internet of Things (IoT), Goodman continues, the more vulnerable you are if you haven’t actually taken or invested in any precautions. “It’s basically tech debt that a lot of people don’t know they have.”
Another way to think of ‘tech debt’ is like this: imagine building a bridge and skipping out on some of the engineer’s advice to save money. At first the bridge may work fine, but due to its design, it will not withstand all conditions. As stress on the structure increases, those issues are going to quickly rise to the surface – and you can imagine what happens next.
Insecure Infrastructure a Big Issue in The U.S.
Goodman has been in the IT space for more than 30 years. When he founded 4A Security in 2012, he was especially interested in helping healthcare institutions. “Obviously we support clients in many different industries, and for me, cannabis falls into that same area as healthcare because it has a real impact on people’s lives,” Goodman notes.
As IoT becomes more popular, the question of security grows by the day. “The IoT devices themselves are relatively inexpensive, and the manufacturers of those devices are not spending money on security. It’s cost prohibitive to go back and fix all that stuff, so we’ve got a ton of infrastructure that’s insecure and likely to stay that way for a long time,” he explains.
“Personally, I think this is going to be a problem that’s not going to go away. Our infrastructure is kind of rickety, it’s a little bit like our roads and bridges, we haven’t invested to keep it up. So we have a lot of tech debt, and our kids are going to inherit all that tech debt. It just keeps growing and growing – and my motivation is to chip away at that.”
The U.S.’s critical infrastructure is just so vulnerable, Goodman explains, to the point it presents clear health and safety issues. “When you look at healthcare or the electrical grid, [a cyber attack] could be catastrophic. With cannabis growers it’s the same thing. You take out that part of the supply chain, and we are in bad shape.”
Cyber Attacks Can Be Devastating for Any Business
Cyber terrorists can go after a business in all sorts of ways. And the consequences can be costly.
In the case of hospitals, a patient in Germany actually died because a hacker locked up the medical systems.
As for cannabis specifically, a hell-bent hacker can go after point-of-sale systems, stealing customer data before locking everything up.
If you are a cultivator, they can threaten the health of your entire grow by locking up those automated systems, or they could steal trade secrets.
“And it’s not just cannabis. Farmers of all kinds are using automation more and more. It’s efficient and cost-effective, it’s the way of the future for a lot of this industry, a dependence on technology,” Goodman says. “And if you have the mind of a criminal, you see that as a chokepoint: ‘what could I do that’s going to make these guys cough up a million bucks.’”
While ransomware is a substantial threat, hackers antagonize businesses in other ways as well. “One of the common attacks, and this is across all businesses, is what they call business email compromise where you basically get in between the payer and the receiver of funds and the criminal spoofs the identity of a legitimate vendor. They send an email that looks and sounds just like the vendor and they say, well I’m so-and-so, I sent you an invoice, but we’ve changed banks, so please send funds to this bank,” Goodman reveals. “You’d be amazed, but it’s billions of dollars that go flying out the door for these kinds of things.”
How Ransomware Works
If you are unfamiliar as to how ransomware works, the concept is fairly basic.
Essentially, the hacker gains access to your system and infects it with malware, encrypting all of the connected systems, servers, computers, etc.
At that point, the hacker demands a monetary payment – say $100,000 – for them to give you a software key which will unlock your system. And if you don’t pay them right away, they’ll make it $200,000.
“That was the old days – like a year ago,” Goodman explains. “Now they will steal all of your data before locking the system up. ‘Oh you’ve got backups and don’t want to pay us for the key? Good for you; we’re going to dump all your data on the dark web or sell it at auction.’ For a lot of organizations, that’s a painful possibility.”
For growers, just getting your systems locked up can cause all sorts of unwanted disruptions, Goodman notes. “Like I said, I think it’s a matter of time before you see those headlines. And unfortunately, the ransoms have been going up and up. Now you see them in the millions.”
The Thing About Cyber Insurance
While cyber insurance is slowly penetrating the cannabis market to help operators better mitigate against the risk of attack, the insurance won’t actually stop the attack itself.
“Cyber insurance is a different kind of risk management. It’s not really preventing a bad thing from happening, but it’s making the loss a little less painful,” Goodman explains.
And of course if you lose an entire crop, the loss would be astronomical. “If you’re going for coverage like that, the provider is going to make sure you have the systems in place to protect yourself before they write that insurance.”
Threat-Modeling: Inside the Mind of a Hacker
While hackers are thankfully in the minority, one of the things that amplifies their prevalence is the use of automation. They’ll use automated programs to take over hundreds of thousands or even millions of systems and computers all over the world, and they’ll use automated scanners to scan the entire internet for vulnerabilities.
“One of the malicious things they do is send out millions of phishing emails, and it’s a numbers game. One report said there were about 3.5 billion fake emails sent each day. So even if a tiny percentage of people are going to click on those emails, and when they click on those emails they get compromised. That ends up being a lot of compromised systems,” Goodman says.
The people sending out these phishing emails are part of a larger ecosystem, he continues. “The ones sending out these emails aren’t necessarily doing any kind of hacking. They may sell access to these compromised systems, which could sit there for a while, and there might be multiple different organizations that are using those same compromised systems for different reasons.”
Goodman recalls one client who first came to his team after being attacked, and it turned out their servers had been infiltrated by three or four different organizations in China, Russia, and Eastern Europe on multiple occasions, doing different things.
What’s more, hackers can range from organized criminal groups to state-sponsored hackers, to lower-level hobbyists who do their hacking a couple days per week.
For cannabis businesses, the professional organized criminal groups are the real threat. “They will target organizations where they know there is a lot of money to be made. They’ll craft really good phishing emails, do their research, and figure out who to go after in an organization,” Goodman notes. “Once they get in, they leverage those credentials and move throughout the network until they get to where they need to be – in a position where they can do everything they need to do.”
Cybersecurity: Protecting Your Cannabis Operation from Criminals
When Ben Goodman and his team at 4A Security begin working with a new client – whether it’s a startup on a limited budget or a large corporation with IT infrastructure – the first thing they do is look at the client’s operation the way a hacker would before generating a detailed report.
“The first priority is to make sure you’re not the low hanging fruit from a hacker’s perspective. Hackers are just like anybody else – they don’t want to work hard unless they have a chosen target and are specifically going after that target,” Goodman says.
“And in general there are a lot of wide open opportunities for these hackers. People have left the doors open, the roof is down, and the keys are in the car. All somebody has to do is open the door, sit down and go. That’s very common, and we want to make sure our clients are not that guy.”
And while even gigantic organizations can never get their cyber risk down to zero, you can at least mitigate potential attacks significantly by covering all the bases, so that if somebody is going to hack, they’re going to have to work for it, Goodman says.
“But a lot of organizations are completely oblivious. People don’t realize the threat. They think this computer screen is in their living room or office and it’s safe, and they don’t realize that hackers aren’t really limited by geographical boundaries.”
It’s like Covid-19, Goodman adds. You can ignore it, but you can’t pretend it’s not there and that it will just go away. “I mean, it’s different obviously in that we will eventually get Covid-19 under control. But cyber threats are not going away anytime soon. And sooner or later, the cannabis industry is going to be all over the news for this because criminals go where the money goes.”
FREE: For a limited time, 4ASecurity is offering free cybersecurity assessments to readers of The Bluntness!