By Wael Lahoud
By Wael Lahoud
Over the past five years, Canadian businesses have seen the threat of hacktivism, cyber extortion and the incidences of data breaches grow exponentially. No industry is immune to these threats, not even license producers of cannabis across Canada.
For every LP, securing their operation is not an option; furthermore, managing their risks of exposure to regulatory scrutiny, litigation, reputational costs, and business loss is becoming a daily task they cannot ignore. Throw in the mandatory breach reporting, notification measures, and the costly fines proposed by the Digital Privacy Act (Bill S-4) and its amendments to PIPEDA, security concerns for LPs are only going to increase in complexity.
Canada’s Access to Cannabis for Medical Purposes Regulations (ACMPR) act stipulates requirements for physical security at cannabis production facilities. Many producers — whether licensed or in the licensing application phase — rely on physical security integrators or consultants for selecting the proper security equipment and measures to comply with ACMPR regulations. Unfortunately, the security design plans, selection of equipment and their implementations are often executed in silos without an overarching organizational-wide security program that includes a holistic view of cyber security and its related business risks.
Current physical security technologies, such as video surveillance, electronic access control, intrusion detection, and their monitoring and management systems increasingly rely on IP networks. Most of this is done by local on-premise or over wider networks spanning beyond the LPs premises and control. Despite the many advantages IP-based physical security systems present, the fact of the matter is that many are still vulnerable to cyber security attacks due to manufacturers lagging on securing their equipment throughout the production process or installers and designers not considering cyber security as a priority or part of their scope.
With the digital transformation trends in IT and the LP’s shift to using operational technology (OT) for production, environmental and other building control
efficiencies, it is not uncommon to see IoT and physical security systems converging on a unified network platform. In other words, security is now operating alongside other business-critical systems that deal with clients’ private health and sensitive data. Because of this convergence of technology, LPs are now at risk of having potential security gaps that may be neglected or otherwise missed.
Other aspects of this problem include the misperception that designing and implementing physical security systems on segregated or separate IP networks eliminates the need for extensive cyber security measures. In fact, the converse is true in that the stakes are even higher when such networks are advertently or inadvertently linked to the production or enterprise networks to meet operational requirements. Examples include the remote video surveillance monitoring by third-party security service providers or even local monitoring by security managers over the corporate network. Again, leaving LPs exposed to the same critical cyber security business risks and losses that are commonly reported in the news these days.
ACMPR Security Compliance is a regulatory requirement, and it should not be considered an ultimate secure state for LPs as it may only provide them with a false sense of security. The incidences of cyber security breaches of physical security systems is on the rise, despite the hefty investments in traditional security measures, such as firewalls and anti-virus software. For me, relying solely on these old-school approaches and managing security in physical and logical silos within an organization is simply not working.
Security should no doubt be a critical aspect of every LPs business plan and ultimate success. It is a complicated and expensive issue that cannot be ignored – an issue that is only going to become more complex because of the converged relationship between an LP’s physical and cyber security controls, measures and processes.
Embrace organizational change by assigning an organizational-wide qualified security leader accountable for all aspects of IT, OT, physical security, and even IoT.
Actively engage cyber security subject matter experts or independent consultants, not associated with any manufacturer or security service provider, in all facets of IT, OT and physical security planning, design, implementation, and operations.
Develop a comprehensive and converged security program while ensuring that overall electronic security measures and their overall architecture form part of the organizational cyber security program.
Avoid replicating the risks associated with flawed physical security designs and invest the proper time and resources in analyzing your organizations’ specific cyber security risks. Replicating vulnerabilities may expose your business as well.
Have a cyber security plan ready and be sure to practice it – cyber security should not be an afterthought.
Wael Lahoud is a professional security consultant, advisor and expert in physical security with over 14 years of experience. He is the founder/owner of Goldmark Security Consulting, which focuses on the security risks and the intersection of business and technology.