In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.


Cyberattack Leaves Ontario Cannabis Store Unable to Fill Orders

The Ontario Cannabis Store (OCS), the monopoly wholesaler of adult-use marijuana in Canada’s most valuable market, suspended deliveries to stores after a cyberattack on the parent company of contractor Domain Logistics, which operates the OCS distribution center. The attack occurred “late on Friday August 5,” according to an email the OCS sent Monday night to Ontario retailers. OCS said it is working with Domain Logistics and independent cyber-security experts to determine the extent of the breach, adding that there is no evidence that its computer systems were targeted or that customer data has been compromised.

“The Ontario Cannabis Store’s distribution centre is in the process of returning to operational status,” the government-run cannabis distributor said on its website late Wednesday afternoon. “A small number of deliveries from the distribution centre will be made later today, beginning with the delivery of the orders that were impacted at the time of shut down.”

There are two important security takeaways that we want focus on from this story.

  1. Blended Threats! Gate 15 defines a blended threat as “a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.” When analyzing threats and working to mitigate risks, it is important to understand how these threats can move from one arena into another. The biggest mistake an organization can make when facing cybersecurity incident is to strictly think of it as an IT issue. The OCS examples shows very clearly how a cyber incident can have implications on physical operations. We will have more on blended threats later in the blog post.
  2. Third Party Security! As our organizations scale up and we begin to connect with more and more third party vendors, each of those connections opens up a new security risk for our organization. Maintaining a proper understanding of our business connections, as well as properly vetting our business partners is crucial to ensure sensitive business and customer data remains secure. The National Institute of Standards and Technology (NIST) has developed a Risk Management Framework. The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector. Gartner has indicated that “More than 80% of legal and compliance leaders tell us that third-party risks were identified after initial onboarding and due diligence, suggesting traditional due diligence methods in risk management policy fail to capture new and evolving risks.” Their Third Party Risk Management ebook is available for free download and may be a useful resource. Total Security Advisor also recently discussed “9 Pro Tips to Protect a Growing Industry” in which they outline several key steps organizations can do to enhance their cybersecurity. 
CISA Releases 2021 Top Malware Strains

This joint Cybersecurity Advisory (CSA) was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). This advisory provides details on the top malware strains observed in 2021. Malware, short for “malicious software,” can compromise a system by performing an unauthorized function or process. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.

In 2021, the top malware strains included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations. The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.

CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of this joint CSA. These mitigations include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems especially for known exploited vulnerabilities, making offline backups of data, and enforcing multifactor authentication (MFA).

The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader.

  • Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years.
  • Malicious cyber actors have used Qakbot and Ursnif for more than a decade.
How MFA Saved the Day for Cloudflare and Not So Much for Cisco

We are sharing the following report from our friends at the Water Information Sharing & Analysis Center (ISAC). They do a great job of explaining a few recent incidents, but more importantly, emphasize the fact that “despite the fact that Cisco has experienced a compromise, it has been extremely forthcoming on how the actors bypassed and further enumerated its environment. What’s more notable, the threat actor behaviors Cisco describes is NOTHING new or innovative. It’s the same behaviors we read about every day – confirming that threat actors keep doing the same thing because the same thing keeps working for them. Read more on Cloudflare at SecurityWeek and on Cisco at Talos Intelligence.”

Organizations are highly encouraged to read and distribute the Talos Intelligence post as appropriate to senior leadership and legal teams. The report is not only a good example of cyber incident response, but a great model of public disclosure for the greater global good. Yes, Cisco has a duty to the world to be as transparent as possible, but we should all be so forthcoming. Does it mean everyone needs to be public about who they are – absolutely not!! Non-attributable reporting is why the ISACs/ISAOs exist. I beg everyone to stop keeping your cyber incidents so close to the vest. ISACs/ISAOs thrive on being able to help their sectors/communities understand the threats facing them. We do that best when we receive member reports that we anonymize and report out for the benefit of all members. Sadly, far too often, the news ends up leaking from elsewhere anyway, and that’s unfortunate to first hear something about a sector organization’s cyber incident from the mass-media news.

Physical Security

Potential New Wave of Civil Unrest Could Impact Cannabis Industry 

The FBI search of former President Trump’s Florida residence this week has inspired a fierce backlash among his supporters, fueling concern among experts about the escalating risk of political violence. Some of the public responses among Trump supporters has ranged from sharp criticism over the Justice Department’s tactics to much more incendiary rhetoric. On Thursday a man attempted storming the FBI building in Cincinnati, Ohio. After failing to gain access to the building, Ricky Shiffer, who is being investigated for potential ties to extremist groups including the Proud Boys, fled before engaging in a several hours stand-off with law enforcement which ended when he raised his weapon towards the officers and was shot. Additional reporting shows that Shiffer participated in the attack on the U.S. Capitol on January 6, 2021.

“On August 11, 2022, at approximately 9:15 EST, the FBI Cincinnati Field Office had an armed subject attempt to breach the Visitor Screening Facility (VSF),” the FBI’s Cincinnati Field Office said in a statement today. “Upon the activation of an alarm and a response by armed FBI special agents, the subject fled northbound onto Interstate 71.” The suspect, Ricky Walter Shiffer, 42, reportedly fired a nail gun when trying to enter the FBI office and was armed with an AR-15-style rifle. He then fled the scene driving a Ford Crown Victoria.

The outrage over the FBI search of Trump’s home comes at a particularly tense moment in American politics, as the share of partisans who think violence is sometimes justified to achieve political ends has grown significantly. According to researcher Nathan Kalmoe, around one in five partisans say violence by their own party is at least a little justified to advance its goals. 

Jared Holt, senior research manager at the Institute for Strategic Dialogue (ISD) stated, “We’re starting to track some calls for protests, we’ve seen a couple kind of floated around, but nothing’s really centralizing at this point,” he said. “There have been at least a couple instances where this has inspired extremists to call for protests or call for mobilization. We’re going to keep an eye on that and see how that evolves.”

As we have discussed in previous posts, any form of large-scale civil unrest could pose direct and indirect threats to the cannabis industry. On the one hand, protests can further tax law enforcement resources, which could lead to cash-based businesses needing to increase security presence to deter robberies. In addition, the potential for protest and counter-protest clashes can lead to violent outburst which can impact the ability to conduct business, as well as the safety of costumer and employees.

Among the protest activity that has been discussed online:

Alberta Rethinks Cannabis Store Window Coverings After Robberies

Regulators in the Canadian province of Alberta have scrubbed a rule that led to cannabis stores covering their windows after “a significant rise in commercial robberies,” particularly in the largest city of Calgary. Some robberies have involved violence and weapons, an Alberta Gaming, Liquor and Cannabis (AGLC) executive wrote in a Tuesday letter to licensed stores, which was obtained by MJBizDaily. Police told the Calgary Herald there were 29 cannabis store robberies in 2021, with more occurring this year.

Recently Cannabis ISAO leadership had the opportunity to attend a cannabis industry safety briefing by the Washington State Crime Prevention Association, and you can find a copy of the informative presentation here.

Recent Cannabis Robbery Related headlines include:

New Zealand Sees Uptick in Vehicle Rammings Targeting Retail Locations

Over the past three days, there have been over a dozen robberies featuring a vehicle ramming committed around Auckland, New Zealand many of them carried out by juveniles. This included a daylight robbery on Queen St. in the central business district by offenders as young as 14 and a total of six ram raids on Sunday night across South Auckland, North Shore and central Auckland. Supermarkets, liquor stores, and jewelry shops have been among the businesses targeted.

 A recent report from the U.S. Department of State indicated that “Private-sector security managers should work with local law enforcement to create open lines of communication and ensure that any negative trends affecting a location are understood and planned for within the organization. While New Zealand is not changing overnight into a high-threat location, it is generally one where those with operations give only basic credence to physical security preparation, aside from spectacular attacks like in Christchurch and concerns about earthquakes. It is imperative for the private sector to acknowledge that even in safe locations like New Zealand, worrying trends in crime could affect their operations without proper planning and understanding.”

In a global society, trends, including crime trends, can easily transcend borders. Smash and grab robberies have been an ongoing and growing issue for retailers, with some involving vehicle rammings. Facilities that may be more susceptible to vehicle rammings either from local crime trends, or the physical location of their facility, may want to consider conducting a vehicle ramming threat assessment and initiate mitigating steps.

CISA provides a Vehicle Ramming Self-Assessment Tool which could be useful.

Natural Events

Updated Atlantic Season Hurricane Forecasts

Colorado State University’s Tropical Weather & Climate Research team have decreased their forecast but continue to call for an above-average 2022 Atlantic hurricane season. Sea surface temperatures averaged across the tropical Atlantic are slightly warmer than normal, while subtropical Atlantic sea surface temperatures are cooler than normal. Vertical wind shear anomalies averaged over the past 30 days over the Caribbean and tropical Atlantic are slightly weaker than normal. Current La Niña conditions are likely to persist for the rest of the Atlantic hurricane season. Researchers continue to anticipate an above-normal probability for major hurricanes making landfall along the continental United States coastline and in the Caribbean. As is the case with all hurricane seasons, coastal residents are reminded that it only takes one hurricane making landfall to make it an active season for them. They should prepare the same for every season, regardless of how much activity is predicted.

Atmospheric and oceanic conditions still favor an above-normal 2022 Atlantic hurricane season, according to NOAA’s annual mid-season update issued today by the Climate Prediction Center, a division of the National Weather Service. “I urge everyone to remain vigilant as we enter the peak months of hurricane season,” said Secretary of Commerce Gina Raimondo. “The experts at NOAA will continue to provide the science, data and services needed to help communities become hurricane resilient and climate-ready for the remainder of hurricane season and beyond.” NOAA forecasters have slightly decreased the likelihood of an above-normal Atlantic hurricane season to 60% (lowered from the outlook issued in May, which predicted a 65% chance). The likelihood of near-normal activity has risen to 30% and the chances remain at 10% for a below-normal season. 

NOAA Wildfire Portal

The National Oceanic & Atmospheric Administration (NOAA) plays a vital role supporting partners in preparing for the threat of wildfires and in battling the blazes that endanger life and property. NOAA’s forecast products range from short-term warnings to long-term seasonal predictions, and include air quality and smoke forecasts related to wildfires. NOAA also provides real-time fire and smoke detection tools using new imaging capabilities from geostationary and polar orbiting satellites. You can start reviewing these at their new web hub here.

Blended Threats: Weather Impacting Business Operations

Late last month, heavy monsoonal rains saturated Las Vegas, sending water cascading into casinos, as previously noted in these reports. The extreme nature of the incident is consistent with what can be expected as global temperatures rise amid climate change, experts said, drawing parallels with the historic flooding that damaged Yellowstone National Park in June.

“We’re already in a climate where the odds of intense precipitation are elevated,” said climate scientist Noah Diffenbaugh, a professor and senior fellow at Stanford University. “And we have a clear understanding that as global warming continues, the heavy precipitation events are likely to continue to intensify overall.”

Last month we saw how Europe’s heatwave had led to Google Cloud and Oracle Cloud outages after cooling systems failed at the companies’ data centers. Nearly three weeks later and the impacts of the heatwave are still being felt in the healthcare sector as two of the UK’s leading hospitals have had to cancel operations, postpone appointments and divert seriously ill patients to other centers as a result of their IT systems crashing.

Like we discussed in the Ontario attack, threats that start in one area, can impact a completely different side of our operations. As we continue to deal with a changing climate, cannabis organizations are encouraged to examine how extreme weather incidents can impact their operations and make the necessary adjustments.

A recent issue of Venue Professional magazine featured an article that highlighted the potential impacts from blended threats. The article examines past case studies including the 2018 Winter Olympics and the attack on the San Jose Earthquakes concessions vendor to demonstrate the threat of blended attacks. The author encourages these types of scenarios to be included in future tabletop exercises in order to allow organizations to fully prepare and mitigate the impacts of these types of complex attacks. Some of the questions facility operators will want to be asking include:

  • What plans are in place if a cyber attack disrupts physical operations just prior to a high-profile event?
  • Who would be involved in responding to a cyber-physical incident?
  • What connected systems are in the venue?
  • Are these systems all on one network or multiple, segmented networks?
  • Who is responsible for maintaining security updates on these systems and networks?
  • What plans are in place for communicating with staff and patrons should normal communications become compromised or otherwise unavailable?

Check out the latest blog highlighting issues important to cannabis security!