What Does A Cannabis Licensed Producer's Threat Model Really Look Like?
What Is A Threat Model?
In the world of information security, a threat model is sometimes generated to gather all the threats a particular product or organization might face, from the point of view of potential attackers. Going beyond typical panaceas such as ‘patch regularly’ and ‘use 2-factor authentication’, threat modelling takes your security strategy from the general to the specific and allows your organization to effectively defend itself against attackers.
There has been some coverage of the LP security situation in the media, but such coverage rarely goes beyond the aforementioned panaceas, and the best practices it lists are more applicable to technology companies than to producers of cannabis. Before diving into specific threat modelling, however, it’s important to recognize the role of compliance, and why regulatory obligations should ultimately be evaluated alongside threat models.
Threat Models and Licensed Producers
Depending on the type of license you hold or are applying for, you will have a varying set of regulatory obligations related to security. It may be tempting to treat these obligations as the ‘minimum’ level of security you should implement, but it is foolhardy to design your security around regulatory commitments alone, as threat actors are far less interested in government regulations than in exploiting any weakness they might find. A comprehensive security strategy evaluates regulatory commitments in concert with threat models through a holistic approach, arriving at a security architecture that both satisfies regulatory commitments and presents an unfavourable target to would-be threat actors.
LP threat models will undoubtedly focus far more on physical security than those of a typical technology company, largely because the most valuable thing an LP produces is a physical good rather than an information product or platform. If engaging consultants, LPs should make sure there is a significant ‘red team’ component, i.e. consultants acting as attackers, both to carry out basic threat modelling work and to leverage the results for mandatory areas of the Organizational Security Plan (OSP) such as security drill preparation.
Social engineering, or attempting to get employees of an organization to bypass established procedures or otherwise facilitate a threat actor’s unauthorized entry and activity, is also something LPs need to plan for. While technology has been evolving, albeit slowly, to mitigate social engineering with measures like 2-Factor Authentication, the situations that are simplest to social engineer often involve little to no technology, such as a delivery arriving at a licensed producer’s facility. Aside from investing in security technology, LPs should also invest in training for front-line security employees, as they will need to be vigilant in screening arrivals to their facilities.
The Principle of Least Privilege (PoLP) is a concept widely used in information security, essentially meaning that staff should be granted the least amount of privilege needed to carry out their job requirements. It is usually applied to cybersecurity, but it is also a very important component of physical security. It is prudent to give each employee only as much physical access as is needed to perform their job duties, and to carefully consider the risks of credentials being compromised or otherwise misused. It is also important for LPs to realize that 2-Factor Authentication can be applied to physical access too, such as key fobs or keycards that also require a PIN code.
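The two ideas in the paragraph above, least privilege and a second factor for physical access, can be expressed as a small door-access policy. The code below is an added example and is not code from the original article or from any access-control vendor; the roles, zone names, card IDs and PINs are constructed for illustration, and a real badge system would hold the same data in its own database.

```python
"""Added example, not code from the original article: a minimal door access
policy that applies least privilege (role-based zone lists) and a second
factor (PIN) for high-value zones. Roles, zones, card IDs and PINs below are
constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Least privilege: each role may enter only the zones its duties require.
# Zone names are constructed, not taken from any regulation.
ROLE_ZONES = {
    "grower":   {"lobby", "grow_room"},
    "packager": {"lobby", "packaging"},
    "security": {"lobby", "control_room"},
    "manager":  {"lobby", "grow_room", "packaging", "control_room", "vault"},
}

# Zones where a card alone is insufficient: a PIN (second factor) is required.
PIN_REQUIRED_ZONES = {"control_room", "vault"}


def _pin_hash(pin, salt):
    # Store only a salted, stretched hash so a dumped badge database does not leak PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Badge:
    holder: str
    role: str
    salt: bytes
    pin_hash: bytes
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


class AccessController:
    def __init__(self):
        self.badges = {}
        self.audit = []   # every decision, allowed or denied, is recorded for later review

    def enroll(self, card_id, holder, role, pin):
        if role not in ROLE_ZONES:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self.badges[card_id] = Badge(holder, role, salt, _pin_hash(pin, salt))

    def revoke(self, card_id):
        # Lost or stolen cards are revoked rather than deleted so the audit trail stays readable.
        self.badges[card_id].revoked = True

    def request(self, card_id, zone, pin=None):
        decision = self._evaluate(card_id, zone, pin)
        self.audit.append((card_id, zone, decision.allowed, decision.reason))
        return decision

    def _evaluate(self, card_id, zone, pin):
        badge = self.badges.get(card_id)
        if badge is None:
            return Decision(False, "unknown card")
        if badge.revoked:
            return Decision(False, "card revoked")
        if zone not in ROLE_ZONES[badge.role]:
            return Decision(False, f"role {badge.role!r} not permitted in {zone!r}")
        if zone in PIN_REQUIRED_ZONES:
            if pin is None:
                return Decision(False, "second factor (PIN) required")
            if not hmac.compare_digest(_pin_hash(pin, badge.salt), badge.pin_hash):
                return Decision(False, "PIN mismatch")
        return Decision(True, "granted")


if __name__ == "__main__":
    ac = AccessController()
    ac.enroll("card-0001", "A. Grower", "grower", "2468")
    ac.enroll("card-0002", "B. Manager", "manager", "1357")
    for card, zone, pin in [("card-0001", "grow_room", None), ("card-0001", "vault", "2468"),
                            ("card-0002", "vault", None), ("card-0002", "vault", "1357")]:
        d = ac.request(card, zone, pin)
        print(f"{card} -> {zone}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Two design points carry over to a real deployment: the role-to-zone table is the least-privilege policy and should be reviewed whenever duties change, and the denied requests in the audit list are exactly the events worth feeding into the alerting discussed later on this page.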
The cannabis regulations provide LP applicants with a basic framework for video recording and intrusion detection requirements. These two areas are probably the most straightforward as far as security infrastructure planning goes, but LPs can take their architecture further by viewing these technologies through the lens of an attacker, denying avenues of exploitation that might otherwise remain unaddressed.
Anyone with experience in a Network Operations Center or Security Operations Center will know that tuning alarms and alerts is a difficult, sometimes tedious process, but ultimately essential to maintaining effective awareness. Whether the data sources are physical or electronic, it is crucial for LPs to properly baseline and tune their alerting technology so that staff will definitively know the severity of any security-related situation that might arise.
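Baselining and tuning, as described above, is concrete enough to show with code. The example below is added here and is not from the original article or any alarm product: it builds a per-hour baseline of door-sensor activity from a constructed training week, then grades a new day's activity into severities. The log format, sensor names and all events are constructed; the threshold values are assumptions to be tuned against a real facility's history.

```python
"""Added example, not code from the original article: building a per-hour
activity baseline from a training period of door-sensor events and grading
a new day's activity by severity. Sensor names, log format and events are
all constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_event(line):
    """Parse a constructed log line of the form '<ISO timestamp> sensor=<name> event=<type>'."""
    ts, sensor_kv, event_kv = line.split()
    return datetime.fromisoformat(ts), sensor_kv.split("=", 1)[1], event_kv.split("=", 1)[1]


def hourly_counts(lines):
    """Number of 'open' events per (sensor, date, hour)."""
    counts = Counter()
    for line in lines:
        ts, sensor, event = parse_event(line)
        if event == "open":
            counts[(sensor, ts.date(), ts.hour)] += 1
    return counts


def build_baseline(training_lines):
    """Per (sensor, hour): mean and population stdev of daily open counts.
    Days with no activity in that hour count as zero, so a normally quiet
    hour keeps a low baseline. Hours with no activity on any day get no
    entry at all, which classify_day treats as 'never seen'."""
    counts = hourly_counts(training_lines)
    dates = sorted({parse_event(line)[0].date() for line in training_lines})
    sensors = {sensor for (sensor, _, _) in counts}
    baseline = {}
    for sensor in sensors:
        for hour in range(24):
            series = [counts.get((sensor, d, hour), 0) for d in dates]
            if any(series):
                baseline[(sensor, hour)] = (mean(series), pstdev(series))
    return baseline


def classify_day(day_lines, baseline, warn_z=2.0, high_z=3.0, min_stdev=1.0):
    """Grade each (sensor, hour) with activity today against the baseline.
    Thresholds are assumed starting points. min_stdev stops a perfectly
    regular training series from turning a one-event difference into an alert."""
    findings = {}
    for (sensor, _date, hour), n in hourly_counts(day_lines).items():
        stats = baseline.get((sensor, hour))
        if stats is None:
            findings[(sensor, hour)] = "critical"     # activity where none was ever observed
            continue
        mu, sigma = stats
        z = (n - mu) / max(sigma, min_stdev)
        findings[(sensor, hour)] = "high" if z >= high_z else "medium" if z >= warn_z else "low"
    return findings


def make_training_log(start="2024-03-04", days=7):
    """Constructed training data: a regular daily pattern with slight variation."""
    lines = []
    day0 = datetime.fromisoformat(start)
    for i in range(days):
        day = day0 + timedelta(days=i)
        for hour, sensor, n in ((9, "loading_bay", 8 + i % 3), (14, "loading_bay", 2), (10, "vault", 1)):
            for k in range(n):
                lines.append(f"{day.replace(hour=hour, minute=k).isoformat()} sensor={sensor} event=open")
    return lines


TRAINING_LOG = make_training_log()
# Constructed test day: a loading-bay spike, normal afternoon traffic, and a vault opening at 03:12.
TEST_LOG = (
    [f"2024-03-11T09:{m:02d}:00 sensor=loading_bay event=open" for m in range(25)]
    + ["2024-03-11T14:05:00 sensor=loading_bay event=open",
       "2024-03-11T14:40:00 sensor=loading_bay event=open",
       "2024-03-11T03:12:00 sensor=vault event=open"]
)

if __name__ == "__main__":
    for key, sev in sorted(classify_day(TEST_LOG, build_baseline(TRAINING_LOG)).items()):
        print(f"{key[0]:<12} hour {key[1]:02d}: {sev}")
```

The point of the three severities is the one the paragraph makes: the afternoon loading-bay traffic matches its baseline and stays "low", the morning spike is graded "high" rather than merely noted, and the vault opening in an hour with no history at all is "critical" regardless of count. Tuning in practice means adjusting warn_z, high_z and the training window until the severities match what front-line staff should actually respond to.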
When it comes to cybersecurity, LPs should also place high importance on the privacy of both proprietary information and the personally identifiable information (PII) of their clients. Cloud platforms are versatile and often able to deliver turnkey solutions faster than building on-premises architecture. The tradeoff, however, is that at some point you will have to entrust your systems and data to a third-party provider. At a minimum, LPs should assess the potential risk of security issues or breaches with their cloud partners (sometimes also referred to as Managed Service Providers) and either accept that risk or implement mitigations, such as only using servers from cloud providers located in Canada rather than the US.
The overall threat model of LPs is closer to that of industrial control systems (ICS) than to public-facing technology platforms, and there are many best practices to borrow from the ICS ecosystem. The first and most important is network segmentation, or ‘don’t put everything on the internet’. LPs should design their networks to have as little infrastructure on the public internet as possible, and exercise as much access control as possible, such as 2-Factor Authentication, when making use of cloud platforms. By doing this, an LP will present a far smaller attack surface to threat actors and will make a far less appealing target.
Lastly, LPs should be keenly aware of their public information presence and how it may affect spearphishing attempts. Spearphishing is a targeted social engineering attack; standard phishing is less targeted but still attempts to convince an end-user to divulge information or bypass approved processes. An unsophisticated attacker may simply attempt to concoct a believable story for entering a licensed producer’s facility, whereas a more sophisticated attacker may research what information is publicly available about a company and attempt genuine spearphishing. The best way for an LP to defend against this type of intrusion is to be aware of what information is publicly available, and to develop mitigations against threat actors leveraging that information, such as instructing employees to be wary of unfamiliar visitors dropping publicly searchable names related to the company in an effort to gain entry.