IIOT cyber security lessons from Africa
By Taz Chikwakwata, Managing Consultant, Cybernesis
Diversity, equity and inclusion teach us that lessons can come from the most intriguing sources and in the most interesting packages if all we do is open our eyes. Quite recently I had the opportunity of sitting on a panel at the AfricaTech Festival which looked specifically at the challenges around securing the Industrial Internet of Things (IIOT).
AfricaTech, which is the biggest conference in Africa, is held annually in the beautiful city of Cape Town, South Africa, bringing together the movers and shakers in the African Technology and Communications space. Representation from across the continent is notable, with no country too big nor too small. With every idea seen as important and significant, the festival is a giant mash of creativity and intellect.
One thing that I found admirable about the conference and Africans in general is the deep-rooted desire to belong to a community. The African proverb “it takes a village to raise a child” is inculcated in every African from birth.
This community value drives the strong relationship culture which Africa is both known for and proud of. In my language, Shona, we call it “hukama”, which means relationships. Ever since I can remember, the ritual of creating family out of strangers has involved the same coordinated questions after exchanging names, starting with “Where are you from?” If a link can be found, then down the rabbit hole of association the conversation goes. If place of origin produces no link, then the search is stepped up a notch: “What is your totem (mutupo)?” Here you have to appreciate that the totem, which is usually an animal, is a gold standard for relationship. People with similar surnames may not be related, but people with the same totem are considered as related as if they were blood kin. My totem is “Shava Museyamwa - Mhofu yomukono”, which in English translates to the Great Eland Bull. Whether the person I may have just met bears the same last name as mine or not is immaterial; as long as they are a Mhofu, we are related. Depending on age and gender they automatically become my brother, sister, father, or aunt, as totems, like surnames, follow a patriarchal lineage. Similarly, a person bearing my mother’s totem is my aunt, uncle, cousin, and it goes on. No matter where I am, as long as there is a Zimbabwean, I will have a relative.
Now, halfway down the article, you must be asking yourself how this lesson on Shona culture relates to IOT security. Well, the thing is that the IOT phenomenon is based upon “things” connecting and communicating with other “things”. For this to happen there must be a common communication medium and protocol, whether this is done wirelessly through Bluetooth, LoRa and WiFi or through fixed wired networks such as Ethernet or DeviceNet. The trump card of any implementation is the simple, seamless communication that in most cases can be established without any end-user intervention. Tie artificial intelligence into the matter along with machine learning and bingo, we have mimicked the African culture of establishing and maintaining relations at all costs. Where there is no relationship, the ultimate goal is to build one. From the perspective of Digital Transformation and experiencing tomorrow’s tech today, this is absolutely amazing, and everything should be done to increase the simplicity and ease of connection.
From a cybersecurity perspective, however, this is an absolute nightmare. The exponential increase from 1 to 1 connections to 1 to many connections multiplies the existing attack surfaces, along with the associated vulnerabilities, at an astronomic rate. Every cybersecurity professional worth their salt wants to see business value protected and in so doing fulfil their duties as a business enabler. One of the easiest ways to do that is to reduce the attack surfaces. This may be a seemingly mammoth task in the face of hyper-connected IOT strategies which are constantly trying to increase those attack surfaces by finding newer, faster, and easier ways for devices to talk to each other. This is compounded by the fact that old legacy technology and protocols such as MQTT, which was originally developed to monitor SCADA system oil lines in “controlled” and isolated environments, are now the go-to for Industrial IOT; yet, out of the box, MQTT lacks basic communication encryption and instead sends messages in plain text. Its robustness, efficiency, economy, and simplicity must be lauded, even in the face of glaring security shortcomings.
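The plaintext behaviour described above is visible in the bytes of an MQTT CONNECT packet. The following is an added example, not part of the original article: it builds an MQTT 3.1.1 CONNECT packet and reports which fields an observer on the network can read when TLS is not enabled. The client ID, username and password are constructed sample values, and the function names are hypothetical.

```python
import struct

def _field(data: bytes) -> bytes:
    # MQTT strings and binary fields carry a 2-byte big-endian length prefix.
    return struct.pack("!H", len(data)) + data

def build_connect(client_id: str, username: str, password: str) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet as a client sends it without TLS."""
    flags = 0x80 | 0x40 | 0x02  # username present, password present, clean session
    body = _field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", 60)
    for value in (client_id, username, password):
        body += _field(value.encode())
    if len(body) > 127:
        raise ValueError("sample builder only handles a 1-byte remaining length")
    return bytes([0x10, len(body)]) + body

def _read_field(pkt: bytes, pos: int):
    (size,) = struct.unpack_from("!H", pkt, pos)
    end = pos + 2 + size
    if end > len(pkt):
        raise ValueError("truncated field")
    return pkt[pos + 2:end], end

def audit_connect(pkt: bytes) -> dict:
    """Report what a passive observer can read from one CONNECT packet."""
    if len(pkt) < 2 or pkt[0] >> 4 != 1:
        raise ValueError("not an MQTT CONNECT packet")
    pos = 1
    while pkt[pos] & 0x80:  # skip the variable-length 'remaining length'
        pos += 1
    pos += 1
    proto, pos = _read_field(pkt, pos)
    level, flags = pkt[pos], pkt[pos + 1]
    pos += 4  # protocol level, connect flags, 2-byte keep-alive
    client_id, pos = _read_field(pkt, pos)
    seen = {"protocol": proto.decode(), "level": level, "username": None,
            "client_id": client_id.decode(), "password_exposed": False}
    if flags & 0x04:  # will flag set: skip will topic and will message
        _, pos = _read_field(pkt, pos)
        _, pos = _read_field(pkt, pos)
    if flags & 0x80:
        user, pos = _read_field(pkt, pos)
        seen["username"] = user.decode()
    if flags & 0x40:
        _, pos = _read_field(pkt, pos)
        seen["password_exposed"] = True
    return seen

# Constructed sample values, not taken from any real deployment.
SAMPLE = build_connect("pump-station-07", "plc-gateway", "constructed-secret")
```

Every field the audit reports is read without any key, which is why an MQTT listener carrying credentials or process data belongs behind TLS.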
To tackle this quandary, we will look again at the African culture of relationships. As I mentioned earlier, when Africans meet a “new” unfamiliar face every effort is made, not only to establish some sort of relationship that brings that person into their “circle of friends” but also to understand each and every relationship. All too often I have sat through pleasantries where two people, normally of the older generations, narrate their entire lineage and relations in the hope that their new acquaintance may recognize a name, place or totem with which they are familiar. Going back to the totems, there are different derivatives under the various totems. For example, my very own mother was a Shumba - Siphambi, which means Lion in Shona. It is always a common joke that a man, such as my father being an Eland Bull, should not marry a woman whose totem could easily eat his. Back to our derivatives. As much as my mother was a Lion and any man whose totem is a Lion should automatically become my uncle, if their derivative is not Siphambi but something different like Shumba – Mhazi, there is unfortunately no relationship to speak of and other efforts must be made to establish a relationship.
I mention this because, with cybersecurity, it is only possible to protect what you know, and know not only on the surface but deeply. It is nearly impossible to understand or protect an asset from a SYN Flood attack if you do not understand the fundamentals of SYN/ACK handshakes in an IP network. It is this requirement to understand how things work that has made me so fond of cybersecurity, because surface knowledge will not cut it. One needs to understand the technology and exactly how it works and how it communicates with other technology to build its cyber resilience. The field of cybersecurity has grown in leaps and bounds. Although nowadays there is a huge requirement for non-technical cybersecurity experts, let us not frown upon the hardcore technology specialist who has spent the greater part of their life understanding, or in some cases developing, the intricacies in certain tech that we now consider basic, such as Bluetooth. That person is best positioned to understand and protect the attack surface and vulnerabilities that new IOT devices introduce into any environment, be it at home or at scale in enterprise setups.
Turning again to African culture, once the relationship has been established and fully understood, every effort is made to maintain the relationship, especially where it matters most. The question is, where does it matter most? In African rural settings it matters most during public social gatherings, notably at funerals. It is taboo and unheard of to miss a funeral unless an Act of God forces that fate. Funerals are unplanned and un-budgeted but in solidarity and “Ubuntu,” attendance is non-negotiable. This is the opportunity to pay last respects to the dearly departed and, more importantly, to maintain good relations with the remaining loved ones.
In the world of IOT security, once that relationship has been fully appreciated and understood it is imperative to document and maintain that knowledge, being sure to constantly revisit, patch and upgrade the technology around the communication between the IOT devices. Simply being aware of the vulnerabilities and their intricacies is critical, but leaving it at that is a recipe for disaster. The discoveries must be constantly and consistently managed, as with our African relationships. Like African funerals, the remediation of security issues that pop up on the CVE (Common Vulnerabilities and Exposures) list and the NVD (National Vulnerability Database) is unplanned and un-budgeted, but at the risk of facing breaches they must be addressed immediately at all costs. IIOT security in most cases deals with IT/OT integrations and critical infrastructure whose erroneous functioning can quite literally result in life-or-death situations. Maintenance is imperative. Unfortunately, this is where the African culture parallelism ends. A faux pas in cultural protocol can be forgiven, but when critical infrastructure is breached and lives are lost, the consequences, more often than not, are unpardonable.
Avoiding such mistakes requires the right guidance. As African culture is guided by grey-beards and matriarchs, the ISA/IEC 62443 standard guides the secure implementation and maintenance of electronically secure industrial automation and control systems. Lend yourself and your management system to it and reap the rewards in bucket-loads.
The next time you introduce new technology into your existing infrastructure, remember this lesson out of Africa! Make every effort to garner a deeper understanding of the relationships between the devices, considering each device on a case-by-case basis. Establish what you need to protect, how you need to protect it, when and where the protection is required, and why. Once you think you’re done, get a second eye to review your discoveries and strengthen your knowledge of your IOT. In so doing you will enable the secure deployment of next-generation IOT advancements.