Physical network security: dig it deep or hang it high

By Ben Roberts

Investing heavily in cybersecurity but failing to physically protect the equipment itself is a bit like leaving your house with the alarm on but the backdoor wide open.

Businesses face a huge challenge in protecting networks from cyber-attacks, but consider for a minute some of the
complexities involved in physically protecting network and ICT infrastructure. I am responsible for the network operations of the largest independent pan-African fibre network.

For Liquid Telecom, our physical security requires meticulous planning to minimise the risk of fibre cuts or theft of network equipment. In a nutshell, our tactic is too dig it deep and hang it high. Our fibre can either be found 1.2 to 1.5 metres safely tucked away underground, or at the very top of utility poles running alongside electricity lines.

Other operators in the region are deploying fibre as fast as they can, but sometimes at the cost of leaving their networks exposed. In several cities I have visited there are many cases where the wires have sunk so low from the pylons that anyone could come along and grab hold of them or inflict accidental or malicious damage.

There are some incidents that are hard to avoid, however. Contractors digging up roads, for example, may accidentally hit and damage fibre – often reburying them and running away shortly afterwards. Or criminals sometimes venture down manholes and destroy fibre during a misguided quest for copper. Most ICT and telecoms networks will have different levels of site classifications requiring different levels of security. The architecture of any
modern big network is highly distributed. And naturally leads to 3 or more levels. At the core or central office sits the data centre, at branches or network nodes sits networking equipment to connect users to the central office, and at the edge are the devices which access the network.

The impact of failure or data loss at data centre level could leave a whole country or business affected by service failure, and so these are our most secure sites: electric fencing, full CCTV coverage, armed guards, access control finger readers – the full works. The impact of failure at a branch office could impact service availability across an entire region or location.

Security remains high at these sites, which are monitored by CCTV and security guards. The impact of failure from an edge device will only impact a user or small group of users. Edge devices can include network CPE devices, laptops, smartphones and point of sale devices. Here edge switches are kept under lock or entrusted to specific
individuals. Theft may have minimal impact on business continuity but can result in large amounts of data loss if devices localise data that is not encrypted and backed up to the central office.

Network infrastructure is generally not the most obvious target for criminals, but the growing threat of terrorism is changing attitudes to protecting physical infrastructure. Deadly terrorist attacks across East Africa have prompted businesses to invest further in physical security across their operations.

In 2006, I was working in Nigeria alongside an engineer, who asked me to wait in his car while he went to attend a quick job at a bank.

He wasn’t quick and after half an hour, I decided to go and find him. I strolled through the building into the room where the main core banking servers were located to find the engineer. The firewalls in the racks remain to this day some of the largest I have ever seen. But I was able to walk straight up to them without a single person asking me for ID.

All that investment in protecting the networks from cyberattacks, without giving a second thought on how to secure the equipment itself. This would never happen anywhere in the region today. Over the last ten years, businesses have
woken up to this kind of vulnerability – be it more down to fear of a criminal brandishing a gun rather than one with a memory stick hidden up their sleeve.

But it still serves as a valuable lesson to businesses: investment in the latest cybersecurity technologies should always be matched with investment in the physical protection of your equipment.

(Ben Roberts is the CEO of Liquid Telecom Kenya. This article has been reproduced from Liquid Telecom’s report “CYBERSECURITY & DATA PROTECT ION AFRICA REPORT“)