Inmarsat PLC is a British firm that specialises in satellite-based telecommunications. It provides mission critical data and telephone services to users across the globe. The company employs 1,500 people around the world and counts commercial enterprises, governments and humanitarian organisations as its clients. This gives the firm a unique perspective on cyber security. On one hand it needs to maintain its own security posture and, on the other, it is responsible for maintain its clients’ communications.
Tell us about the rules that govern satellite launches and locations
Satellites are all geo-stationary, so they stay in the same place, but they’re all around the equator so they do sit above various parts of the world. That’s all managed by UN-type agencies who oversee who has what space. The spectrum you can use is managed on a global basis with organisations.
The geo-politically sensitive issue is that the services a satellite provides need to land at a ground site that’s directly in line with the satellite. We have constellations which are made up of between three and four satellites, guaranteeing coverage around the whole world depending on the band of the satellite; however, the ground network needed to make it all work together can touch sensitive countries.
Therefore, the geo-political aspects can sometimes include governments wanting to access data that lands in their country. We have to choose and carefully manage where we put those ground stations.
Increasingly, we’re transferring data from satellite to satellite. Most existing satellites have been in service nearly 15 years – before the internet became prevalent – so they weren’t launched with that technology. The technology in modern satellites, such as the one we’re launching this month [November 2019], has a greater ability for us to control, move and create data feeds than previous generations. All of that will change over time, but the ground stations, the ground network is the core to the system.
Our satellites get launched by private companies, so Space X and others do the launches for us. The satellite is actually built by other companies, so that could be Boeing or Thales or Airbus. We design and work with them; we do all the quality assurance control to get to the point where the satellites launch. When launched, we take ownership of the satellite once it’s out of the launch vehicle, then we fly it into orbit from our control room. At which point we actively keep it in orbit via a satellite control room, which keeps it in the space it should be. Because Earth’s orbit is not perfectly circular, if not monitored [the satellite] could slowly drift out of orbit, so we use power thrusters to move it back. That means you have to have fuel on board and that limits the life of the satellite. If it wasn’t for that they could stay there forever.
Do you employ AI when looking for network security anomalies?
What we have are toolsets, which in a company like ours are incorporated into what’s called a SIEM platform Security Incident and Event Management, where adverse behaviour on networks is monitored. They monitor the fact that an untrusted device has been plugged into the network; they monitor that someone has tried to download some software which isn’t on the approved list. In some cases, the system will stop it automatically and in others, it will be referred up to our cyber operation centre to investigate. There is an increasing amount of automation in how we respond and the reason for that’s important – it is so a person can then focus on the really hard problems where there’s a need to investigate slightly further.
A huge percentage of cyber-attacks result from human error. What is your experience?
What you’ve described is a core strand of cyber security. There are some people who view cyber security as only tech, but I take a much broader view on security: people are at the heart of every single cyber security event or attack. Whether it’s a deliberate attack by a person, or a deliberate attack to exploit a person’s weakness, their lack of training, or something misconfigured by somebody; there’s a people issue everywhere along the attack chain.
We have an extensive training and awareness workforce development programme at Inmarsat, including phishing exercises, training exercises, weekly reminders, the security culture and an annual training review, as well as annual mandatory cyber training. We treat the human aspect pretty seriously because it’s a good part of what we do. It’s not all about technology.
Are there any issues with intrusion and spying?
The sort of feeds we get from places like the National Cyber Security Centre and government agencies mean we need to be alert to that all the time. That happens at a number of levels, including state-based theft attempts. We have to protect our intellectual property by making sure our operations are safe and secure for customers. If they just want to talk to relatives from the middle of the Atlantic on a handset, not much security is needed – but if you’re on a military operation somewhere, there’s a higher degree of security requirement, so we provide a spectrum.
How do you manage risk from vendors and third parties?
It’s an issue of increasing concern, simply because of the spectrum of suppliers that exist in a supply chain and the pressures on people to reduce costs and operate at lower margins. We’re very aware of that. We have policies that we ensure everybody in our supply chain signs up to, and we’re enhancing many of those processes to enable us to audit those customers. We can insist on certain standards being met before they’ve become a customer.
At a national level, there are some things which are helping, such as the Cyber Essentials Scheme in the UK, which is intended specifically to flow down through the supply chain. Companies get accredited by Cyber Essentials, so for a meeting of potential suppliers, you can say you’re only going to invite those already accredited and use that as a sift to start with.
You’re based in so many different places around the world. How do you prepare for the worst all over the place?
There are some slightly different legal requirements in different countries about privacy, data protection and workers’ rights, so implementing things like our acceptable use policy has subtle differences in different countries. But we have policies which are ISO 27001 accredited, which cover all of our information security, data classification, retention – all the stuff that’s required for information security – and ISO 27001 applies globally.
As for unauthorised access, with the internet it really doesn’t matter where someone tries to get access to the network – we monitor all of our systems irrespective of where they are in the world. Our control centres will identify unauthorised activity and if something happens, they’ll intervene, locally or globally.