Graham Wright CBE, Senior Vice President for Security and Cyber at Inmarsat talks to Johanna Hamilton AMBCS at the Cyber Security Connect UK conference, about satellites, security and paving the way for those new to the cyber profession.

Inmarsat PLC is a British firm that specialises in satellite-based telecommunications. It provides mission critical data and telephone services to users across the globe. The company employs 1,500 people around the world and counts commercial enterprises, governments and humanitarian organisations as its clients. This gives the firm a unique perspective on cyber security. On one hand it needs to maintain its own security posture and, on the other, it is responsible for maintain its clients’ communications.

Tell us about the rules that govern satellite launches and locations

Satellites are all geo-stationary, so they stay in the same place, but they're all around the equator so they do sit above various parts of the world. That's all managed by UN-type agencies who oversee who has what space. The spectrum you can use is managed on a global basis with organisations.

The geo-politically sensitive issue is that the services a satellite provides need to land at a ground site that's directly in line with the satellite. We have constellations which are made up of between three and four satellites, guaranteeing coverage around the whole world depending on the band of the satellite; however, the ground network needed to make it all work together can touch sensitive countries.

Therefore, the geo-political aspects can sometimes include governments wanting to access data that lands in their country. We have to choose and carefully manage where we put those ground stations.

Increasingly, we're transferring data from satellite to satellite. Most existing satellites have been in service nearly 15 years - before the internet became prevalent - so they weren't launched with that technology. The technology in modern satellites, such as the one we’re launching this month [November 2019], has a greater ability for us to control, move and create data feeds than previous generations. All of that will change over time, but the ground stations, the ground network is the core to the system.

Our satellites get launched by private companies, so Space X and others do the launches for us. The satellite is actually built by other companies, so that could be Boeing or Thales or Airbus. We design and work with them; we do all the quality assurance control to get to the point where the satellites launch. When launched, we take ownership of the satellite once it's out of the launch vehicle, then we fly it into orbit from our control room.

At which point we actively keep it in orbit via a satellite control room, which keeps it in the space it should be. Because Earth’s orbit is not perfectly circular, if not monitored [the satellite] could slowly drift out of orbit, so we use power thrusters to move it back. That means you have to have fuel on board and that limits the life of the satellite. If it wasn't for that they could stay there forever.

Do you employ AI when looking for network security anomalies?

What we have are toolsets, which in a company like ours are incorporated into what's called a SIEM platform Security Incident and Event Management, where adverse behaviour on networks is monitored. They monitor the fact that an untrusted device has been plugged into the network; they monitor that someone has tried to download some software which isn't on the approved list.

In some cases, the system will stop it automatically and in others, it will be referred up to our cyber operation centre to investigate. There is an increasing amount of automation in how we respond and the reason for that's important - it is so a person can then focus on the really hard problems where there’s a need to investigate slightly further.

A huge percentage of cyber-attacks result from human error. What is your experience?

What you’ve described is a core strand of cyber security. There are some people who view cyber security as only tech, but I take a much broader view on security: people are at the heart of every single cyber security event or attack. Whether it's a deliberate attack by a person, or a deliberate attack to exploit a person's weakness, their lack of training, or something misconfigured by somebody; there's a people issue everywhere along the attack chain.

We have an extensive training and awareness workforce development programme at Inmarsat, including phishing exercises, training exercises, weekly reminders, the security culture and an annual training review, as well as annual mandatory cyber training. We treat the human aspect pretty seriously because it's a good part of what we do. It's not all about technology.

Are there any issues with intrusion and spying?

The sort of feeds we get from places like the National Cyber Security Centre and government agencies mean we need to be alert to that all the time. That happens at a number of levels, including state-based theft attempts. We have to protect our intellectual property by making sure our operations are safe and secure for customers. If they just want to talk to relatives from the middle of the Atlantic on a handset, not much security is needed - but if you're on a military operation somewhere, there's a higher degree of security requirement, so we provide a spectrum.

How do you manage risk from vendors and third parties?

It's an issue of increasing concern, simply because of the spectrum of suppliers that exist in a supply chain and the pressures on people to reduce costs and operate at lower margins. We're very aware of that. We have policies that we ensure everybody in our supply chain signs up to, and we're enhancing many of those processes to enable us to audit those customers. We can insist on certain standards being met before they've become a customer.

At a national level, there are some things which are helping, such as the Cyber Essentials Scheme in the UK, which is intended specifically to flow down through the supply chain. Companies get accredited by Cyber Essentials, so for a meeting of potential suppliers, you can say you’re only going to invite those already accredited and use that as a sift to start with.

You’re based in so many different places around the world. How do you prepare for the worst all over the place?

There are some slightly different legal requirements in different countries about privacy, data protection and workers’ rights, so implementing things like our acceptable use policy has subtle differences in different countries. But we have policies which are ISO 27001 accredited, which cover all of our information security, data classification, retention - all the stuff that's required for information security - and ISO 27001 applies globally.

As for unauthorised access, with the internet it really doesn't matter where someone tries to get access to the network - we monitor all of our systems irrespective of where they are in the world. Our control centres will identify unauthorised activity and if something happens, they'll intervene, locally or globally.

Do you have any advice for those new to, or looking to get into the industry?

I'm on the advisory board at three universities, so I see a lot of students but most of them are specialists who've already started out. But we do bring the students in to try and create internships.

The main thing that's different from when I was young is the cyber security profession. If anybody has gone through school and done the various STEM subjects which get them to the point where this maybe something they want to pursue, then there are many routes in. Like many things, it's just a question of people keeping their options open but focusing on what makes them think "That's a career path I'd quite like."

My advice at the moment, and this is coming from someone who didn't come through that sort of system, is to not assume that one must come through that path in order to be senior in this business. If we do, I think that will be a retrograde step because I think the advantage that someone like me brings is sometimes a broader perspective based on operations and why it's important as opposed to how it's delivered. I think there is a danger in creating lots of technical experts who don't lift their eyes above implementing and operating something.

So, I'd say when looking at the path they're going to take, they ought to broaden it as best they can in order to open up opportunities downstream.

About the author

Graham Wright is the Senior Vice President for Security and Cyber at Inmarsat, a global satellite communication company operating a constellation of satellites, with the only broadband service to cover the entire world.