Rising up to meet subsea cybersecurity challenges

By Kathy Kirchner

Kathy Kirchner Network Operations VPBoth US and European governments are growing concerned at how reliant countries are becoming on subsea connectivity, and the subsea cybersecurity challenges it creates. Maritime cables are the arteries of modern economies and therefore risk being targets for state-sponsored cyberattacks. The EU Commission recently made recommendations for member states to assess risks and vulnerabilities around subsea cables, to map out the infrastructure and begin to make it more resilient.

At the same time, hyperscale internet providers like Amazon, Google, Meta and Microsoft have become key players in the market, bringing with them a cybersecurity awareness that was badly needed in the sector. New entrants first brought Indigo into the sector as a subsea support provider, back in 2021.  We were already on a mission to embed more cyber security into our business, particularly around our NOC (Network Operation Centre) – where we recently recruited a Head of Information Security (Will Rendle)– but entry into the subsea world meant we had to extend our capabilities and be razor-sharp focussed on what’s required.

Secure monitoring service

In a 2023 report, the European Union Agency for Cybersecurity, ENISA, went into more detail about subsea security, emphasising the importance of ensuring that cable landing stations and network management systems are adequately protected. We are acutely aware that remote monitoring tools are a target for criminals which is why we invest so much time and money in making our proposition more resilient.

Indigo has built a unique secure remote access system, which connects into customer networks to meet the demands of clients who want proactive monitoring that spans both security and fault-finding. Our security-aware NOC continuously collects data that is cross-referenced to fulfil both functions simultaneously. The customer experience is always our priority, ensuring uptime and the optimised performance of network infrastructure, but it’s increasingly important that our monitoring capabilities can identify bad actors and early indicators of a cyberattack.

Indigo Subsea Connecting Continents

To make our service more secure, we avoid third-party networks that other service providers are willing to share, preferring a dedicated carrier-grade IP-based DCN (Data Communication Network). Built on robust and secure MPLS technology, it has advanced security features for high availability and redundancy, with full network recovery in case of failure.

Our hardware is state-of-the-art. We never buy second-hand because we need to have a forensic level of understanding around the features and specification of equipment that comes straight from the factory. Our clients have a single point of contact, and because we only use our own systems, we can take 100% responsibility for the level of support and security we provide. And it’s important to remember that we never ingest the data travelling over client networks.

People, policies and processes

At the heart of our Secure Remote Access Solution is the Salesforce CRM platform. Bigger than we initially needed when we made the investment, our strategy was always to grow into it, eventually capturing all our monitoring data to provide insights that will move us closer to predictive monitoring and maintenance. Adding to the power of the platform is Salesforce going into partnership with Microsoft and OpenAI, introducing Einstein GPT, an AI CRM solution that will deliver content across every service intersection we provide.

Other features of our subsea service include NOC resilience. We have two facilities with duplicated hardware and staffing for seamless failover. People are often described as the weakest link in security, which is why newly recruited Indigo employees undergo a thorough vetting and onboarding process. Vigilance extends to threat intelligence with our security team tracking suspect IP addresses and organisations that are likely to pose a threat.

We have built our security framework in accordance with the US National Institute of Standards and Technology (NIST) and are ISO 27001 accredited. ITIL best-practice standards are embedded in our culture, covering all of our processes, policies and procedures. [See our accreditations and certifications] ISO 27001 Logo

This level of detail matters to hyperscale US internet companies as they look to forge partnerships across Europe. We help them navigate EU regulations, such as the European Electronic Communications Code (EECC), a major revision of the original framework for the telecommunications sector. US clients, used to a more relaxed regulatory environment, rely on Indigo to make sure they are compliant with the different markets they enter.

If you want to find out more about how Indigo Subsea go to Indigo Subsea webpage.