“If you wanted to have civil disobedience and start the process of unraveling a society, we're a pretty big target”: how National Gas is shielding itself against cyber threats with Palo Alto Networks

As one of the UK’s most critical organizations, National Gas is looking at a major overhaul of its cloud and on-premises approach to cybersecurity

When you think of organizations tied to the UK’s critical national infrastructure (CNI), few play a role as critical as National Gas.

The sole owner and operator of the UK’s National Transmission System, National Gas oversees the daily operation of almost 5,000 miles of high-pressure pipes that keep the nation’s lights on, stoves hot, and homes warm.

“We are very critical to the UK: we generate, from gas, up to 75% of the nation's electricity in winter, and we keep 20 million homes warm.

“So if you wanted to have civil disobedience and start the process of unraveling a society, we're a pretty big target. In fact, the NCSC said the energy sector is number one now in terms of threat, and they actually identified National Gas as number one in the energy sector.”

To keep these critical operations safe and improve its resilience amid widespread cloud adoption, National Gas partnered with Palo Alto Networks.

ITPro spoke to Darren Curley, CTO at National Gas, to learn more about the aims of his organization and the core role Palo Alto Networks has played.

When Curley joined the organization nearly four years ago, it was with the brief of transitioning it out of National Grid, building a new hosting platform, and expanding its functions to meet the needs of CNI.

Palo Alto Networks is National Gas’ primary security vendor, securing its operational technology (OT) and wider infrastructure.

“We're virtually full-stack Palo, including networks and all the way through to Prisma Cloud and most things in between,” Curley says.

“The one thing that we don't do with them at the moment is the XSIAM, XSOAR side of things. However, we are looking to progress in that way.”

National Gas is currently migrating choice workloads to the cloud. Curley tells ITPro that it hosts all its major applications on Google Cloud Platform, while keeping its legacy security apparatus on Microsoft Azure. In collaboration with partners like Palo Alto Networks, National Gas took a hard look at what could and couldn’t be altered during the migration process.

“We decided very early that the CNI element would be ring-fenced and it would be migrated on a more or less like-for-like novation basis.

“So the things that actually keep the gas flowing would stay pretty similar to what they are, because the deal breaker was we could not affect the business, we could not affect the flow of gas around the country.”

The exception to this rule was the enterprise space and the organization’s non-regulated metering business, where National Gas was able to go deeper into its cloud adoption.

At the start of its migration journey, Curley’s team mapped tools against key capability areas, a process that he says ensured “you had simplicity decide on your course of action”. These capabilities were then broken up into “transitional states” in which teams focused on the implementation of key cloud and security elements.

“Ultimately, when I look back, that was why we were successful,” he says. “Macquarie Asset Management, who is our major owner now, said that of the 42 transitions they did across Europe, this was the only one that went to time and to budget.

“So I think it was mostly down to one team culture and transitional states, which included the introduction of key elements from Palo, people like Equinix, and those sorts of vendors, which were much, much more modern and progressive.”

Since migrating more of its operations to the cloud, National Gas has seen many benefits, including improved agility. Curley tells ITPro that the organization now builds everything as infrastructure as code (IaC), improving consistency and repeatability.

It’s also reduced costs, both through lower overall operating overheads and by eliminating the need for extensive data center hardware refreshes.

A new focus on cloud cybersecurity

National Gas is now looking at architecture 2.0, a more cloud-native approach with a focus on software as a service (SaaS) and AI to expand endpoint security beyond XDR and Microsoft. Curley clarifies that while National Gas will retain its legacy Microsoft deployments, he and his team are also looking at unlocking new capabilities through further cloud adoption:

“So Sentinel has its place, we've made it sing and dance because we've got some talented people in our SOC who have really done some great things with it. But when you look at what you can do with the Google security apparatus and their acquisition of Wiz, and when you look at what we can do with Palo, it outstrips it quite quickly.”

Architecture 2.0 will be cloud agnostic, with Curley stressing that National Gas should be able to shift workloads based on geopolitical or commercial needs. This, he says, is already being accomplished through its adoption of SASE edge technologies.

“But we’ve also done iPaaS services, hence why we chose single-stack Palo, who can sit wherever we need them to sit, even though they're backboned primarily on Google,” he adds.

Curley is leading a system-wide inspection of where his organization’s processes are run and how they’re protected. For example, some services, such as those in National Gas’ IBM cloud, will be repatriated to three on-premises instances, while in other cases the organization will look to protect vendor services with greater use of managed enterprise browsers, enterprise data loss prevention (DLP), and conditional access.

Throughout its internal review process, National Gas is taking steps to ensure that its leaders understand what each service is doing and where each sits on its organizational risk profile.

“One of the things I love about what we've done with Palo is they actually own what they do, and one of the things they do for us is they stand up a config that's analogous to ours and test it every time they do a major change, which is unique,” Curley explains. “I had conversations with other vendors about doing the same thing, and they all gasped.”

Agility for the next decade of power

Agility, Curley says, will be key for National Gas over the coming years. But this hasn’t always been made possible by former industry partners.

“It's not a Palo instance, but we had an incumbent network vendor, and it took us longer to discuss which legal paper things would be written on than it did for me to go away and build a SASE edge and the whole head end of our network,” he admits.

Going forward, Curley says National Gas will work to improve the speed at which its security teams can respond to the changing threat landscape.

“We want a situation where I can shift people's identities and privileges, I can shift where the interface is hit, I can shift where the network connections terminate, and where the applications are presented from without any sign of that happening, as far as our users are concerned,” he says.

This will also mean a cautious adoption of AI on a vendor-agnostic basis.

“Everything has to be very carefully thought through, so that it's a deterministic outcome whereby we exactly know the lineage of the models, the security of them, and also from a data perspective, that it's only getting to the data that it should,” he says.

National Gas may also play a wider role in power for AI data centers in the future. Gas turbines are increasingly used as a short-term power source for data centers and as a flexible baseload, even as green data centers take off and renewables become a greater part of the energy mix.

Meeting this demand will further increase the need for agility.

“I think it's really important to start setting yourself up to be agile, because nobody knows what's going to happen with the power wall issue that's looming on AI,” Curley says. “Nobody knows what's going to happen in terms of when they have to pay forward the huge amounts of money they've accumulated in AI development, which is running into trillions.

“Now it will have an effect somewhere, and agility is going to be key to managing those bumps in the road as they occur. And none of us know what they are, as much as we can all predict.”

Embracing digital sovereignty is another major factor in this journey towards agility and resilience, Curley adds:

“I always think of CNI as an onion: there are many layers to it, and every single one makes you cry. But as you get into it, some of those outer layers are perfect candidates for data sovereignty, so that you've got absolute keys that you manage on external [hardware security modules (HSMs)] so nobody can get to them.”

Looking ahead, Curley is keenly aware of the cyber threats facing National Gas, including from the likes of CRINK attackers and other state-sponsored groups and APTs.

“We've actually got a large intelligence function inside National Gas that surveys that landscape and looks at where the next set of threats are going to come from, and tries to give us enough information so that we can adjust our posture to suit.

“I think it's only going to get worse. When you look at what's been happening in some of the countries that border Russia and the attacks on things like Poland's rail infrastructure, from an OT perspective that’s not broadly discussed, you have to prepare yourself for them to start attacking operational technology.”

Rory Bathgate
Features and Multimedia Editor