The City of Mesa, Arizona, provides citizens, businesses, and visitors with a broad range of services to enhance quality of life and support economic prosperity. With extensive digitization of services, Mesa needed a security infrastructure that could reach beyond its private network while tightly controlling access to sensitive environments like its supervisory control and data acquisition (SCADA) system. Mesa is also launching a smart city initiative, which will require securing diverse internet of things (IoT) devices. By deploying the Palo Alto Networks Security Operating Platform®, Mesa has a unified platform to meet the full range of its current and future security needs, providing granular, application-specific traffic control and segmentation, with extended visibility and control into public clouds and across an IoT-enabled smart city.
A Modern City with Diverse Citizen Services
Mesa, Arizona, is a city built around early settlements of indigenous people dating back more than 2,000 years. Today, it is a modern, thriving metropolis that provides not only an idyllic setting for its growing citizenry but also a popular destination for visitors seeking sun-filled recreation, worldclass educational opportunities, and a business-friendly economic atmosphere.
With nearly a half-million full-time residents and a surging tourist population, the City of Mesa provides a wide range of services, the sheer scale and scope of which make Mesa stand out from other comparably sized cities. Along with requisite services, such as police, fire, and emergency medical teams, Mesa runs five municipal utilities, numerous parks and pools, public library facilities, schools, transportation, even a city cemetery—and, of course, its famous Major League Baseball spring training camps.
This diversity of services is geared toward a common goal of providing a high quality of life for Mesa’s citizens and a positive experience for its many visitors. Technology increasingly plays a central role in achieving this goal. Naturally, as more and more services are digitized and automated, securing private information traversing Mesa’s network—and increasingly extending out to the cloud—is paramount. In fact, as Mesa sets its sights on becoming a smart city, leveraging the internet of things (IoT) to further enhance quality of life, civic engagement, economic development, and community vibrancy, security requirements will only intensify.
Lester Godsey, chief information security officer for the City of Mesa, explains, “Government, in general, is a popular target of bad actors because of the breadth and scope of the information we have. In Mesa, we have over 180,000 utility accounts with people’s personal and financial information. We have medical records, court filings, building permits, personal information on child and family services, all of which we’re responsible for safeguarding. The technology we use for that is critical. And when we expand to a smart city with the proliferation of IoT devices, we can expect to see a whole new attack vector.”
Ensuring Secure Application Segmentation While Enabling Access
The challenges of securing information across a wide range of departments and services are formidable. Industrial control systems, like the SCADA system controlling Mesa’s electric, gas, water/wastewater, and irrigation utilities, need to be isolated from other segments of the city-wide network. Preventing data exfiltration is a prime concern to ensure private information like credit card numbers and account details are kept secure. Building a smart city will blur the edges of the network with so many distributed devices, adding to the challenge and all but rendering traditional security approaches obsolete.
These important considerations pointed Godsey and his team to a new way of securing Mesa’s legacy enterprise environment and emerging cloud environments while establishing a security model for a smart city of the near future. Godsey explains, “We were looking for more flexibility and scalability than our old firewalls could provide. We have numerous departments, and we need to segment various components of the network, but we don’t want to invest in a lot of different equipment to do that. The Palo Alto Networks Security Operating Platform provided a lot of capabilities we could leverage, like unified threat management, application-level traffic control, threat intelligence, and SSL decryption, all on a single platform.”
With growing threats from spear phishing and social engineering, Threat Prevention and the threat intelligence sharing of MineMeld™ have proven invaluable. Godsey remarks, “MineMeld has been a life-saver. We automatically ingest over 20 different threat intelligence feeds, which we could never keep up with manually. We can take that threat intelligence and automatically push new controls out across our Next-Generation Firewalls to try and stay ahead of the cybercriminals.”
Also very important to Godsey is the flexibility the Palo Alto Networks platform provides to segment and secure traffic where we need to without buying additional equipment. SCADA is a perfect example. Godsey deployed a pair of Palo Alto Networks Next-Generation Firewalls for Mesa’s SCADA environment, which is isolated from the rest of the city network. To access the SCADA system, operators must log in through GlobalProtect™, which provides network security for endpoints, integrated with Okta® multi-factor authentication (MFA). Due to the sensitivity of the SCADA system, Godsey built a DMZ through virtual segmentation on the Next-Generation Firewalls and uses App-ID™ technology to enable only sanctioned applications, like a vulnerability scanner, to access the SCADA system.
The way Godsey secures the SCADA system has become a model for how other sensitive applications and data are accessed throughout the city. Smaller Next-Generation Firewalls are deployed across Mesa’s many departments and facilities spanning a broad geographical area, and by applying App-ID, Godsey delineates precisely what traffic is allowed or denied. A combination of User-ID™ technology and GlobalProtect with Okta MFA further controls access to the most sensitive applications and data, allowing only a select number of authorized users through the GlobalProtect portal.
Moreover, SSL decryption plays a crucial role in Godsey’s security strategy. He observes that having such a diversity of city services is like managing a multinational conglomerate. “We have to meet a number of compliance standards. From a PCI perspective, we’re considered a Level 3 merchant because of the volume of financial transactions we handle. We have to be HIPAA-compliant due to the health information under our management. In the police department, we’re required to adhere to CJIS—Criminal Justice Information Systems—standards. So, we have to be cognizant of the risks of exfiltrating data like credit card numbers or Social Security numbers. Of course, bad guys encrypt their exploits, too. That’s why SSL decryption is critical, so we’re able to apply all the same data loss prevention rules to encrypted traffic as non-encrypted traffic.”
Foundation for Leveraging IoT to Build a Smart City
Building the security infrastructure for Mesa’s distributed organization, and especially for the SCADA environment, has laid the foundation for securing a smart city comprised of numerous, widely distributed IoT devices. One example of the city’s initial foray into IoT is the use of automatic meter reading (AMR), using smart meters installed for its utility customers.
Godsey notes, “The work we did leveraging the Palo Alto Networks platform to secure our SCADA environment has led us to where we are today with planning and deploying for the smart city initiative and IoT in general.”
He adds, “Our focus is on changes happening out on the perimeter. With traditional firewalls, you had a clearly delineated perimeter, but when you introduce IoT and cloud services, that perimeter no longer exists. Our security strategy for the future is to equip ourselves with tools that provide insight and control of things potentially outside our network—tools that give us awareness and asset management of IoT devices and cloud services.”
For example, as the city begins acting on its smart city master plan, Godsey foresees taking advantage of the latest features in PAN-OS® 9.0, combined with K2-Series 5G-Ready Next-Generation Firewalls, to extend the prevention-oriented security of the Palo Alto Networks platform to cellular IoT technologies. “Being able to leverage our investment in Palo Alto Networks and apply additional security controls on IoT devices would be awesome,” he says.
The city is also moving more services into public clouds like Microsoft Azure®. As with IoT, Godsey points out that adopting cloud services will further expand the attack surface. “Every cloud service has an API or web service associated with it. If we have a third-party provider interacting with that service or we want to download data to on-prem systems or another cloud to do analytics, that’s part of the attack surface and exposes us to risk. We leverage the virtual next-generation firewalls from Palo Alto Networks to secure those interactions.”
Ultimate Goal: Enhance City Services for Citizens
Centralized administration of the security infrastructure through Panorama™ is a key factor in managing risk, maintaining effective control across multiple environments, and leveraging insights to continually strengthen the city’s security posture. Godsey also relies extensively on using data collected by Panorama in the city’s Splunk® security information and event management (SIEM) system.
“I can’t tell you how useful the tight integration between Panorama and Splunk has been,” says Godsey. “The data and logs from Panorama, along with logs consumed from individual workstations, are critical sources of information we use to proactively assess risk and look for anomalous behavior.”
He adds that the data from Panorama and Splunk is not only useful from a threat prevention standpoint but also as a means to demonstrate performance. “We have a project where we’re taking data from multiple sources, including Panorama, and using it to articulate the number of security incidents that have occurred within a certain period of time. Information like this helps frame conversations with executive management on why security is such an important investment.”
Godsey also anticipates leveraging log data from Panorama to enable more automation. For example, if the security team determines that someone’s credentials have been compromised, the natural response is to disable the account and reset the password. These same actions can be automated, but as Godsey says, “You can’t get there without collecting the data.”
Ultimately, city government is a service provider to citizens, businesses, and visitors. For Mesa and many other cities like it, the breadth of services is continually expanding, and that trend will only increase with initiatives like the smart city. This makes information security more important than ever.
“Governments are a popular target for cybercriminals because of the information we have,” Godsey acknowledges. “We can’t have information out on the fringes of IoT without knowing that all those points are secured. We rely on our relationship with Palo Alto Networks to do that. Working with us in partnership, Palo Alto Networks continues to help us take advantage of features and capabilities in the platform that ensure we get the most out of our investment today and as we look into the future.”