Protect mission-critical SCADA systems used for remote monitoring and control of irrigation systems.
Palo Alto Networks Next-Generation Security Platform managed by NextWave Partner Idea 11 that protects SCADA systems, 160+ endpoints, as well as data center servers and storage systems.
Threat Prevention, URL Filtering (PAN-DB), WildFire, Traps, Panorama, GlobalProtect
PA-850 (4), M-100 (1)
Premium Plus Support (partner-enabled), Consulting Services, Education Services
Murrumbidgee Irrigation is one of the largest private irrigation companies in Australia, servicing over 3,000 landholdings owned by over 2,500 customers within an area of 660,000 hectares. The irrigation water and drainage services that Murrumbidgee Irrigation provides have helped create a diverse and highly productive agricultural region known as the Murrumbidgee Irrigation Area (MIA).
The importance of protecting SCADA systems has never been greater than is the case today. With SCADA systems scattered across its vast irrigation infrastructure, Murrumbidgee Irrigation lives this challenge every day. When security penetration testing pinpointed potential security deficiencies, Murrumbidgee Irrigation embarked on an initiative to transform its security network architecture.
After comparing different solutions and testing many of them, Murrumbidgee Irrigation chose Palo Alto Networks® Next-Generation Security Platform. In addition to providing the company’s small ICT team with a single point of contact for multiple areas of its security environment, the platform enabled Murrumbidgee Irrigation to move from a largely reactive security posture to one that is predictive.
Murrumbidgee Irrigation deployed four PA-850 firewalls, along with subscription capabilities such as Threat Prevention, URL Filtering, WildFire® cloud-based threat analysis service and Panorama™ network security management. The ICT team also uses the GlobalProtect™ network and VPN security client for endpoints. Most recently, Murrumbidgee Irrigation elected to completely rethink its approach to endpoint security, moving from a traditional antivirus point product to Traps™ advanced endpoint protection.
With a next-generation security platform in place, Murrumbidgee Irrigation has a much more robust security posture, something crucial when it comes to an organization with a mission-critical SCADA network. The team is also realizing much greater efficiencies.
“We no longer need to spend hours troubleshooting and managing firewall rule configuration. Panorama provides a simple and logical interface for building and implementing new rules, allowing us to maintain a tightened and granular policy configuration,” says Andrew Pasquetti, ICT Coordinator at Murrumbidgee Irrigation.
Mission-Critical Security Requirements
Established in 1912, the Murrumbidgee Irrigation Area (MIA) is one of the largest irrigation areas in Australia. The services that Murrumbidgee Irrigation provides to 2,500 landholders spread across an area of 660,000 hectares are mission critical. Any malicious disruption or even tampering of the SCADA systems supporting its vast irrigation network could have far-reaching implications, both for the immediate region as well as for much of the Australian population that relies on the produce, crops and livestock grown and raised in the MIA.
“SCADA and industrial control systems are used to remotely operate our irrigation infrastructure network and deliver water to irrigators. Infrastructure including regulators and outlets are remotely monitored and controlled from our main office. Protecting our corporate information and SCADA systems from malicious external threats is paramount to ensure that this operation is undisturbed.”
Therefore, it should come as no surprise that Murrumbidgee Irrigation’s board of directors and senior leadership team take information security very seriously. “Penetration testing revealed some security issues that could have exposed us to malicious activity, but in particular, we needed a long-term and modern security architecture,” added Pasquetti, ICT Coordinator at Murrumbidgee Irrigation.
Next-Generation Security: Going From Reactive to Proactive
As Murrumbidgee Irrigation’s existing network security solution was reaching its end of life, this revelation provided the ICT team with an opportunity to rethink their security strategy and architecture. The company looked at several different options, one of which included Palo Alto Networks Next-Generation Security Platform.
“We performed a bake-off between the different options,” Pasquetti notes. “Palo Alto Networks stood out from the rest in that it offered us a completely different security approach. Palo Alto Networks Next-Generation Security Platform is forward-thinking and proactive, while the other options were reactive and based on legacy technologies.”
Two capabilities that were particularly compelling to Murrumbidgee Irrigation were App-ID™ application identification technology and User-ID™ user identification technology. “We didn’t want to worry about IP addresses and ports, but rather we wanted to focus on creating application and user rules that make sense based on our business needs,” Pasquetti says.
“Both App-ID and User-ID have been very important features in building our new security policy base. We can create Active Directory groups and associate them with security rules allowing user-based firewall policies. With the added benefit of App-ID, we can create very granular rules, allowing only defined applications for specific users. App-ID provides a more sophisticated approach in a cloud-first environment and comprehensive visibility of the different applications being used across the network,” adds Pasquetti.
Built With Transformation in Mind
With a green light from the leadership team, Pasquetti laid the groundwork for a successful configuration and implementation by documenting all user and application rules. “I didn’t want to migrate anything from our prior solution, but rather wanted to start from scratch,” he explains. Today, Murrumbidgee Irrigation has over 80 application and user rules that address issues such as access to file sharing and internet services.
“User-ID and App-ID from Palo Alto Networks streamlines the time required for rules management,” Pasquetti reflects. “Beyond spending a lot of time developing and managing rules in our prior security environment, we simply couldn’t get all of them to work. So we’re spending less time on rules management while improving our security posture.”
Murrumbidgee Irrigation deployed four PA-850 next-generation firewalls throughout its organization. The company also chose multiple Palo Alto Networks subscriptions to enhance its security posture. “We wanted much more than a firewall solution,” Pasquetti notes. “This was intentionally a transformative decision on our part.”
To get up to speed on the Palo Alto Networks security platform, Pasquetti signed up for training courses with Palo Alto Networks Education Services and received Accredited Configuration Engineer (ACE) status. “The training courses gave me hands-on experience that I was able to apply directly to our configuration and deployment,” he states.
Security Posture Founded on Robust Capabilities
URL Filtering (PAN-DB) is another feature that replaced a previously ineffective solution. “The web browsing experience of our users is much better, and we don’t have the types of issues that we had before,” Pasquetti says. “Users couldn’t get pages to load correctly and had certain pages blocked. All of this contributed to a degradation in the productivity of Murrumbidgee Irrigation users. URL Filtering improves the efficiencies of our end users and saves the ICT team time-remediation issues.”
The Threat Prevention subscription includes enhanced vulnerability and exploit protection, enabling Murrumbidgee Irrigation to protect against intrusion exploits, malware delivery and installation, and command-and-control attacks. “It gives us an extra level of protection and provides visibility over the types of malicious attacks and their targets, but blocks and alerts us before any successful attempt is made,” Pasquetti observes.
Panorama, which runs on an M-100 management appliance, gives Murrumbidgee Irrigation enterprise-wide security visibility and reporting. “Panorama has been worth its weight in gold,” Pasquetti states. “Previously, we had to manage each of our firewalls separately and had very little reporting capabilities. With Panorama, we have a single pane of glass across our main office and branch office. It saves me valuable time logging in to each of the different devices and locations, and the reporting puts all of the information at my fingertips.”
Pasquetti also recently added WildFire. “The community-driven threat intelligence of WildFire amplifies our security posture,” he says. “It increases the circumference of our security network and minimizes our risk of malicious intrusions. Because legacy solutions that use signature-based mechanisms are essentially defenceless against zero-day attacks, WildFire provides us with the confidence that we have the most up-to-date knowledge and protection generated from the Palo Alto Networks user community.”
Connecting the Mobile Workforce, Securely and Efficiently
GlobalProtect is used across all of Murrumbidgee Irrigation’s endpoints. “We have a lot of staff who work from their home offices, as well as staff who need to connect via remote sites, so having a quality, secure VPN solution is very important,” Pasquetti says.
The prior VPN remote access and security connectivity solution Murrumbidgee Irrigation used was difficult to manage and unstable. “We spent a lot of time troubleshooting problems encountered by individual users,” Pasquetti recalls.
Rethinking Endpoint Security
Early this year, Pasquetti was given a charge by the company’s leadership team to rethink how Murrumbidgee Irrigation approaches endpoint security. “We weren’t looking to replace one antivirus solution with another one,” he reports. “All of the news around ransomware and CryptoLocker accentuated the fact that we wanted a much more proactive and preventative approach than that offered by an antivirus model. The use of individual exploit prevention techniques in Traps advanced endpoint protection puts Palo Alto Networks way ahead of the competition.”
Just recently deployed, Traps is delivering tangible results. Previously, Pasquetti and another member of the ICT team spent substantial time deploying and managing antivirus instances across each of the company’s endpoints. This is eliminated with Traps, which also removes the need for antivirus updates and has minimal performance impact.
“Traps has a very small installation and performance footprint, does not require daily signature updates or scheduled scans to operate. It sits quietly in the background and observes behavior and takes a preventative approach, rather than cleaning up after the fact,” Pasquetti says.
All of the different components of the Palo Alto Networks Next-Generation Security Platform add up to give Murrumbidgee Irrigation a comprehensive Next-Generation Firewall, Threat Intelligence Cloud services, and Advanced Endpoint Protection. It delivers application, user and content visibility control, as well as protection against known and unknown cyberthreats.
Tapping Consulting Services and NextWave Partner Idea 11
To help with the deployment of Traps, Pasquetti engaged Palo Alto Networks Consulting Services. “The consultant has worked hand in hand with our systems engineer, providing overarching support and helping to resolve problems when we encounter them,” Pasquetti says.
About a year ago, Murrumbidgee Irrigation elected to outsource day-to-day management of its Palo Alto Networks security platform to Palo Alto Networks NextWave Partner Idea 11. “This proved to be a valuable decision for us,” Pasquetti observes. “We’re now able to focus our time on managing strategic security initiatives while relying on their expertise for tactical execution.”
Protecting Mission-Critical Information and SCADA Systems
Pasquetti is quite pleased with the decisions Murrumbidgee Irrigation has made in its deployment of the Palo Alto Networks Next-Generation Security Platform. “It has revolutionized our entire security network,” he says. “Protecting our information and SCADA systems that are scattered across a very wide expanse is front and center for us. The social and economic repercussions of a malicious intrusion could be dramatic. Palo Alto Networks gives us the ability to move from a reactive posture to a proactive, preventative posture.”