Founded in Australia in 1992, Pacific Hydro is a global renewable energy owner, operator, and developer. It operates a high-quality, diversified portfolio with an installed capacity of more than 1 gigawatt across Chile, Australia, and Brazil. The company also has a substantial number of projects in development, totaling more than 2 gigawatts of potential capacity and has a growing electricity retail business in Australia called Tango Energy.
As a leading provider of renewable energy in Australia, Chile, and Brazil, Pacific Hydro requires strong security in its corporate data center as well as its solar farms, wind farms, and hydro plants. Many generating sites are in remote, unstaffed locations, yet they require the same level of security as staffed facilities. The company utilises contractors at its sites for operations and maintenance, requiring strict separation of operational technology (OT) and information technology (IT).
The Palo Alto Networks Security Operating Platform® enables Pacific Hydro to segment OT and IT traffic and apply strict security policies to both systems to prevent successful cyberattacks or inappropriate data exfiltration. The platform also ensures that all contractor traffic destined for the data center or the internet is routed through Pacific Hydro’s core Next-Generation Firewalls for consistent application of security policies. With Prisma™ Access, the same level of cybersecurity is also extended to remote users and applications around the world via a simple cloud-based solution.
Protecting Critical Energy Assets
When it comes to generating electricity from renewable sources—hydro, wind, and solar—Pacific Hydro is a rapidly growing force across Australia, Chile, and Brazil. In Australia alone, the company’s operating assets abate more than 1 million tons of greenhouse gas pollution every year, and the number of clean energy generation projects Pacific Hydro has in the works continues to grow.
While Pacific Hydro’s generating capacity is substantial by renewable energy standards, the business runs with a lean, efficient staff, adopting a strategic mixture of in-house expertise and outsourced support across its value chain. However, the company must comply with the same regulations and security standards as large enterprises.
Daniel Hayward, Head of Information Systems and Technology for Pacific Hydro, remarks, “The challenge for us is to find smart solutions that meet the requirements for protecting customer data and securing our generation assets. It’s about determining the right long-term solution and understanding the cost impact on the business. That may take more effort to balance the risks and rewards of certain investments, but it just makes us more impassioned to get it right.”
Adam Roddick, Pacific Hydro’s IT manager for Australia, adds, “In our business, we need to protect substations, solar farms, wind farms, and do that cost-effectively. Substations are viewed as critical infrastructure and have to be protected as part of the electrical grid. In Australia, we have just over 20 different branch locations—some with no staff, just electrical equipment—which makes SCADA a big part of our challenge. On the data center and services side, we have customer data, PII, commercial, and company data that needs protection. We were looking for a security platform that covers all those components—OT and SCADA as well as IT—along with remote access, end-to-end visibility, orchestration, and reporting so we can manage security at the level we need with the limited resources we have.”
Extending Cybersecurity Across Business and Operational Systems
To address these complex security requirements, Pacific Hydro implemented the Security Operating Platform across its OT and IT environments in Australia, spanning the corporate data center, remote offices, and generation sites. Palo Alto Networks Next-Generation Firewalls act as highly available central gateways for all traffic traversing the corporate network or passing to or from the internet. IPsec tunnels provide connectivity from the data center firewalls out to separate firewalls at each of the other sites, and no direct breakout is allowed at the remote sites.
The IT team developed specific rule sets that govern user-to-server, server-to-OT-system, and server-to-internet traffic using a combination of App-ID™ and User-ID™ technology to segment the network.
Hayward notes, “We have defined standards for how people are supposed to access resources on the internet, but we’re working with a lot of contractors in the field and can’t be sure they will always follow the rules. With Palo Alto Networks at each site as the perimeter between the OT network and our corporate network, contractors have to go through our secure link. We don’t allow them to put their own links out there. It’s a balance between process and technology.”
For example, a wind farm might have four or five subnets—one for supervisory control and data acquisition (SCADA), one for internal users, one for vendors, and so on. SCADA systems would be physically isolated and protected on-site, but some servers in IT interact with SCADA to run analytics for business intelligence. That’s all controlled by the on-site Palo Alto Networks firewalls, so any local site traffic stays local, and traffic coming from an IT system passes through the core Palo Alto Networks firewalls in the data center.
“We recently added a location in Chile,” notes Roddick, “and straightaway, we could roll out Prisma Access for our users there. We just added another location in Singapore. The system can easily scale up to any number of users, offices, countries—and we know the performance is going to be strong. It truly provides us with a global platform.”
It’s not just a matter of convenience. Fast, secure access to the home office means businesspeople from Pacific Hydro traveling abroad have assured access to whatever information they need to do their jobs effectively.
Roddick also points out, “The Prisma Access rollout was really easy for us. The technology is simple to configure, and we haven’t had a single problem. It’s been absolutely
Stopping Malware Threats at the Endpoint
As an added layer of security, Pacific Hydro also rolled out Cortex XDR agent for laptop users across Australia, Chile, and Brazil. The company also deployed Cortex XDR agent on its public-facing servers in the data center demilitarized zones (DMZ). In addition, Cortex XDR agent protects Citrix® servers and virtual desktops delivered on Citrix.
Like many organizations, Pacific Hydro historically relied on traditional antivirus software. However, as Roddick puts it, “There was a lack of confidence in antivirus technologies around the ability to respond to zero-day vulnerabilities.”
With Cortex XDR agent, all doubts have disappeared. “Our risk assessment of threats like ransomware appears to be much lower than many of our industry peers due to the Cortex XDR agent solution. We’ve never had an instance of ransomware or malware getting through on the Cortex XDR agent systems. The trust we have in Cortex XDR agent, and the stress that evaporates by using Cortex XDR agent, is huge.”
Hayward adds, “IT infrastructure, resources, cybersecurity awareness, and controls vary between geographical regions. While we work on building cybersecurity maturity at the process level, Cortex XDR agent gives us assurance that we have a strong defense mechanism on the endpoints. Combining Cortex XDR agent with all the other layers of protection we have from Palo Alto Networks is what takes away the stress and lets us sleep better at night.”
Looking into the future, Pacific Hydro is also evaluating Cortex XDR agent to provide endpoint protection on its SCADA and other OT systems at remote sites. Roddick notes, “We are now exploring opportunities in our OT environment, working with our SCADA teams to assess potential expansion of Cortex XDR agent out to our generation assets.”
Delivering Consistent Security from the Data Center to the Cloud
As Pacific Hydro continues to grow and evolve its business, the IT team is exploring the benefits of moving portions of the data center infrastructure into Microsoft Azure®. The Palo Alto Networks platform will enable the team to extend into the cloud the same protection they currently have on-premises and at remote sites. As a first step, the company deployed a pair of VM-300 Virtualized Next-Generation Firewalls on Azure.
A consistent security approach across IT, OT, and the cloud is a strategic advantage for IT and the business. As Roddick points out, “You get much more integration between the different layers when it’s one platform from one vendor. We have Next-Generation Firewalls, Prisma Access, and Cortex XDR agent, and they all plug in very nicely to one management point, Panorama, which orchestrates it all.”
“Having a common platform is important when you have a small team,” Hayward says. “Our people have to figure out a lot on the fly, and even having two vendors would slow things down. It makes everyone less efficient. With the Palo Alto Networks platform, we have a lot more confidence in understanding what we have, and how to jump in and address needs in the security infrastructure without a lot of stress or worry.”
Hayward concludes, “The right technology can make you more efficient, which means you can maintain a high level of quality. I don’t want our people to just put out fires—I want them to prevent fires and focus on fine-tuning our services to improve the user experience. The Palo Alto Networks platform helps us be proactive on the security side and allows us to put more time into bringing value back to the business.”