UK gas utility eyes "high-risk" shift to Azure, frets over ICS security

"A requirement to bring unmanaged and unsupported ICS devices under proper governance and control..."

One of the UK’s largest gas utilities is rearchitecting its entire industrial control system in what it describes as a “high-risk” move that will include creation of an industrial demilitarized zone (DMZ), hosted on Azure.

Wales & West Utilities (WWU) operates 35,000km of gas pipelines in Wales and south west England. A contract notice revealed that it was running "unmanaged and unsupported" Industrial Control System (ICS) devices.

The company, which serves 7.5 million domestic and large industrial customers, has been exploring a huge digital network overhaul over the past nine months under its "Galileo Programme". It has now published a contract notice for a partner to help with “all aspects of Azure network architecture design and implementation” over five years, with the possibility of extension. Responses are due by January 19, 2024.

The company says the programme will help it “(a) meet recognised best-practice architectures to ensure a secure and resilient industrial network now and for the future, and (b) to take advantage of cost-effective security and resilience opportunities afforded by the cloud which exceed the possibilities afforded by the current on-premise model.”

The contract notice comes nine months after WWU hired an operational technology (OT) security partner with “extreme urgency brought about by events unforeseeable for the contracting entity”. WWU told The Stack that this was in response not to a security incident but to regulatory pressure.

What is WWU's Galileo Programme?

The gas network firm said in a December 21 contract notice: “The Galileo Programme is a significant, high-risk and multi-year programme of work composed of several different phases and projects. WWU is seeking to partner with an organisation that can work closely with us on all aspects and phases of this programme… from initial proof of concept implementations through to testing and eventual production deployment.”

“At the core of the programme will be the design and build of a new ICS network, including an industrial demilitarized zone (DMZ), to be hosted in Microsoft Azure. The new Azure estate will host assets at Purdue layers 3 and 3.5 and will be required to communicate securely with lower and higher layers of the WWU industrial technology stack, which are hosted outside of Azure, as well as external hosts on untrusted networks.


"The project will therefore include all aspects of Azure network architecture design and implementation, including deployment of SaaS, PaaS and IaaS components ... and will also define and implement the security policy and governance standards that will apply to the network."

The overhaul comes as government authorities tighten their scrutiny of utility cyber and information security amid rampant ransomware attacks and fears that critical infrastructure's IT networks (which often include significant legacy components and infrastructure running on aging protocols and operating systems) look like a compelling target for motivated adversaries, whether cyber-criminals or hostile states.

WWU added in the contract notice: "However, the programme also encompasses aspects that go beyond the creation of the Azure environment. For example, there is a requirement to bring unmanaged and unsupported ICS devices under proper governance and control, ensuring full lifecycle management, patching and support. Alongside this, a new solution for effective identity and access management for colleagues working in the ICS space will be required. The pros and cons of secure remote access to remote facilities will need to be considered and a secure solution implemented if WWU agrees there are security benefits to be gained. Finally, existing redundant general packet radio service (GPRS) and satellite communication (SATCOM) conduits will also need to be taken into account and factored appropriately into the new architecture design.”
