Case Study · Energy & Utilities

Canadian Pipeline Operator Migrates 18 Sites to Palo Alto

OT-aware. 18 weeks. NERC CIP-aligned design.

How a Canadian pipeline operator migrated 18 operational sites from a legacy NGFW vendor to Palo Alto in 18 weeks with OT-aware deployment at the IT-OT boundary, NERC CIP-aware design for cross-border interconnections, and full Palo Alto IoT Security visibility.

Canadian pipeline operator, 18 operational sites, cross-border bulk-electric-system interconnections

  • 18 operational sites migrated
  • 18 weeks end-to-end
  • NERC CIP-aware design
  • ICS protocols: App-ID coverage
01
The challenge

Legacy NGFW EOL and OT visibility gap

The operator's legacy NGFW estate was approaching end of support across 18 sites. The replacement decision coincided with NERC CIP version updates that demanded better OT visibility and IT-OT boundary inspection for cross-border interconnections. The operator's existing security team was IT-network-focused. OT environments were owned by engineering teams with limited security tooling. Bridging the gap required a vendor that supported ICS protocols natively. Three options surfaced.

"The IT-OT boundary was the gap our auditors kept circling. CWS delivered it as part of the migration without making it a separate project. The NERC CIP awareness was already in the design, not a retrofit."

Head of IT Security, Canadian pipeline operator

Why CWS

Four reasons CWS won the engagement.

  • OT-aware engineers

    CWS senior engineers experienced in IT-OT boundary deployments and ICS protocol inspection.

  • NERC CIP awareness

    Engagement deliverables included NERC CIP control awareness for the operator's cross-border interconnections.

  • Phased site rollout

    Site-by-site cutover with documented rollback at each site reduced operational risk.

  • Engineering-team coordination

    Coordination between IT security and operations engineering teams across distributed sites.

02
Timeline

Five phases. Defined ownership.

  1. Phase 1

    Discovery

    Three weeks. Site inventory, legacy policy export, OT environment audit, NERC CIP scope mapping for cross-border interconnections.

  2. Phase 2

    Design

    Three weeks. Target architecture per site type (HQ, operational sites, remote stations). IoT Security deployment plan. ICS App-ID coverage validation.

  3. Phase 3

    Build (parallel)

    Five weeks. PA-1410 pairs racked at each site, Panorama configured, IoT Security cloud-delivered service activated.

  4. Phase 4

    Site-by-site cutover

    Five weeks. One to two sites per week with weekend cutover windows. Rollback ready at each site. Cutover scheduled outside peak operational windows.

  5. Phase 5

    Stabilization

    Two weeks. Tuning, IoT Security policy refinement, decommission of legacy hardware.

03
Impact

What changed after the engagement.

  • 18
    sites migrated
    Site-by-site cutover with zero unplanned downtime
  • 18 weeks
    end to end
    Including parallel build phase across sites
  • ICS
    protocols inspected
    App-ID coverage for Modbus, DNP3, IEC 61850 at IT-OT boundary
  • IoT Security
    deployed across all sites
    Connected-device inventory and risk classification
  • 0
    OT operations disrupted
    Cutover windows respected operations engineering schedules
  • NERC CIP
    control awareness in design
    Cross-border interconnection design aligned to NERC CIP expectations

What's next

Where the engagement is heading.

The operator has expanded the engagement to include Cortex XDR rollout across IT and OT-bridge environments. Cortex XSIAM is in evaluation for SOC consolidation across Canadian and US operations.
