So SGN stands for Koland gas network. I believe if I, yes, the speaker is Moad who's the CISO. And he will talk about how SGN is securing shared credentials, credentials at the heart of digital transformation. And I'm really curious about it because I've been moderating just a, so it was electricity, which is probably even more problematic than gas, but I've been moderating a, a U workshop with it, security people from various energy providers about security and identity.
They left me a little bit scared because they all were scared regarding the physical security and the other things and what the children transformations mean to them. So I'm really interested in what you will tell about the gas in Scotland and beyond, sorry, the state yours. Here you go.
So,
Yeah, that's fine. Okay. Wanna start? Okay. So I've never felt so much pressure to finish my presentation in time. Thank you all for staying. It'd been really embarrassing to give this talk to an empty room. So my position here, so why am I here?
So, so essentially I think I've heard some of the other talks and they're really around some aspirational status that, that the IDAM industry might be in and also some technologies, but here, I'm here as a CISO to talk and share with you as a peer, the transformation that our organization went from. And I hope the output of this is that if there's anything that you can take away and implement in your own organization, and there's some benefit to that.
So just to give you an overview of SGN, we are the UK's largest gas distribution company. We're also part of critical national infrastructure.
And we, we are probably best described as a traditional organization. We've got around two and a half thousand field engineers, and broader than that, not just for SGN, also within the rest of the utility industry in the UK, we're under increasing pressure to reduce costs. I'm not sure if you have this in all the, on all the rest of the countries, but generally there's always a view that the utilities industries are overcharging the customers and that there are people at home, especially the elderly who are being overcharged by fat cats.
And I think that for us is not gonna change the organization as well is also split into two parts. We have a regulated business. So the regulated business is where we are paid buying, essentially the government to distribute gas up throughout the UK, to our customers and unregulated and unregulated for us is the opportunities around new growth opportunities that I'm gonna talk to you about. So as part, as, as I was explaining, we've got two parts to regulated and the unregulated unregulated is really the only opportunity that we have to branch into new business opportunities.
And what this essentially means for us is from an it perspective, is to transform the way that we currently do business.
And there's, there's been a lot of talk around services that we are providing out to people, but there hasn't been that much from what I call around, understanding the customer and providing services for the customer. And just an example of that, I was at a car wash around, I was at a car wash about eight months ago at supermarket and I parked up and the guy gave me, the guy came over and we did, you know, how much, which one do you want?
Oh, this gold. Okay. So how much is that? 25 pounds again, it's 25 pounds. And he said, can I have your mobile number? And I said, what do you want my mobile number for? And he said, so I can inform you when the car's ready. So he had a tablet in his hand and I went, okay. So I gave my mobile number.
And as I, as I walked away, I started walking to the store. I received a text message. And he said, hi, Mr.
A dude, your car be ready in 40 minutes. And I thought, wow, that's amazing. So I got into the store, I managed to get around two lanes, and then I got another text message saying, hi, Mr.
A dude, your car's ready. You can come and collect. And the point that I'm trying to make there is that experience is something that our users see day in and day out in their day to day experiences. And when they come back to the organization, they start challenging us around why they can't have that experience and why our systems can't provide that kind of interaction for them.
So that, oops, sorry, I've pressed the button accident. So apologies that kind of, that, that kind of drives the customer experience piece that we have in terms of trans transform transformation of our infrastructure. And that really led us to the position of going cloud first. So we're the first critical national infrastructure in the UK to go a hundred percent to the cloud for those questions around gas control, which is separate domain that is in our sites as well. But that's outside the scope of what I'm primarily talking about today, but I'm happy to talk to you about it offline.
And also when we look at a digital workforce and a changing workforce, we've just changed all of our pipes around the UK from copper to plastic and plastic has a hundred year life expectancy and has, and is less likely to, to break. However, with that, it still does break. And as I talked about innovation, I just wanna play a video for you just to reiterate the places that we're going as an organization for new innovation
We own and operate in SGN around 75,000 kilometers of gas distribution pipelines.
The assets have been in the ground are predominantly over a hundred years old in some cases. And these assets need looking after in the way of even repairing joints, which are leaking for replacing assets. Traditional efforts of dealing with this sort of activity is to excavate on joints, which are located every 12 foot or nine foot along the, the length of the main,
We, we have a significant manage replacement program that's in place.
And we're looking to innovate in that area to minimize disruption in terms of the street works, that we carry out
One technologies, which has been of interest to distribution networks for a number of years is robotic technology largely what was brought to the UK SGN in 2013 and trialed in a live environment. This system not only allows you to launch a robotic system into a Maine, but allows you to seal every single joint that comes across in a block area. SGN and USC have started in February, 2014 to develop the NRC project, which will take robotics to a new level.
This will involve developing a system that ought seal all types, large tur metallic joints, and also develop an asset report, which allows to proactively plan how we manage our network in the future.
Essentially, it's a robot that will be inserted in the gasoline. It will perform an asset integrity check within the pipe, using an array of sensors that we'll be developing as part of the project.
Once it's collected that information, we'll also carry out a repair and remediation of the existing joints, for example, and identify any areas of the pipe that are of significant concern that we need to do something with
The gas distribution. Network's gonna be able to access a pipe in a very cost effective and streamlined way without digging up the entire street.
So just on, just on that note as well, other parts of digital transformation and innovation that we see is a as well as robotics is using drones to fly over remote parts of Scotland after a storm, and also things such as smart metering. So, so with this position, in terms of where our organization was, the currently challenges that we have with our infrastructure and need to become more agile and need to be able to support the business within innovation. These are essentially the key points that we took to the board to ask for investment for our organization to move to cloud.
First, I think it's worth pointing out from my perspective that security was part of that, but security wasn't the primary driver. If we look at some of the challenges that we have in our current environment, I don't think any of these are unfamiliar to anybody in the audience. And I think the opportunity that I saw from a security perspective was really around the ability to have real time asset management, which is a key fundamental foundation for security. And once you understand your assets, you can start to build up around where those assets are being used. I think I'm being horrid on.
So the business con, so the point that I wanted to highlight again, was really that bus, that security wasn't the primary driver for this, that it was a business decision. We have complexity that we're aware of in our own environment and the opportunity that we have in moving to the cloud allowed us to have better visibility and better management. If those of you that are familiar, there was a report last year around the cloud hopper report, which was provided by PWC and BAE systems.
And essentially what this explained was how apt 10 was using managed security providers to move across customer networks. And they were doing this by exploiting, privileged access management and creating new accounts and being able to move around without detection
As a part of a critical national infrastructure. We're obviously aware that we have risks that most other organizations don't always have. And so for us, one of the key approaches that we choose to chose to take was this process of attack path mapping.
So attack path mapping is taking something a bit more comprehensive than your traditional pen test, where essentially what we look to do is utilize in this scenario, an organization that is authorized to remove nation states out of government systems. And so what they did was they came in with a piece of work where they used the same types of techniques that are used by advanced nation states and looked to you to li look, to exploit our environment.
If you haven't taken this approach, I, I really strongly recommend it because I think it can be one of the most enlightening positions in your environment. And I think that there is often, I think there's often a misunderstanding around the capabilities of all your security tool sets, and this approach provides very good affirmation as to your ability to not only identify, but initially detect those systems.
And also within that to test your SIM and sock response systems, it also allows us to really prioritize around what is the most likely attack route given that we know, and this touches on why I'm here today, that essentially active directory is the, is the Achilles heel for any organization and for an attacker, the main priorities to be able to escalate escalate permissions up to enterprise admin. And once they have that, they have essentially captured the flag. And if like many organizations, your, your security controls are based around active directory groups.
What your tend to find is once that once those root credentials are exploited, they'll be able to move around your environment. And again, it's likely that you'll have very little visibility around what's being done. So with that in mind, we kind of took this as a key principle for the way that we wanted to manage and secure our cloud environment.
And that's why it's no surprise again, why I'm up here to explain that for us, we use CA pan as a, as a core infrastructure security infrastructure to manage the security around this.
I'll talk a bit more about the relationship there in a second, but as I touched on this slide, this slide was added in by Naresh earlier today. It wasn't meant to be in the deck. He asked me if he should take it out. And I said, no, he's our account manager for CA I said, no, I'm gonna call you out in front of the crowd and tell you that you put it in there, but, but he is a good guy. So I'll give him diplomatic immunity. And our relationship has been strong. And I'll talk about that in a second.
So some of the other opportunities that we have is really around there was a gentleman that was up before talking about trust.
And it's quite interesting because you know, there, there's a couple of views around verifying trust and, and there's another principle around zero trust around actually, I don't trust anybody and I don't trust any part of the network. And that's part of a principle that we've kind of taken into our cloud environment that says the traditional environments, where you say you have domain access, or you have access into a network and you can see everything.
We want to remove that capability. And it's a bit like his slide. Last slide said it was around who you are and what you have access to. And having the ability to restrict that along with that, what we want to do is integrate ticket author thick ticket authorization through service now, and SecOps, which is a module of service now, and also automating that into, and also automating that into a two factor control so that when you require admin privileges, it's requested, it's authorized, you're provided just in time access and then they're removed.
So this principle of, of constantly having privileged access is, is for us, hopefully a legacy position. The last thing that I just wanna, I, I realize I've rattled through this quite quickly, but I'm conscious of time. And the fact that everyone needs to go out and have a drink.
I just, I just wanna elaborate on a point here that we've taken on this position. So a lighthouse partnership for us has been really important and a lighthouse partnership means that we want a strategic security partner and a strategic vendor. And what that means is last month we had around 19 of our security partners, all in the room for two days, NCSC stands for the national cyber security center in the UK. And together, we collaborated to make sure that we are all aligned within SGN strategic security strategy. So what does that mean?
So it means that sometimes we will have vendors in the room that actually compete with each other. But actually what we do is we lay out very clearly who plays in which part, and who's responsible for managing which part of the, of the kill chain. So for example, where we may work with CA Pam, we may also work with Okta in terms of two-factor authentication with that. We may also work with Symantec and we may also work with Microsoft.
And this, this process of working through this ecosystem has been very important to us and very effective.
So on a collaboration point, I'd just like to add one point before I'm Ash it off stage and take some questions. I'm chairman for a group called the Morris club. And the Morris club is a group which is made up of vendors, security professionals, and integrators that are vested in moving forward and challenging con conventional thinking in the security space and producing white papers that are usable for any CSOs across Europe.
So if any of you are interested in joining the group, whether you are a CSO security vendor or integrator, please visit the Morris club.net. And we'll be welcome to have, will be great to have you on board.
Thank you more and again, great talk. I think we should take the time for picking at least one of the two questions I've trust. Oops. I saw some finally they disappeared for some reason.
Anyway, the, the question I saw before they disappeared was about how did you convince your admins of going through a privilege management tool?
Easy?
Well, for us, it was very easy. We took the output of the report that, or the, of the attack path mapping report, and we shared it and we were completely transparent with everybody around how our accounts were compromised, how they were, how they managed to move across the network without being identified. And that brought everybody on board.
Okay,
Cool. The second question, the attack path analyzes. Did you also do it for your old, for the entire sort of operation technology environment because that's yeah. The
Other problem, the reality of this is, is although we like to use the term, we've got an OT environment and we've got an it environment, the reality is they're, they're closer, connected than we probably like them to be. Okay.
So, so yeah, it has to be a holistic environment. Otherwise, as, as I explained, once you have domain privileges, you'll move across the forest and, and you'll, you'll achieve the same thing.
Okay,
Perfect. Thank you very much for your insights from practice. Very few quick notes. So tomorrow morning, I believe at seven in front of the hotel, the EIC 2018 run starts. We.
