Case Study · Energy & Utilities

UAE Energy Operator Migrates 14 Sites to Palo Alto

OT-aware. 16 weeks.

How a UAE energy operator migrated 14 operational sites from a legacy NGFW vendor to Palo Alto in 16 weeks, with OT-aware deployment at the IT-OT boundary and full Palo Alto IoT Security visibility.

UAE energy operator, 14 operational sites under sector cybersecurity framework

  • 14: Operational sites migrated
  • 16 weeks: End-to-end
  • OT-aware: IT-OT boundary inspection
  • ICS protocols: App-ID coverage
01
The challenge

Legacy NGFW EOL and OT visibility gap

The operator's legacy NGFW estate was approaching end of support across 14 sites. The replacement decision coincided with a sector cybersecurity framework refresh that demanded better OT visibility and IT-OT boundary inspection. The operator's existing security team was IT-network-focused. OT environments were owned by engineering teams with limited security tooling. Bridging the gap required a vendor that supported ICS protocols natively. Three options surfaced.

"The IT-OT boundary was the gap our auditors kept circling. CWS delivered it as part of the migration without making it a separate project."

Head of IT Security, UAE energy operator

Why CWS

Four reasons CWS won the engagement.

  • OT-aware engineers

    CWS senior engineers experienced in IT-OT boundary deployments and ICS protocol inspection.

  • Sector framework alignment

    Engagement deliverables aligned to the operator's sector cybersecurity framework, with audit artifacts ready for review.

  • Phased site rollout

    Site-by-site cutover with documented rollback at each site reduced operational risk.

  • Engineering-team coordination

    Bilingual coordination in English and Arabic between the IT security and operations engineering teams.

02
Timeline

Five phases. Defined ownership.

  1. Phase 1

    Discovery

    Three weeks. Site inventory, legacy policy export, OT environment audit, sector-framework mapping.

  2. Phase 2

    Design

    Three weeks. Target architecture per site type (HQ, operational sites, remote substations). IoT Security deployment plan. ICS App-ID coverage validation.

  3. Phase 3

    Build (parallel)

    Four weeks. PA-1410 pairs racked at each site, Panorama configured, IoT Security cloud-delivered service activated.

  4. Phase 4

    Site-by-site cutover

    Five weeks. One site per week with weekend cutover windows. Rollback ready at each site.

  5. Phase 5

    Stabilization

    One week. Tuning, IoT Security policy refinement, decommission of legacy hardware.

03
Impact

What changed after the engagement.

  • 14 sites migrated: Site-by-site cutover with zero unplanned downtime
  • 16 weeks end to end: Including parallel build phase
  • ICS protocols inspected: App-ID coverage for Modbus, DNP3, BACnet, ICCP at the IT-OT boundary
  • IoT Security visibility deployed: Palo Alto IoT Security inventoried OT devices across all 14 sites
  • 0 OT operations disrupted: Cutover windows respected operations engineering schedules
  • Sector framework alignment delivered: Audit artifacts produced as engagement deliverable

What's next

Where the engagement is heading.

The operator has expanded the engagement to include Cortex XDR rollout across IT and OT-bridge environments. Cortex XSIAM is in evaluation for SOC consolidation.
