As chief technology officer (CTO) of National Gas, Darren Curley oversees the technology strategy of one of the most critical entities in the UK, maintaining Britain’s high-pressure gas transmission system, transporting gas to homes, businesses and power stations through 5000 miles of pipeline.
After a 30-plus-year career in IT architecture, Curley joined the company in 2022. He now works alongside National Gas’s CISO, Polly Cameron, to align the cybersecurity strategy across three domains: enterprise IT systems, industrial systems and critical national infrastructure (CNI) systems.

Infosecurity Magazine: As a CTO, to what extent are you involved in the cybersecurity strategy of National Gas?
Darren Curley: I've been working in IT for 34 years. During those years, my involvement in setting up the security architecture for the organizations I worked for has increased quite a lot.
Today, at National Gas, my role as CTO consists of defining the IT and security strategy from a solution perspective: choosing the tech stack, the vendors and overseeing the implementation, then handing it over to our security team.
Everybody gets quite excited about security, but it's just another capability that you deploy through technology. At National Gas, we knew we didn’t have time to select the best of breed for each solution we needed and integrate each of them one by one. The approach we have taken has served us well so far.
It's quite nice, really, to be able to oversee a holistic tech stack implementation in an organization.
IM: How do you interact with the other security roles, like the CISO or the SOC team?
DC: The definition of the security components falls under my area and the implementation and everyday running of the security functions falls under the CISO’s.
Of course, there will always be tensions in that relationship, because everybody has a different perspective. These are usually technology choices and it's usually from historic context. One person is used to a certain technology stack, but another one believes it doesn't fall in with our strategy.
We need to balance it up and potentially reskill staff members so that they've got the skills they need for the strategy we have chosen and the solutions we have selected. The people aspect often gets overlooked, and it's the bit that usually creates the most tension.
My way of dealing with this is to set out a common future that we want to achieve. Then I go through proper security architectural review with the CISO, the SOC team and other cyber roles so that we get the right solutions.
As a CTO, I can only see so much, but when you bring in the views of the SOC and the CISO and other people, it's a bit like a diamond: the more facets you have on it, the brighter it shines. I always look for a different facet to my own to make sure that we've got everything covered or at least we are aware of what we are missing.
I think that sometimes choosing the simple solution and retraining people is much better than trying to shoehorn something in that they used to use. A change in totality is sometimes easier to land than trying to be a facsimile of something that they thought they understood before.
Thankfully, at National Gas, we didn’t have to add budget constraints to these contentious points - which is quite unique in our sector.
IM: Do you and the CISO have a seat at the board?
DC: No, we both report to the CIO, who's on the executive board.
However, when it comes to key things – for example, the digital strategy of the organization – I'll work with the CIO and we'll land that with the board jointly.
Actually, we only just got the CIO’s seat at the board; he used to report to the CFO, who was the only board representative directly involved with the security strategy. That’s progress! But I think the number of seats that we get at the board will always be hamstrung.
IM: We often hear from CISOs that they have to deal with too many security solutions and that their technology stack is growing exponentially. How do you deal with that at National Gas?
DC: It is true for us, but not for the usual reason. At National Gas, we've got different security domains: operational technology (OT), which I equate to the muscles that open the valves or start a compressor to pump gas; critical national infrastructure (CNI) systems, the nervous system that drives the muscles; and enterprise IT systems, which is the productivity area for the general workers.
For reasons of separation and segregation, those areas sometimes have repeats of security capabilities, which is a common pattern across all energy sector clients.
My aim has been to try to move us more towards the same tools with similar approaches in all three domains but with different deployments. For instance, if we're using Palo Alto Networks in enterprise IT and it's working, why don't we use Palo Alto firewalls on a perimeter or some of their scanning technologies inside those zones as a separate deployment?
The market for security solutions dedicated to OT systems has exploded recently, but I've got a really good architect who's starting to implement standard approaches. When you see some of the big software supply chain compromises of the past few years, like what happened to SolarWinds in 2020 or the hack affecting F5’s BIG-IP platform in 2025, you realize that the fewer solutions you use, the more understanding you've got.
You can tell yourself, “If that happens, I've got to do this and I've got to do it this way,” whereas if you've got 15 derivatives of it, you've got big problems.
IM: How does the critical national infrastructure designation shape your company’s cybersecurity strategy compared to non-CNI organizations’?
DC: As far as the UK’s National Cyber Security Centre (NCSC) ratings are concerned, the energy sector is seen as the one that the hacktivists and the nation-state hacking groups are going after the most. In that sector, they've identified us as the most critical, so we're kind of top of the riskiest sectors, meaning we must be very careful and studious in our decisions.
The first thing you do is to make sure that the NCSC’s Cyber Assessment Framework (CAF) requirements are all met to the level that they should be, especially objective D, minimizing the impact of cybersecurity incidents.
Doing this also helps you anticipate where the next wave of cyber threats is going to come from and what they might look like. We’ve got quite a few people who scan different entities, foreign and domestic, adversary activity from hacktivists and the geopolitical side of things.
They provide us with some good intelligence that helps us understand what might happen going forward, so that we can change our response capabilities accordingly.
IM: Can you talk about any security incidents you have experienced?
DC: We don't typically get anybody getting through the security boundaries in the traditional way. We've sometimes had some accidental insider issues, but we've been able to detect and react quickly. I probably don't want to go much further than that.
However, accidental insiders can also be in your supply chain as well and no one should assume that a contract protects them. Scan what you have and put countermeasures in place to make sure that you're always safe.
The things I'm worried about are mostly in the OT space. The approach we’ve chosen to take to tackle insider threats is to introduce a white room approach whereby no one can bring anything from outside on site.
Everyone drops their devices into the white room and then we use multiple extended detection and response (XDR) technologies to scan it and then run static and dynamic application security testing (SAST, DAST) on the devices before we allow the employee to bring them into our estate.
IM: What are the main cyber threats to National Gas today?
DC: I'm not so worried about things like distributed denial-of-service (DDoS) attacks because we're on platforms like Google Cloud Platform or Microsoft Azure, who deal with them all the time. We also use other organizations that protect us against such attacks.
I think phishing is hugely critical to defend against as it generally leads to malware being implanted, but we've added some good countermeasures: we’ve implemented passwordless logon solutions with biometrics.
We monitor well and we've got playbooks to recover across most of our critical pieces.
IM: How much do you need to keep up with geopolitical tensions and nation state threats?
DC: I think everybody should be worried about them in the energy sector. But as I said, we've got a team of people whose specific job is to stay up to date with current threats. We also work with Mandiant and rely on them to help map the threats to our company using the MITRE ATT&CK framework.
We also ingest a lot of feeds of new vulnerabilities into our SOC so that we can detect and respond quickly to new threats.
The most important thing for me specifically is not just looking at the intelligence we receive and process but also trying to anticipate what's next and how we’ll have to adapt our strategy.
For instance, we are currently talking about post-quantum cryptography (PQC) being the next thing to think about.
Additionally, our CISO is very well connected with other people in the industry. She sits on many of the committees across the European energy industry that evaluate potential problems from a cyber perspective, but also from a physical security perspective. She managed all the physical security for the London Olympics, so she’s well versed in understanding how to keep us safe.
