Out of the red zone thanks to Toreon’s full security service
“Toreon’s cyber security solutions lead to good governance, and good governance always leads to good results”
Luminus is currently the second largest electricity producer and energy supplier in Belgium. The company’s ambitions, however, go far beyond the boundaries of the traditional energy market. It focuses on innovation as a tool to obtain larger societal goals: creating a carbon-neutral energy future, with a focus on renewable energy and alternative energy sources. As digital innovation is key to reaching these goals, cybersecurity has become top of mind at the company. In this digital age, Luminus relies on Toreon to help transform digital security from a disabler of progress to an enabler of innovation. Based on a series of specific solutions designed by Toreon for Luminus, the collaboration was anything but a waste of energy!
Established back in 1978, today, Luminus offers electricity and gas to no fewer than 1.8 million private and professional customers. A part of the approximately 2,000 employees help account for about 14 percent of the electricity generation in Belgium. Beyond the traditional gas-fired power plants in various locations across Wallonia and Flanders, Luminus owns an additional seven hydraulic power stations, which are located south of the language border along the “Maas” river. Moreover, the company is Belgium’s number one producer of onshore wind energy. Furthermore, Luminus holds stakes in a number of nuclear power plants.
“As Luminus aims to take on the role of leader in the field of energy transition, the only constant is change”
David Bertholet, National Operations & Maintenance (O&M) Manager at Luminus, and Erwin Bovyn, Luminus National O&M director, can both look back on an interesting yet tumultuous time. As things keep moving forward at lightning speed on the energy market and Luminus aims to take on the role of leader in the field of energy transition, the only constant is change. Innovations related to energy production for both private and corporate clients naturally bring about changes in the digital governance of those operations.
Bertholet explains that the collaboration focusing on security began just a few years ago. Looking back, both Bertholet and Bovyn agree that this collaboration proved to be of enormous added value to Luminus; combining Luminus’ in-house knowledge and Toreon’s particular expertise, the company was able to move forward on the cyber security front by leaps and bounds in a brief stretch of time.
Potential target for cyber-attacks
Bertholet and his team decided to partner up with Toreon after Luminus’ Industrial Networks underwent a cyber risk audit by the overarching EDF group. The audit included a simulated security attack on Luminus’ industrial systems, aimed to not simply test the level of technical protection, but to also raise awareness. Bertholet stresses that “As EDF oversees nuclear power plants, it is considered a possible target for cyber-attacks, with potentially lethal consequences. Cyber security is therefore an extremely important issue for both Luminus and the entire EDF group.”
It goes without saying that the global audit was monitored closely by management at the company’s most senior levels. Once the audit was finished, and it turned out the OT system could be penetrated via the IT system, Luminus received a report that Bertholet describes as “rather hard to digest.” He continues, “At the time, we believed we were doing quite well, but it then turned out we were not sufficiently familiar with the world of cyber security. We were given code red, which means there was a lot of work to be done in a short period of time.”
The audit clearly highlighted a number of areas where improvement was needed, not only on the technical level, but also when it came to awareness of the employees and a better understanding of the risks. Both Bertholet and Bovyn, being “very proud and passionate about our jobs”, took this report as an opportunity to get down to the bottom of the issue. It was then, Bovyn explains, that Luminus decided to look for support from an external partner, “as this is not our core business, and we lack the necessary skills and resources in-house.”
Together with the Luminus IT department, Bertholet’s team identified and mapped out which steps they believed needed to be taken. It soon became clear that Luminus needed more manpower that would come equipped with a set of specific tools and skills. “Thanks to a lead in our IT department, we came across Toreon,” says Bertholet. “The initial contact of IT personnel in the OT environment was somewhat of a struggle,” according to Bovyn. Bertholet adds, “We tend to approach things from an industrial perspective, meaning we are very pragmatic and quick to react whenever an issue arises.” It did not take long, however, before the necessity of Toreon’s ‘bigger picture approach’ became clear. Bertholet: “We trusted Toreon’s prior knowledge and experience and soon found common ground, and even a common vocabulary, seeing many concepts were completely alien to us back then!”
“Toreon was essential in connecting with the key functions and people within our own IT department as well as with getting to grips with some key concepts”
Based on the audit report, Toreon eventually developed a customised strategy and introduced Luminus to an appropriate approach to handle potential risks, which included full security service, with digital forensics and malware analysis support as well as security governance. “Toreon even acted as a mediator between us and the auditors, which we really appreciated,” adds Bertholet. The strategies were mapped out on a detailed matrix, which the company also used to track any progress made. Bertholet explains, “That matrix was our starting base; in fact, we still use it to this day!”
Implementation and roll-out
For the more specific implementation and roll-out of the cyber security measures, a project manager was appointed. In order to support Luminus with advice on a possible security architecture and to point out potential risks (“right down to the smallest detail, including pen tests,” Bertholet comments) Toreon and Luminus collaborated in various ways: “Toreon supported us through different channels, in physical meetings, through weekly action plans, but also in workshops and through regular one-to-one coaching – there is no single way of communication between us and Toreon,” says Bovyn.
Before Toreon was introduced in the Production department, they already supported the IT department. “The fact that Toreon had already established strong links with the IT department was extra beneficial to this project,” Bovyn continues. “This was essential in connecting with the key functions and people within our IT department as well as with getting to grips with some key concepts.”
One of the more substantial aspects of Toreon’s collaboration with Luminus was the design of threat models, a tool through which potential security threats and vulnerabilities can be identified, so the right techniques to mitigate the attack can be selected. Bovyn comments, “We would never be able to do this by ourselves.” Moreover, Toreon helped turn those threat models into secure, reliable practices tailored to Luminus’ needs and also organised several training sessions for Production staff.
“After our first audit we were scored red, and after our collaboration with Toreon we are considered green.”
Benefits for company and customer
Bovyn applauds the sensible and human approach of the dynamic Toreon team, especially within this setting. Amidst the war for talent in the cyber security sector, Toreon manages to retain a skilled team of professionals, and, in case of employee turnover, the impact on the current project is negligible. Bertholet admits that cyber security is a “never-ending project”, and summarises that Toreon offers great service, a fairly unique skillset, plenty of cyber security expertise and respect for the allocated budget. “Implementing the changes Toreon suggested related to cyber security leads to good governance, and good governance always leads to good results – and, in the end, this benefits both us and our customer.” And, to conclude on a happy note, Bertholet discloses, “After our first audit we were scored red, and after our collaboration with Toreon we are considered green.”