Written by Jasper Hooft
Fluvius
Toreon simply manages to put the right expert in the right place
‘Thanks to Toreon, we now proactively consider the STRIDE security threat model for each new project at Fluvius’
Utility company Fluvius, Latin for ‘river’, was given a name that truly fits it to a tee: on a daily basis, the company’s services ‘flow’ into almost every single Flemish home. Created by the merger of Eandis and Infrax, Fluvius is responsible for the natural gas and electricity networks, as well as sewerage, thermal distribution and digital networks, in Flanders. In total, the company manages an impressive 7 million connections. To counter the ever-looming threat of a security breach, Fluvius decided on a collaboration with Toreon. It gives the company the confidence to continuously and sustainably connect with society in a secure digital environment: ‘One of our core values is ‘stronger together’. As we see it, Fluvius and Toreon are definitely ‘stronger together’!’
ICS security
Threat Modeling
Data Protection
Each company operates in a unique digital environment, characterised by its own specific concerns and challenges. As Fluvius is not just a utility company for natural gas and electricity in the 300 Flemish municipalities, but is also the main drainage system operator in 84 Flemish municipalities, the cable distribution network operator in 91 municipalities, and the manager of all municipal public lighting, its digital environment stretches far and wide. Both inside and outside of the company, enormous amounts of data are processed at lightning speed. Keeping those data secure is therefore an absolute priority for both Fluvius’ Chief Information Security Officer (CISO) / Data Protection Officer (DPO) Peter Allaert, and Frederic Martens, Security Officer at Fluvius.
Tough balancing act
Allaert: “In my job, I focus on creating effective strategies by translating security legislations into actual guidelines, aimed at our employees, customers, contractors, and other stakeholders. Privacy is key here.” Martens adds: “Whereas Peter is responsible for the strategic component, I come up with practical security solutions. This involves the development of security aspects across the digital landscape, including enhancing our employees’ security awareness and skills by providing training. My team and I have to keep user-friendliness in mind during every step of this process; a tough balancing act!” To help pull off that balancing act successfully, digital security expert Toreon was approached to step in.
Fluvius was not looking for a tailor-made solution for one specific problem but counted on Toreon to continue the mostly project-based analysis and implementation of digital security measures within the newly established company, both concerning the flow of digital information (Information Technology (IT)) and the operation of its industrial control systems (Operational Technology (OT)). Martens: “Toreon’s security architects, for instance, introduced the STRIDE threat modeling technique, which is used to discover the security weaknesses of software and control systems.” According to this technique, security threats are broken down into six categories, i.e. Spoofing, Tampering, Repudiation, Information disclosure (privacy breach or data leak), Denial of service, and finally, Elevation of privilege.
Toreon trained the Fluvius employees to carefully evaluate how each area could be exploited and to identify blind spots in their security measures. Then, Toreon coached them in planning the steps to limit each threat. This way, threats are proactively limited as Fluvius’ IT professionals design, build, and implement security systems. According to Martens, it is crystal clear: “The added value the Toreon experts created by finding answers to the question, ‘What can go wrong here?’ materialized almost immediately for us.” Fluvius’ Security Officer expands, “Whereas in the past we did not carry out extensive risk analysis – an absolute necessity, nowadays – thanks to Toreon’s implementation of threat modeling through STRIDE, we are able to proactively consider how STRIDE applies whenever we embark on a new project.”
More examples of Toreon’s tasks, Allaert adds, are “the design of security architectures, i.e. the layered implementation of security, in the context of Fluvius Business projects, which include the digitalization of smart grids and Fluvius’ online Customer Portal.” Martens stresses that these projects are always preceded by in-depth risk analysis by a mixed team of Toreon consultants and Fluvius’ security architects on both existing and conceptual solutions.
‘Toreon’s thorough in-house knowledge, both concerning IT and OT, was exactly what Fluvius was looking for’
Peter Allaert – CISO @ Fluvius
Solution-oriented approach
Are there other ways in which Toreon makes a difference? Martens swiftly replies, “Toreon experts stand out because of their independence: Fluvius is a large company, but they are able to find their way and manage their projects very autonomously.” Toreon also gets done what it sets out to do, according to Martens: “They go beyond dry, theoretical concepts, make sure we are on board and the solutions are implemented swiftly and correctly.” Both Martens and Allaert agree that the Toreon team shares an extremely pragmatic, solution-oriented approach. Martens: “The Toreon team manages to break up complicated matter into smaller chunks, which are easier to manage and implement.”
When it comes to the added value Toreon brings to Fluvius as a business, Allaert is clear: “Toreon’s presence here is directly translated into business for us, as we can use their knowledge to train and educate our own staff. This way, we are able to embed their expertise in our own daily operations.” Martens nods: “Our company also learns a lot from their experience with other companies.”
Under lock and key
The average Fluvius customer also benefits from Toreon’s accomplishments at Fluvius. “We deal with vast amounts of personal data. Our customers expect us to provide them with gas and electricity, but also expect their data to be safe with us.” One striking case is that of the digital energy meters, which Fluvius started to install back in July 2019. Stories in the press concerning the data Fluvius was granted access to through these devices caused some concern among customers. “About 250,000 people have installed one of those digital energy meters,” Martens adds. “Thanks to the combined effort and Toreon’s expertise, we are able to reassure every single one of our customers that their personal information is safe – under lock and key, so to speak – and will remain so.”
Both Frederic Martens and Peter Allaert agree: the ongoing collaboration with Toreon is a successful one. Martens: “Toreon simply manages to put the right expert in the right place. One of Fluvius’ core values is ‘stronger together’. As we see it, Fluvius and Toreon are definitely ‘stronger together’!”