Cybersecurity for the Utility Sector

Your OT needs just as much security as your IT

The Utility sector is going through a change. Since the NIS directive came into place, awareness increased not only at the companies in the utility production, transmission, or distribution sectors but also with hackers who have become more aware of potential gains and where to strike. On top of the growing cyber threats in IT, the Utility industry also faces the difficulty of legacy OT environments that are increasingly connected to networks and servers in the office environment. These connections need to be considered as vulnerable and need specific protection mechanisms; OT can’t be treated the same as IT. This new interconnectivity is the root cause of new trends in cyber criminality.

Our mission within the Utility sector is to help both essential and non-essential businesses with all aspects of cybersecurity, in order to build a safe society where these services are guaranteed.

Toreon simply manages to put the right expert in the right place

“Toreon experts stand out because of their independence: Fluvius is a large company, but they are able to find their way and manage their projects very autonomously. Toreon also gets done what it sets out to do.”

Frederic Martens (Security Officer at Fluvius)

Read the full article

How we can help you

Compliance

In 2018, the European Union requested all member states to adopt the Directive on security of network and information systems. As part of NIS, member states are to identify essential service providers who are required to follow the NIS regulations. These essential service providers have to promote and develop a culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced. Utility companies are often identified as essential service providers given their impact on society and will need to document and treat their cyber risks and demonstrate that their cybersecurity is managed in a mature way. We help our clients to set up their cybersecurity according to the ISO/IEC270001 standard, which is widely accepted to be the reference for creating an information security management system, and achieve ISO/IEC270001 certification.

The bridge between IT and OT

As seen in the press, attacks on Operational Technology (OT) infrastructure are both increasing in volume and sophistication. In this evolving threat landscape, the potential risk of an attack on your industrial control systems (ICS) is increasing daily. However, as IT and OT are environments with fundamentally different requirements, this needs to be reflected in the chosen security strategy. Toreon has ICS security consultants with hands-on experience in ICS environments. These consultants understand and respect the sometimes fundamentally different views on security in OT versus IT departments. They can help you protect your production-critical assets and act as a bridge between IT and OT, which reduces friction and frustration and increases your overall security posture.

Technical Assessments

Having a good overview of your current attack surface is a prerequisite of any cost-efficient security program. Unfortunately, this is not always easy, and especially so in Operational Technology (OT) environments. A mix of modern and legacy systems managed and supported by different parties, and sometimes involving very industry-specific protocols or technologies, make it all too easy to lose the overview of the important security risks. To assess the security of your IT and OT environment, Toreon employs a team of matter experts and seasoned threat modelers. We combine our know-how in providing international threat modeling to large organizations with our hands-on ICS/IT experience. This results in a thorough technical assessment tailored to your needs. It tells you where your risks are and provide constructive advice on how to address them, taking into account the practical considerations of your environment.