Focus on Teréga. A model of digital security in the energy industry, where cybersecurity challenges are numerous and thorny.
There are the companies that are known to the general public, and there are the others. The ones that operate in the shadows to ensure the smooth running of the public service; the ones we all depend on without knowing it. If you hear the name Teréga, chances are it won’t mean much to you. However, behind this name there is:
- a major player in energy transport and storage in Europe and France. If you live in the South-West of the country, for example, your gas passes through their pipes;
- the publisher of an industrial data storage solution used by many players;
- a high value-added service provider that assists other manufacturers in their energy transition.
Teréga’s field of expertise involves dealing with cybersecurity issues on a daily basis. How do you ensure the digital impermeability of all the group’s activities, which are complementary but intrinsically different in their security challenges?
Finding the answer to these questions is the job of Philippe Puyou Lascassies, the group’s CISO, and Christophe Cuyala, the Operational Security Manager. They told us about their vision and their application of security in a particularly sensitive industry, that of energy.
Teréga, a player historically rooted in the territories
For more than 75 years, Teréga has been ensuring the development and proper management of its gas storage and transmission infrastructures. The future of energy is what guides the company, convinced that the energy transition of territories is at the heart of their economic and social development.
To improve gas transportation and develop its new applications, Teréga relies on a flexible local network. The company supports the development of local biogas production and promotes sustainable mobility, while preparing its network to handle new decarbonized gases, such as the hydrogen resulting from renewable electricity.
Historically, Teréga is a major player in gas infrastructure in France and Europe. “We are at the crossroads of Spain and France. As such, we are part of the major transits that go through Spain and up to the North,” explains Christophe Cuyala.
In addition to its transport activity, Teréga is a central link connecting energy producers and consumers, with security of supply as its core mission. Philippe Puyou Lascassies, the CISO, insists on the company’s particularity:
“Unlike other operators, we do both transport and storage. We not only carry out the major North-South transit, by unclogging certain upstream and downstream gas areas, but we also bring it to the distributors, right up to the city gates. The two activities are closely linked, and contribute to the smooth running of the delivery network to the distribution points.”
“We transport gases in the broadest sense”
This end-to-end involvement in gas transmission means that Teréga is well established in the areas it serves. This presence is reinforced by the diversity of the energies transported. “We also collect biogas, which is produced in the areas we serve,” explains Philippe Puyou Lascassies.
Christophe Cuyala, for his part, has his eyes on the future. “We are also developing our activities around hydrogen, by preparing our infrastructures. We transport gases in the broadest sense. Tomorrow it will be hydrogen, but it could just as easily be CO2.”
Teréga, crucial digital security challenges
Considering its sector of activity, it is clear that Teréga is subject to an increased duty of digital security. The company must comply with a number of French and European regulations. As an energy transporter, Teréga is, for example, subject to the NIS Directive, as well as the future NIS2.
Philippe Puyou Lascassies didn’t wait for regulations to ensure the security of the group’s activities. “Cybersecurity has been an important issue for Teréga for a very long time. We’ve always had a cyber culture, which has developed and strengthened with the company’s digital transformation.”
It must be said that the stakes are high when you are an OES, an Operator of Essential Services (a French designation). Philippe explains:
“We obviously have the same IT challenges as all companies for our management applications and the proper functioning of our corporate IS. But we also have, in addition, industrial systems that support our sensitive activities.
We operate infrastructures that are critical – all the more so in the current context – and we fulfill a public service mission. We must therefore guarantee the continuity of service, the availability and integrity of the IT infrastructures that support these processes. Availability means operating the network at all times. And integrity is the processing of sensitive data; metering, billing… These are our true cybersecurity challenges.”
Christophe, the Operational Security Manager, backs this up:
“And we don’t want to be blind to an industrial accident. We have to be able to supervise what is happening on our gas network at any time. Hence the importance of having the supervision system 100% operational.”
An in-depth digital transformation
In 2017, Teréga carried out an in-depth digital transformation, with the management part on one side and the industrial part on the other. For the corporate IS, the company’s digital transformation was carried out by integrating security by design, with choices such as the disappearance of VPNs or the adoption of the Zero Trust model.
Sanctuarising the gas transport network to reduce the attack surface
For the industrial part, the strategy was different. The objective was twofold: to collect data, while reducing the attack surface of the gas transport network. Christophe Cuyala explains:
“Today, the gas network’s pipe systems must be reduced to their simplest expression: to pass gas. That’s the point, we’re here to transport gas.
On the other hand, everything that we want to do afterwards in terms of value-added services must be done in systems designed for the cloud. With all the power of the cloud, with the tools of the cloud, with the security embedded in the cloud infrastructures. So the idea was to make a digital twin. To get the data that is in our industrial IS and make it available in the cloud, and build applications around it.
So we opened up the EIS, the management part. But on the other hand, we have reduced the attack surface of the IIS. This central part, the gas control, was sanctuarized. We really closed the network electrically to separate it from the rest.”
The CISO confirms: “We limit interactions with the outside. We let data out, but we limit and control everything that can come in.”
Digital transformation: in-house solutions
A question then arises: how to get information out if the network is isolated, cut off from the rest? To meet this challenge, Teréga could not rely on traditional market solutions. Philippe remembers:
“We needed to create a digital twin to make data available, to do simulation, to do predictive maintenance. These reasons are common to almost all companies. But given our constraints, our requirements and our internal strategy of keeping our production sanctuarized, we could not apply the usual solutions.
We had to create this twin and feed it in a slightly different way, with solutions and tools that could not be the same as those used so far in other industries.”
Since they couldn’t find a suitable solution, Philippe and Christophe created their own.
“We couldn’t find a solution on the market. We needed a solution that would allow us to retrieve the data as close as possible to production. That’s why we developed the Indabox. A box that allows us to collect information as close to the field as possible, without having to bring it back to the central office to upload it unidirectionally to the cloud.”
– Christophe Cuyala, Operational Security Manager
IO Base: an industrial data storage platform
With the Indabox, Teréga has therefore developed its own industrial data collection equipment. But it’s not just about collecting information, it’s also about storing it in the cloud. Here again, Teréga’s teams decided to take matters into their own hands by developing their own software solution. Christophe explains:
“We wanted to export our data to the cloud for forecasting and simulation. But for that, the basis of everything was to be able to collect the information. So to create an application that collects and allows us to visualize the data – our measures, our pressures on the whole network… So we developed IO Base, our industrial data storage platform.”
Teréga Solutions: from energy transporter to service provider
If Teréga had not found what it was looking for among the solutions already on the market, it was likely that other manufacturers were in the same situation. Manufacturers with the same constraints and needs. Industrialists who might need the two solutions developed by Teréga, the Indabox and the IO Base platform. It was obvious these solutions had to be brought to the market. The Teréga Solutions subsidiary was born.
“Teréga has created a subsidiary called Teréga Solutions, which is the publisher of the solution. Why? Because we realized that IO Base had great potential. It was something that may appeal to other manufacturers, because it is generic.
It is a platform for storing industrial data in its broadest sense. We are talking about temperature and pressure, but we could just as easily collect volumes of flow in a water station, or the electricity consumption of a group of buildings. It’s generic data storage in real time.
And on top of this storage, we can create micro-applications on demand to add value, to process this data, to exploit it.” – Christophe Cuyala
Today, it is clear that Philippe and Christophe were right. IO Base allows Teréga Solutions to offer various services to all types of manufacturers:
- energy suppliers;
- energy trading platforms;
- local authorities, to monitor electricity consumption and support them in their energy transition;
- companies that want to decarbonise, and monitor the consumption of their sites to make energy savings…
Integrating cybersecurity into the company ecosystem
The IO Base platform is used by many sensitive and critical manufacturers, as well as by the parent company Teréga for its gas activities. Needless to say, cybersecurity is very important to Teréga Solutions. Today, it is an integral part of the company’s ecosystem. Christophe Cuyala, Operational Security Manager, told us:
“We have collaborators with a culture of security at all levels. The architect, for example, is the driving force behind what needs to be put in place in terms of security. He implements the best practices, the most essential things.
We also have the operators, who are constantly looking for visibility on what is happening within the infrastructures in terms of security. They are really looking for the right tools in the cloud to supervise security in terms of compliance, workloads and network flows. They aggregate everything in a centralizer and look at what’s going on on a daily basis, so they can react accordingly.”
Supporting developers with repositories and automation
Software solutions come with developers. Teréga Solutions is no exception to the rule, and has to deal with the constraints inherent in a modestly sized structure. Philippe, the CISO, has been thinking for a long time about how to approach security in software creation.
“Large publishers or companies that do a lot of development can rely on the DevSecOps methodology, which integrates cybersecurity players at all stages, in all sprints. But Teréga Solutions is a small structure, almost a start-up. So we had to do things differently.
We rely on a certain number of good practices and very specific guidelines, to develop in the cloud or secure APIs for example. We trust our developers, they work independently. We also support them with automatic architecture verification and continuous code analysis tools to ensure that they do not create vulnerabilities by design.”
– Philippe Puyou Lascassies, Teréga CISO
To meet its ambitions, Teréga Solutions must rely on partners to develop its offer. While all the DevSecOps expertise is internal, the trust given to developers and partners does not rule out checking the security of the solutions. Verification cannot be done at each step of the development cycle, so Teréga has deployed automated control solutions in its CI/CD, and Yogosha, through bug bounty, establishes a form of final control. This choice allows Teréga to scale up while keeping a high level of control over security aspects.
Bug bounty: “the ultimate step, a final test with hackers”
Philippe and Christophe had already used bug bounty to test the security of the infrastructures controlling Teréga’s gas transport. The operation having been a success, the Yogosha Strike Force hackers were again considered for Teréga Solutions. This time, bug bounty was considered as a final test in the SDLC. Philippe explains his decision:
“We trust people during all stages of development, and the sanction comes at the end with the bug bounty. That’s the final stage, a final check with hackers who are really in the position of attackers. They don’t care about what happened before in the development. It’s really the result that counts. […]
We only do private bug bounty. It’s reassuring, ethical hackers have been selected and it’s not open to just anyone.” – Philippe Puyou Lascassies, CISO
Christophe, the Operational Security Manager, also confirms the relevance of bug bounty:
“We have a very pragmatic vision of security, and we found the same approach at Yogosha. For the tests we had to do on IO Base for example, we were put in touch with profiles that had the necessary skills on this technology to be relevant.”
Bug bounty, a more flexible solution than other forms of security testing
In addition to its effectiveness in detecting in-depth vulnerabilities, bug bounty offers a certain flexibility that is not always found with other forms of security tests. Here again, Teréga’s CISO testifies to the agility of Yogosha’s solutions:
“The simplicity of accessing the service is really appreciable, especially for SMEs or start-ups. Launching a pentest can be complicated. You have to make contracts, which are sometimes hard to manage. Yogosha provides real flexibility. […]
There are some excellent pentesters in IT firms, but you can never be sure of having them. Sometimes the seniors are unavailable, so you end up with juniors. It’s normal, they have to learn, but the level is not identical each time.
With bug bounty, it’s a community of researchers. There is always someone to find something. You’re not dependent on one person, who at some point may not have been keeping up with advances in certain technologies.”
– Philippe Puyou Lascassies, CISO at Teréga
Bug bounty as a training tool for developers
For Teréga’s CISO, the detection of vulnerabilities is not the only benefit of bug bounty. He raises what he calls “a second kiss cool effect”: the training of developers.
“Yogosha’s researchers have a certain ethic, and they share their experience with development teams. With bug bounty, we improve the know-how and sensitivity of in-house developers. It’s a continuous training effect.” – Philippe Puyou Lascassies, CISO at Teréga
Teréga: a bug bounty program managed internally
Teréga’s teams have chosen to take care of the bug bounty management and vulnerability triage themselves. This choice illustrates the company’s desire to be in touch with our hunters. As Operational Security Manager, Christophe is in charge of this task.
“When we launch a bug bounty, the operators, the developers of the solution we are testing and myself all have access to the Yogosha platform, where the vulnerabilities are reported. We prioritize them, then fix what needs to be fixed.”
In summary, Teréga is:
- a major player in gas transportation and storage;
- which has undergone a digital transformation by developing its own solutions, the Indabox and IO Base;
- solutions that led to the creation of Teréga Solutions, a subsidiary that offers high value-added services to all types of manufacturers;
- both entities are now part of a global ecosystem that integrates security by design, with a sanctuarized transmission network, a digital twin that allows data to be collected and then stored in the cloud, and skilled developers supported by repositories and automation tools;
- and bug bounty as a form of final control. A real-life test which, in addition to the preliminary ones, guarantees the overall security of Teréga’s infrastructures and the products that Teréga Solutions offers to its customers.