5. ABOUT WURLDTECH
Founded in 2006
WURLDTECH is a GE company
Headquarters: Vancouver, Canada
GE Digital is an organization with $5 billion in revenue.
It creates new value in a world where more than 50 billion devices are connected to the internet.
30,000 employees worldwide support customers in more than 100 countries.
Wurldtech's several hundred OT cyber security specialists are active around the world.
WURLDTECH is one of GE Digital's core businesses.
GE is a company with 300,000 employees operating in 170 countries.
Became a GE subsidiary in 2014.
6. WURLDTECH OFFERINGS
Services, assessments and certifications for OT security and process security
SERVICES
DEVICE SECURITY
Device security assessment: security verification, evaluation and remediation services for control devices
Device security Health Check: a low-cost, short-turnaround security evaluation report for a control device
SOFTWARE SECURITY
Penetration Test: penetration testing focused on control system software
Rapid Software Assessment: source code evaluation and stress testing of control system software
FIELD SECURITY
Site security assessment: expert cyber security evaluation and remediation services for a facility
Site security Health Check: short-turnaround security evaluation of a facility
IEC 62443 GAP Analysis: gap analysis, preparation and remediation for compliance with the international standard
ACHILLES CERTIFICATION
Communication Certification: security certification program focused on the network communication functions of control devices (Level 1 & Level 2)
Practices Certification: certification of security policies, execution and audit criteria based on IEC 62443-2-4 (Bronze, Silver, Gold)
7. WURLDTECH SECURITY: FROM BUILD TO OPERATE
Lifecycle stages (diagram): Understand cyber risks / Build security in / Validate/certify for security / Operate processes securely
Roles (diagram): Product Supplier (Device Manufacturer) / Software developers / Service Provider (Integrator) / Asset Owner (Operator)
Services:
Cyber Risk Benchmark
Device Security Health Check
Device Security Assessment
SDLC Health Check
SDLC Assessment
Design Review Assessment
IEC 62443-2-4 Gap Assessment
Achilles Communications Certification
Achilles Practices Certification (IEC 62443-2-4)
Site Security Assessment
NERC CIP Vulnerability Assessment
Security Training Services
Software Penetration Testing
Threat Modeling Services
Threat Assessment
Application Vulnerability Assessment
Site Security Health Check
8. SITE SECURITY HEALTH CHECK
GAIN RAPID SECURITY SNAPSHOT
System operators receive an overview of the security posture of their processes, architecture, and technology.
IMPROVE OVERALL SECURITY
Evaluate people, architecture, and technology to identify weaknesses and mitigation strategies.
JUSTIFY FURTHER SECURITY EFFORTS
Support the need for further analysis with our informative report highlighting areas requiring additional assessment.
11. DEVICE SECURITY HEALTH CHECK
GAIN SECURITY VISIBILITY QUICKLY
Take advantage of Wurldtech's efficient 60 hour security evaluation.
Deal with security issues proactively (not on a vulnerability disclosure timeline).
PROTECT BRAND REPUTATION
Reduce public vulnerability disclosures.
Stay out of the hacking news.
DETERMINE NEED FOR FURTHER SECURITY ANALYSIS
Get direction for areas of greatest concern.
Justify budget for further analysis.
13. COMPARISON: DEVICE SECURITY ASSESSMENT VS. DEVICE SECURITY HEALTH CHECK
| Criterion | Device Security Assessment | Device Security Health Check |
| Methodology | Comprehensive, in-depth assessment | Rapid, economical penetration testing |
| Size and Scope | Tailored for system under test | 60 hours max |
| Report Length | ~30-200 pages depending on system under test | 10 pages |
| Areas of Focus | Customer and analyst scoping | Analyst scoping only |
| Regular Update Calls | Yes | No |
| Mitigation Advice | Yes | No |
| Multi-device Systems | Yes | 1 device and 1 firmware/software version only |
| Report Distribution | Client and client's customers | Client only (no report distribution rights)* |
*System operators may distribute the report to the respective device manufacturer.
19. CORE CONCERNS
Identifying cyber operational risks
Building security into processes and equipment
Understanding best practices and employing them on-site
Effectively communicating with IT security teams
Securing executive buy-in for necessary changes
Understanding the source and impact of attacks
MANAGE OPERATIONAL RISK
SECURITY PLANNING AND TESTING MUST BE INCORPORATED INTO THE DEVELOPMENT LIFECYCLE
20. SOFTWARE SECURITY SERVICES
SOFTWARE PENETRATION TESTING: ethical hacking to test defenses
APPLICATION VULNERABILITY ASSESSMENTS: finds lurking vulnerabilities
THREAT MODELING: identify security gaps early in the development lifecycle
THREAT ASSESSMENTS: allows a view into potential threats
21. THREAT MODELING SERVICES
Identify security gaps in the development lifecycle to reduce zero-day exploits, ensure successful implementation and avoid costly reprogramming.
Applicable to OT and IT software
Establishes test and abuse cases
[Diagram: THREAT MODELING lifecycle, six stages: Assess, Design, Develop and Test, Evaluate, Deploy, Support]
22. THREAT ASSESSMENT SERVICES
An extension to Threat Modeling Services, the assessment provides greater visibility of threats, attack vectors and targets from the attackers' point of view.
Documentation and diagrams of threats and penetration vectors for better decision making
Visibility into the threat horizon for better prevention
[Diagram: THREAT MODELING lifecycle, six stages: Assess, Design, Develop and Test, Evaluate, Deploy, Support]
23. APPLICATION VULNERABILITY ASSESSMENT SERVICES
Tailors assessment tools to potential targets
Robust analysis to find vulnerabilities
Recommended security strategy and process improvements
Validation of software code security
24. SOFTWARE PENETRATION TESTING SERVICES
Analogous to a real attack, our penetration testers apply both manual and automated hacking techniques to find vulnerabilities before attackers can exploit them.
26. ACHILLES COMMUNICATIONS CERTIFICATION
INDUSTRY-LEADING BENCHMARK FOR ROBUST DEVICE, APPLICATION AND SYSTEM DEVELOPMENT
VERIFY devices meet robustness benchmarks
CERTIFY against comprehensive requirements
ASSESS network robustness of industrial devices
27. TYPES OF PRODUCTS THAT CAN BE CERTIFIED
Embedded Devices
A special-purpose device running embedded software designed to directly monitor, control or actuate an industrial process.
• programmable logic controllers (PLCs)
• safety instrumented system (SIS) controllers
• distributed control system (DCS)
Network Components
A device that moves data from one device to another or restricts the flow of data, but does not directly interact with a control process.
• routers, switches,
• gateways, firewalls and
• wireless access devices
Host Devices
A general-purpose device running a general-purpose operating system capable of hosting one or more applications, data stores or functions.
• human-machine interfaces (HMIs)
• engineering workstations
• domain controllers
Control Applications
Software programs executing on the infrastructure (embedded, host and network devices) that are used to interface with the process.
• HMI software
• historian servers
• PLC ladder logic
28. BENEFITS FOR MANUFACTURERS AND OPERATORS
DEVICE MANUFACTURERS
• Certify device reliability and integrity
• Differentiate your product from competitors
• Demonstrate adherence to industry best practices
• Reduce the risk of experiencing a costly issue in the field
• Increase customer retention by avoiding quality problems
ASSET OWNERS
• Simplify the procurement processes
• Better communicate robustness and security expectations to all suppliers
• Ensure your systems and networks meet cyber security standards
• Reduce costs associated with verifying multi-vendor robustness claims
• Improve security decision making
29. ACHILLES PRACTICES CERTIFICATION
IEC 62443-2-4 industry standard
Reviews and verifies existence of security measures
Identify the required documentation, and any gaps
Develop the process requirement from scratch if need be
Create the necessary documentation when missing
30. APC SECURITY PROGRAM CONSULTING
IEC 62443-2-4 Risk Assessment
Extended gap assessment, including:
Security risks associated with each capability
Mitigations that address risks
Capability development guidance
Define/develop customized security program elements (e.g. policies or standard operating procedures/training)
31. CERTIFICATION TYPES
INTEGRATOR CERTIFICATE
Certificate for integrator security programs. Certifies that the applicant has a verified set of security capabilities that can be performed for the implementation/deployment of an Automation Solution.
MAINTENANCE PROVIDER CERTIFICATE
Certificate for maintenance provider security programs. Certifies that the applicant has a verified set of security capabilities that can be performed for the maintenance of an Automation Solution.
SOLUTION CERTIFICATE
Certificate for the application of security capabilities during integration and/or maintenance of a specific Automation Solution.
PRODUCT SUPPLIER
Certificate for security capabilities of Automation Solution products in support of APC integrator and maintenance provider certificates. IEC 62443-2-4 identifies security capabilities required of the Automation Solution.
33. IEC 62443 STANDARDS AND TECHNICAL REPORTS
GENERAL
62443-1-1: Terminology, concepts and models
TR-62443-1-2: Master glossary of terms and abbreviations
62443-1-3: System security compliance metrics
TR-62443-1-4: IACS security lifecycle and use-case
POLICIES & PROCEDURES
62443-2-1: Requirements for an IACS security management system
TR-62443-2-2: Implementation guidance for an IACS security management system
TR-62443-2-3: Patch management in the IACS environment
62443-2-4: Security program requirements for IACS service providers
SYSTEM
TR-62443-3-1: Security technologies for IACS
62443-3-2: Security levels for zones and conduits
62443-3-3: System security requirements and security levels
COMPONENT
62443-4-1: Product development requirements
62443-4-2: Technical security requirements for IACS components
International Standards
IECEE Conformance Assessment expected (June 2016)