Wurldtech provides cybersecurity services for operational technology (OT) systems, including assessments of devices, software, and industrial sites. Their services help identify vulnerabilities, evaluate security practices, and certify adherence to standards. They also offer the OpShield product which provides network segmentation, whitelisting, and other controls to enhance OT security.

2. UKRAINEGERMANYNEW YORK
サイバー攻撃は実世界で被害をもたらす
201520142013
New York Dam German Steel Mill Power Grid

3. 66%の企業や組織がサイ
バーセキュリティに
対して対策を行って
いない
2015 Global Megatrends in Cybersecurity, Raytheon and Ponemon
…そうであっても
準備していない企業は

4. I
IT BIG
WHAT’S THE
DIFFERENCE?
O
OT

5. WURLDTECHについて
2006年に設
立
WURLDTECH is a GE company
Headquarters: Vancouver, Canada
GE Digitalは50億ドルを売上ている組織
500億以上の機器がインターネットにつな
がる世界に新しい価値を創出します。
3万人の世界中の社員が100カ国以上のお客
様をサポートしています。
Wurldtechの数百名のOTサイバーセキュリ
ティ専門家を世界中に活躍しています。
WURLDTECH はGE Digitalの
中核事業のひとつ
GE は 300,000 人の従業
員と 170ヶ国 に展開し
ている企業
2014年にGE
の子会社化

6. WURLDTECH OFFERINGS
OTセキュリティやプロセス
セキュリティのサービス、
アセスメント、認定･認証
SERVICES
DEVICE SECURITY
Device security assessment
制御機器のセキュリティ検証、
評価、対策のサービスを提供
Device security Health Check
安価で短期間に制御機器のセ
キュリティの評価レポートを提供
SOFTWARE SECURITY
Penetration Test
制御システムのソフトウェアに
フォーカスした侵入テスト
Rapid Software Assessment
制御システムソフトウェアのソース
コード評価、ストレステスト
FIELD SECURITY
Site security assessment
専門家による施設のサイバーセ
キュリティ評価、対策サービス
ACHILLES CERTIFICATION
Communication Certification
制御機器のネットワーク通信機能
にフォーカスしたセキュリティ認証
プログラム(Level 1 & Level 2)
Practices Certification
IEC62443-2-4に基づいた
セキュリティポリシー、実行、
監査基準の認証
（Bronze, Silver, Gold)
Site security Health Check
施設の短期間セキュリティ評価
IEC 62443 GAP Analysis
国際規格に準拠するための
ギャップ分析、準備・対策の提供

7. Cyber Risk Benchmark Device Security Health Check
Device Security Assessment
SDLC Health Check
SDLC Assessment
Design Review Assessment
IEC 62443-2-4 Gap Assessment
Achilles Communications Certification
Achilles Practices Certification (IEC 62443-2-4)
Site Security Assessment
NERC CIP Vulnerability Assessment
Security Training Services
WURLDTECH SECURITY: FROM BUILD TO OPERATE
Product Supplier
(Device Manufacturer)
Software
developers
Service Provider
(Integrator)
Asset Owner
(Operator)
Operate processes
securely
Validate/certify
for security
Build
security in
Understand
cyber risks
Software Penetration Testing
Threat Modeling Services
Threat Assessment
Application Vulnerability Assessment
Site Security Health Check

8. SITE SECURITY HEALTH CHECK
GAIN RAPID
SECURITY SNAPSHOT
System operators receive an
overview of the security posture
of their processes, architecture,
and technology.
IMPROVE OVERALL
SECURITY
Evaluate people,
architecture, and technology
to identify weaknesses and
mitigation strategies
JUSTIFY FURTHER
SECURITY EFFORTS
Support the need for further
analysis with our informative
report highlighting areas
requiring additional assessment

9. © 2015 Wurldtech Security Technologies Inc. All rights reserved.
Malware introduced from the enterprise
network because someone uses a control
point to check email
A server closet that isn’t locked
or protected by key pad
Equipment that is regularly updated by
third parties, without staff supervision
Plugging devices into open USB ports to
charge or download productivity tools from
the internet
Process gaps that could expose
physical danger
Make sure devices are installed correctly
for the intended use
Make sure devices that shouldn’t be
or don’t need to be on the network are
accounted for
SITE SECURITY
ASSESSMENT
SEARCHING FOR PHYSICAL VULNERABILITIES:

10. COMPARISON
© 2015 Wurldtech Security Technologies Inc. All rights reserved.
Service Components Site Security Assessment Site Security Health Check
Methodology Comprehensive, in-depth assessment Rapid, economical check
Security Gap Analysis In-Depth Targeted
Architectural Review Yes (Scaled)
Deliverables
Findings Report Yes (Scaled)
Close-Out Presentation Yes No
Detailed Asset Review Workbook Yes No
Processes
Information Gathering Yes No
Documentation Review Yes (Scaled)
Interviews and Onsite Inspection Senior analyst, 2-days on-site Analyst, 1 day on-site
Technical Testing Yes No
Offline Data Analysis Yes No
Risk Assessment Yes (Scaled)
Risk Mitigation Recommendations Prescriptive, detailed strategies High-level general direction

11. DEVICE SECURITY HEALTH CHECK
GAIN SECURITY
VISIBILITY QUICKLY
Take advantage of Wurldtech’s
efficient 60 hour security evaluation
Deal with security issues proactively
(not on a vulnerability disclosure timeline)
PROTECT BRAND
REPUTATION
Reduce public
vulnerability disclosures
Stay out of the hacking news
DETERMINE NEED FOR
FURTHER SECURITY ANALYSIS
Get direction for areas
of greatest concern
Justify budget for further analysis

12. DEVICE SECURITY
ASSESSMENT
Reengineering control devices
to find design flaws that create
vulnerabilities in the device itself
Break down the pieces and parts
and test each for vulnerabilities
SERVICE DESCRIPTION
Improve Product Security
Reduce Operational Costs
Ensure Customer Confidence
© 2015 Wurldtech Security Technologies Inc. All rights reserved.
OUTCOMES

13. Device Security Assessment Device Security Health Check
Methodology Comprehensive, in-depth assessment Rapid, economical penetration testing
Size and Scope Tailored for system under test 60 hours max
Report Length ~30-200 pages depending on system under test 10 pages
Areas of Focus Customer and analyst scoping Analyst scoping only
Regular Update Calls Yes No
Mitigation Advice Yes No
Multi-device Systems Yes 1 device and 1 firmware/software version only
Report Distribution Client and client’s customers Client only (no report distribution rights)*
COMPARISON
*For system operators, they can distribute to the respective device manufacturer.

14. PRODUCT DEVELOPMENT
SECURITY ASSESSMENT

15. PRODUCT DEVELOPMENT
SECURITY ASSESSMENT
Evaluate manufacturer adherence
to best practices for ICS
development/deployment
Helps resolve security weaknesses
during product development
SERVICE DESCRIPTION
Improve Product Security
Reduce product Costs
Enable Compliance Efforts
© 2015 Wurldtech Security Technologies Inc. All rights reserved.
OUTCOMES

16. IEC 62443-2-4
GAP ASSESSMENT

17. IEC 62443 GAP
ASSESSMENT
Understand manufacturers’ gaps in security
posture and align their practices to IEC
Validate to their customers that they follow
industry best practices for security
SERVICE DESCRIPTION
Enable Compliance Efforts
Improve Product Security
© 2015 Wurldtech Security Technologies Inc. All rights reserved.
OUTCOMES

18. SOFTWARE
SECURITY SERVICES

19. Identifying cyber operational risks
Building security into processes and equipment
Understanding best practices and employing them on-site
Effectively communicating with IT security teams
Securing executive buy-in for necessary changes
Understanding the source and impact of attacks
CORE CONCERNS
MANAGE
OPERATIONAL RISK
SECURITY PLANNING AND TESTING
MUST BE INCORPORATED INTO
THE DEVELOPMENT LIFECYCLE

20. SOFTWARE
SECURITY
SERVICES
ethical hacking
to test defenses
SOFTWARE
PENETRATION
TESTING
finds lurking
vulnerabilities
APPLICATION
VULNERABILITY
ASSESSMENTS
identify security
gaps early in the
development
lifecycle
THREAT
MODELING
allows a view into
potential threats
THREAT
ASSESSMENTS

21. THREAT
MODELING
SERVICES
Identify security gaps in the
development lifecycle to reduce
zero-day exploits, ensure
successful implementation and
avoid costly reprogramming.
Applicable to OT and IT software
Establishes test and abuse cases
THREAT
MODELING
1
4
2
35
6
DeploySupport
Evaluate
Develop
and Test
DesignAssess

22. THREAT
ASSESSMENT
SERVICES
An extension to Threat Modeling
Services, the assessment provides
greater visibility of threats, attack
vectors and targets from the
attackers’ point of view.
Documentation and diagrams of
threats and penetration vectors
for better decision making
Visibility into the threat horizon
for better prevention
THREAT
MODELING
1
4
2
35
6
DeploySupport
Evaluate
Develop
and Test
DesignAssess

23. APPLICATION VULNERABILITY
ASSESSMENT SERVICES
Tailors assessment tools to potential targets
Robust analysis to find vulnerabilities
Recommended security strategy and process improvements
Validation of software code security

24. Analogous to a real attack, our
penetration testers apply both
manual and automated hacking
techniques to find vulnerabilities
before attackers can exploit them
SOFTWARE
PENETRATION
TESTING SERVICES

25. SECURITY
CERTIFICATION SERVICES

26. INDUSTRY-LEADING BENCHMARK
FOR ROBUST DEVICE, APPLICATION
AND SYSTEM DEVELOPMENT
VERIFY
devices meet
robustness
benchmarks
CERTIFY
against
comprehensive
requirements
ASSESS
network robustness of
industrial devices
ACHILLES
COMMUNICATIONS
CERTIFICATION

27. Embedded
Devices
Network
Components
Host
Devices
Control
Applications
TYPES OF PRODUCTS THAT CAN BE CERTIFIED
A general-purpose device running a general-purpose
operating system capable of hosting one or more
applications, data stores or functions.
Software programs executing on the infrastructure
(embedded, host and network devices) that are used to
interface with the process.
• routers, switches,
• gateways, firewalls and
• wireless access devices
• programmable logic controllers (PLCs)
• safety instrumented system (SIS) controllers
• distributed control system (DCS)
• human-machine interfaces (HMIs)
• engineering workstations
• domain controllers
A device that moves data from one device to another or
restricts the flow of data, but does not directly interact with a
control process.
• HMI software
• historian servers
• PLC ladder logic
A special-purpose device running embedded software
designed to directly monitor, control or actuate an
industrial process.

28. BENEFITS FOR MANUFACTURERS AND OPERATORS
• Certify device reliability
and integrity
• Differentiate your product
from competitors
• Demonstrate adherence to
industry best practices
• Reduce the risk of
experiencing a costly issue
in the field
• Increase customer
retention by avoiding
quality problems
ASSET
OWNERS
DEVICE
MANUFACTURERS
• Simplify the procurement
processes
• Better communicate
robustness and security
expectations to all suppliers
• Ensure your systems and
networks meet cyber
security standards
• Reduce costs associated
with verifying multi-vendor
robustness claims
• Improves security decision
making

29. ACHILLES PRACTICES CERTIFICATION
IEC 62443.2.4
industry standard
Reviews and
verifies existence of
security measures
Identify the required
documentation, and
any gaps
Develop the process
requirement from
scratch if need be
Create the necessary
documentation when
missing

30. APC SECURITY
PROGRAM CONSULTING
IEC 62443-2-4 Risk Assessment
Extended gap assessment, including:
Security risks associated with each capability
Mitigations that address risks
Capability development guidance
Define/develop customized security program
elements (E.G. Policies or standard
operating procedures/training)

31. CERTIFICATION TYPES
INTEGRATOR CERTIFICATE
Certificate for integrator security
programs. Certifies that the applicant
has a verified set of security capabilities
that can be performed for the
implementation/deployment of an
Automation Solution
MAINTENANCE PROVIDER
CERTIFICATE
Certificate for maintenance provider
security programs. Certifies that the
applicant has a verified set of security
capabilities that can be performed for the
maintenance of an Automation Solution
SOLUTION CERTIFICATE
Certificate for the application of security
capabilities during integration and/or
maintenance of a specific Automation
Solution.
Certificate for security capabilities of
Automation Solution products in support
of APC integrators and maintenance
providers certificates. IEC 62443-2-4
identifies security capabilities required of
the Automation Solution.
PRODUCT SUPPLIER

32. CERTIFICATION LEVELS
IECEE
Selectable
certification
BRONZE
certification
SILVER
certification
GOLD
certification
Awarded for successful
completion of all applicable
requirements and verified
through direct measurement
or analysis

33. IEC 62443 STANDARDS AND TECHNICAL REPORTS
GENERAL
POLICES &
PROCEDURES
SYSTEM
COMPONENT
62443-1-1
Terminology,
concepts and models
TR-62443-1-2
Master glossary of terms
and abbreviations
62443-1-3
System security
compliance metrics
TR-62443-1-4
IACS security lifecycle
and use-case
62443-2-1
Requirements for an
IACS security
management system
TR-62443-2-2
Implementation guidance
for na IACS security
management system
TR-62443-2-3
Patch management in the
IACS enviroment
62443-2-4
Security program
requirements for IACS
service providers
TR-62443-3-1
Security Technologies
for IACS
62443-3-2
Security levels for zones
and conduits
62443-3-3
System security
requirements and security
levels
62443-4-1
Product development
requirements
62443-4-2
Technical security
requirements for IACS
components
International Standards
IECEE Conformance Assessment
expected (June 2016)

34. Cyber Risk Benchmark Device Security Health Check
Device Security Assessment
SDLC Health Check
SDLC Assessment
Design Review Assessment
IEC 62443-2-4 Gap Assessment
Achilles Communications Certification
Achilles Practices Certification (IEC 62443-2-4)
Site Security Assessment
NERC CIP Vulnerability Assessment
Security Training Services
WURLDTECH SECURITY: FROM BUILD TO OPERATE
Product Supplier
(Device Manufacturer)
Software
developers
Service Provider
(Integrator)
Asset Owner
(Operator)
Operate processes
securely
Validate/certify
for security
Build
security in
Understand
cyber risks
Software Penetration Testing
Threat Modeling Services
Threat Assessment
Application Vulnerability Assessment
Site Security Health Check

35. WURLDTECH OFFERINGS
Protocol Inspection Engine
Vulnerability and Threat
Signatures
Virtual Network
Segmentation
Command-Level
Whitelisting
OpShield はこれまでになかったOTサイバーセ
キュリティ対策の手段を提供する