GE Gas Power has established a product security program that is aligned with the NIST Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1) and incorporates other leading industry practices, helping our customers power the future.
Customer expectation communications: A General Engineering Knowledge (GEK) document is given to customers during the proposal process and includes a high-level summary of the product’s cybersecurity functionality. A GEH document is also provided during the proposal process; it covers the lower-level cybersecurity technical features of the product. One level down is the Secure Deployment / Implementation Guide, which details the security prerequisites and post-delivery requirements for the product and informs the customer of the security considerations associated with deployment, including hardening guidelines.
A secure development lifecycle: A lifecycle for the secure design, development, and maintenance of products, from conceptual design through post-release, is established with required security reviews at defined stages. GE Gas Power assigns security activities (e.g., threat assessment, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), penetration testing) based on the product’s assigned risk level.
Minimum technical requirements: GE Gas Power has minimum product technical requirements related to security (e.g., no hard-coded passwords) that it follows internally and requires suppliers to follow.
Technical security testing: Based on the identified product risk level, additional rigor (e.g., SAST, DAST, penetration testing) is applied to provide a deeper analysis of the risk, controls, and cybersecurity features of the product being procured from the supplier.
Asset management: A Product Lifecycle Management (PLM) tool has been implemented to track each product and its sub-components. This system can be used to cross-reference a product’s Cybersecurity Bill of Materials (CBoM) against Common Vulnerabilities and Exposures (CVE) records to determine whether any of its components are known to be vulnerable.
Threat intelligence and monitoring: GE Gas Power subscribes to and participates in threat and information sharing feeds, including ICS-CERT, SANS ICS Forum, Kaspersky’s ICS-CERT, and E-ISAC.
Vulnerability and patch management: After a product is assessed, reviewed, and integrated, ongoing monitoring (e.g., incident response (IR), vulnerability response (VR)) and maintenance activities are performed in accordance with industry regulations and customer contracts (e.g., service contracts). GE Gas Power reviews threats and vulnerabilities received from various sources (e.g., the National Vulnerability Database (NVD)) and assesses them against the product inventory to identify affected products. It then works internally and with suppliers to identify the appropriate remediation actions.
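The cross-reference described under Asset management and Vulnerability and patch management above, matching a product’s CBoM against CVE records by vendor, product, and affected version range, is illustrated by the following added example. It is not GE Gas Power’s PLM tool or code; the CBoM, the CVE identifiers, and the version ranges are constructed for illustration, and the record shape is a simplified stand-in for the NVD feed’s configuration data.

```python
"""Cross-reference a Cybersecurity Bill of Materials (CBoM) against CVE records.

Added example, not GE Gas Power's PLM tool. The CBoM and the CVE records are
constructed inline; in practice the BOM comes from a CycloneDX/SPDX export and
the vulnerability data from the NVD JSON feed or a similar source.
"""
import re

# Constructed CBoM: one product and the third-party components it ships with.
CBOM = {
    "product": "example-controller",
    "components": [
        {"vendor": "openssl", "name": "openssl", "version": "1.1.1k"},
        {"vendor": "busybox", "name": "busybox", "version": "1.31.1"},
        {"vendor": "libxml2", "name": "libxml2", "version": "2.9.14"},
    ],
}

# Constructed CVE records. "affected" entries name a (vendor, product) pair and
# either an exact "version" or a range via start_incl/start_excl/end_incl/end_excl,
# mirroring the versionStart*/versionEnd* fields NVD uses for CPE matches.
CVE_RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "cvss": 7.5, "affected": [
        {"vendor": "openssl", "product": "openssl",
         "start_incl": "1.1.1", "end_excl": "1.1.1l"}]},
    {"id": "CVE-EXAMPLE-0002", "cvss": 9.8, "affected": [
        {"vendor": "busybox", "product": "busybox", "version": "1.31.1"}]},
    {"id": "CVE-EXAMPLE-0003", "cvss": 6.5, "affected": [      # fixed in 2.9.14
        {"vendor": "libxml2", "product": "libxml2", "end_excl": "2.9.14"}]},
    {"id": "CVE-EXAMPLE-0004", "cvss": 5.0, "affected": [      # not in this CBoM
        {"vendor": "zlib", "product": "zlib", "end_incl": "1.2.11"}]},
]


def version_key(version: str) -> tuple:
    """Turn '1.1.1k' into ((0,1),(0,1),(0,1),(1,'k')) so versions compare sensibly.

    Numeric pieces compare as integers (so 1.10 > 1.9) and letter suffixes as
    strings; the tag in each pair keeps ints and strs from being compared to
    each other, and a missing suffix sorts before any suffix (1.1.1 < 1.1.1k).
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def in_range(version, start_incl=None, start_excl=None,
             end_incl=None, end_excl=None) -> bool:
    """True if version lies inside the (possibly open-ended) affected range."""
    k = version_key(version)
    if start_incl is not None and k < version_key(start_incl):
        return False
    if start_excl is not None and k <= version_key(start_excl):
        return False
    if end_incl is not None and k > version_key(end_incl):
        return False
    if end_excl is not None and k >= version_key(end_excl):
        return False
    return True


def affected(entry: dict, version: str) -> bool:
    """Apply one CVE 'affected' entry (exact version or range) to a component version."""
    if "version" in entry:
        return version_key(version) == version_key(entry["version"])
    return in_range(version, entry.get("start_incl"), entry.get("start_excl"),
                    entry.get("end_incl"), entry.get("end_excl"))


def cross_reference(cbom: dict, cves: list) -> list:
    """Return findings (component, version, CVE, CVSS) sorted by CVSS, highest first."""
    findings = []
    for comp in cbom["components"]:
        key = (comp["vendor"].lower(), comp["name"].lower())
        for rec in cves:
            for entry in rec["affected"]:
                if (entry["vendor"].lower(), entry["product"].lower()) != key:
                    continue
                if affected(entry, comp["version"]):
                    findings.append({"component": comp["name"],
                                     "version": comp["version"],
                                     "cve": rec["id"], "cvss": rec["cvss"]})
                    break  # one matching entry per (component, CVE) is enough
    findings.sort(key=lambda f: -f["cvss"])
    return findings


if __name__ == "__main__":
    for f in cross_reference(CBOM, CVE_RECORDS):
        print(f"{f['cvss']:>4}  {f['cve']:<18} {f['component']} {f['version']}")
```

With the constructed data the report lists CVE-EXAMPLE-0002 (busybox 1.31.1, exact match) and CVE-EXAMPLE-0001 (openssl 1.1.1k, inside the affected range), while libxml2 2.9.14 is cleared because the range ends exclusively at the fixed version and the zlib record is ignored because zlib is not in the CBoM. Version ordering is the part most often done wrong in home-grown matchers; a real pipeline should use the ecosystem’s own versioning rules (semver, PEP 440, RPM/deb comparison) rather than a single tolerant key like the one here.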
Customer communications: The Technical Information Letter (TIL) alerts customers to a risk and the actions they need to take, communicates it across the installed base, sets the tone for ongoing engagement with GE Gas Power services, and provides guidance that reduces the system’s exposure to cyber-attack. In addition, GE Gas Power leverages customer support portals with dashboards to provide high-level product information.
Monitoring and metrics: Select key performance and risk indicators are collected (e.g., code scan stats, adherence to controls) from product teams and reported to leadership to evaluate the effectiveness of the product security program and provide insight into operations. Program effectiveness is reviewed annually.
Cyber “relevant product / component” supplier assessments: Secure product procurement questions are used to evaluate a supplier’s product security program and to assess a product being procured against GE Gas Power cybersecurity controls and requirements.
Supplier product lifecycle considerations: GE Gas Power monitors, to the best of its ability, the end-of-life (EoL) dates of procured products and stipulates that no product be procured with an EoL of less than two (2) years.
Terms & conditions (T&Cs): GE Gas Power formally and consistently integrates product security into contracting.
Validation process / procedure: A validation plan provides procedural steps related to the operational and security functionality that each component must meet and pass prior to shipping.
Software and hardware provenance: GE Gas Power has a software authentication / certification process.
Remote access: GE Gas Power can monitor remote access, and restrictions are in place against code changes originating from outside the organization’s infrastructure.
Physical security: Physical access controls around the manufacturing facilities include role-based access to building / facility entry, electronic access control at the physical perimeter, guards, and badge security.
Factory Acceptance Test (FAT): A FAT is performed prior to final delivery of a manufactured product and includes a cybersecurity checklist of test and performance criteria to confirm that the product / component and/or system meets the specifications.