Home

Increased connectivity – including the increasing significance of industrial Internet of Things (IoT), supply chains, customers, and operations – brings new operational cybersecurity risks and threats which demand attention. The critical infrastructure sectors that GE Gas Power’s products support are subject to an ever-changing cyber threat landscape. As such, GE Gas Power continuously integrates end-to-end cybersecurity to ensure integrity throughout the product lifecycle.

GE Gas Power has developed a product security program based on industry leading standards, such as IEC 62443, to support the design and development of secure products across people, process, and technology and allow GE Gas Power’s customers to continue to power the future.

If you are a security researcher looking to report a vulnerability in a GE Gas Power product, please follow the guidelines listed in Vulnerability Response.

If you are looking for GE Gas Power Security Advisories, cyber-applicable TILs, or other cyber-relevant documents, please see the list of documents and links to other resources in Security Advisories.

For the latest on the Executive Order on Securing the United States Bulk-Power System, please see the following One Pager and Frequently Asked Questions released by the United States Department of Energy.

Our Commitment

GE Gas Power’s products operate in a highly dynamic operating environment which is marked by threats that are constantly changing and evolving. As such, it is critical that GE Gas Power maintains product security throughout the product lifecycle of marketed products, including components sourced from third party suppliers.

The GE Gas Power Product Cybersecurity White Paper contains a concise summary of our committment to integrating security throughout the life cycle of each of our products, from inception to end-of-life.

PRODUCT CYBERSECURITY WHITE PAPER

You can also view a summary of the various areas of the GE Gas Power Product Cybersecurity Program below.

Our Program

GE Gas Power has established a product security program driven by and tied to the NIST Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1) and incorporates other leading industry practices, including NERC CIP, ISO 27001/2, IEC 62443, and NIS. The program is focused on reducing the cybersecurity risk associated with cyber applicable products, enabling GE Gas Power to be vigilant towards emerging threats and continuously improve cybersecurity early on and throughout the product development lifecycle. To accomplish this, GE Gas Power has established key areas of a product security program from a programmatic level, including, but not limited to, designating Product Security Leads (PSL), a defined product security program framework, a well-structured governance model, and product-level security controls (e.g., remote access, access management, logging and monitoring).

Design and Development

Customer expectation communications: A General Engineering Knowledge (GEK) document is given to customers during the proposal process which includes a high-level summary of the product’s cybersecurity functionality. In addition, a GEH is also provided to the customer during the proposal process. The GEH includes the lower-level cybersecurity technical features of the product. One level down is the Secure Deployment / Implementation Guide which details the security pre-requisites or post-delivery requirements for the products and informs the customer of the security associated with deployment, including hardening guidelines.

A secure development lifecycle: A lifecycle for the secure design, development, and maintenance of products, starting from conceptual design through post-release, is established with required reviews where security for the product is reviewed. GE Gas Power assigns appropriate security activities (e.g., threat assessment, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), penetration testing, etc.) based on the assigned risk level.

Minimum technical requirements: GE Gas Power has minimum product technical requirements related to security (e.g., no hard-coded passwords) that it follows internally and requires suppliers to follow.

Technical security testing: Based on the identified product risk level, additional rigor (e.g., SAST, DAST, penetration testing) is performed to provide a deeper analysis on the risk, control, and cybersecurity features of the product being procured from the supplier.

Maintenance and Monitoring

Asset management: A Product Lifecycle Management (PLM) tool has been implemented to track each product and its sub-components. This system can be used to cross-reference a product's Cybersecurity Bill of Materials (CBoM) with Common Vulnerabilities and Exposures (CVE) lists to determine if there are vulnerable components.

Threat intelligence and monitoring: GE Gas Power subscribes to and participates in threat and information sharing feeds, including ICS-CERT, SANS ICS Forum, Kaspersky’s ICS-CERT, and E-ISAC.

Vulnerability and patch management: After a product is assessed, reviewed, and integrated, ongoing monitoring (e.g., incident response (IR), vulnerability response (VR)) and maintenance activities are performed in accordance with industry regulations and customer contracts (e.g., service contracts). GE Gas Power reviews threats and vulnerabilities received from various sources (e.g., National Vulnerability Database (NVD)) and assesses them against the product inventory to identify affected products and works internally and with suppliers to identify the appropriate remediation actions.

Customer communications: The Technical Information Letter (TIL) alerts customers of risk and actions needed to be taken, communicates to install base, sets the tone for ongoing engagement with GE Gas Power services, and provides guidance that reduces system cyber-attack exposure. In addition, GE Gas Power leverages customer support portals with dashboards to provide high-level product information.

Monitoring and metrics: Select key performance and risk indicators are collected (e.g., code scan stats, adherence to controls) from product teams and reported to leadership to evaluate the effectiveness of the product security program and provide insight into operations. Program effectiveness is reviewed annually.

Procurement

Cyber “relevant product / component” supplier assessments: Secure product procurement questions are used to evaluate a supplier’s product security program and evaluate a product being procured for GE Gas Power cybersecurity controls and requirements.

Supplier product lifecycle considerations: GE Gas Power monitors to the best of its ability the end-of-life (EoL) of products procured and stipulates that no product be procured with an EoL of less than two (2) years.

Terms & conditions (T&Cs): GE Gas Power formally and consistently integrates product security into contracting.

Manufacturing

Validation process / procedure: A validation plan provides procedural steps related to the operational and security functionality that each component must meet and pass prior to shipping.

Software and hardware providence: GE Gas Power has a software authentication / certification process.

Remote access: GE Gas Power can monitor remote access and a level of restriction against code change from outside the organization’s infrastructure is in place.

Physical security: A level of physical access controls around the manufacturing facilities include role-based access to building / facility entry, electronic access control for physical perimeter, guards, and badge security.

Factory Acceptance Test (FAT): FAT is performed prior to the final delivery of a manufactured product and includes a cybersecurity checklist of test and performance criteria to confirm the product / component and or system meets the specifications.

GE Gas Power Cyber Security

GE Power’s products operate in a highly dynamic operating environment which is marked by threats that are constantly changing and evolving. As such, it is critical GE Power maintains product security throughout the product lifecycle of marketed products, including components sourced from third party suppliers.