Service Level Agreement (SLA) and Security

PREDIX SERVICE LEVEL AGREEMENT (SLA)

Security and Compliance capabilities

  • SSAE 16 SOC 2, ISO 27001, ISO 27018, HIPAA
  • Secure SDL
  • Full-stack threat mitigation
  • Penetration testing
  • 24/7/365 Security Operations Center monitoring
  • 24/7/365 security incident management
  • Data Security and Governance

Maintenance windows
US:     Every Thursday, 5pm to 10pm PST, for maintenance and upgrade.
UK:     Every Friday, 12 noon to 3pm PST (8pm to 11pm London time), for maintenance and upgrade.
Japan:  Every Friday, 9am to 12 noon PST (Saturday 1am to 4am Tokyo time), for maintenance and upgrade.
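Operations teams typically encode these windows so that expected-outage signals raised during a scheduled window can be deferred while security alerts still page on-call. The following is an added example, not part of the Predix SLA or GE Digital's own tooling: the three windows above are modelled as stated (in PST, taken here as a fixed UTC-8 offset, which is an assumption), and a small triage policy is run over constructed sample alerts.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# The SLA states every window in "PST"; modelled here as a fixed UTC-8 offset.
# Assumption: no daylight-saving shift is applied to the published times.
PST = timezone(timedelta(hours=-8), name="PST")


@dataclass(frozen=True)
class MaintenanceWindow:
    region: str
    weekday: int  # Monday == 0 ... Sunday == 6, evaluated in PST
    start: time   # window start, PST wall-clock time (inclusive)
    end: time     # window end, PST wall-clock time (exclusive)

    def contains(self, when: datetime) -> bool:
        """True if the timezone-aware instant `when` falls inside this window."""
        if when.tzinfo is None:
            raise ValueError("naive datetimes are ambiguous; pass an aware datetime")
        local = when.astimezone(PST)
        return local.weekday() == self.weekday and self.start <= local.time() < self.end


# The three windows published in the SLA table above.
WINDOWS = [
    MaintenanceWindow("US", 3, time(17, 0), time(22, 0)),    # Thursday 5pm-10pm PST
    MaintenanceWindow("UK", 4, time(12, 0), time(15, 0)),    # Friday 12 noon-3pm PST
    MaintenanceWindow("Japan", 4, time(9, 0), time(12, 0)),  # Friday 9am-12 noon PST
]


def regions_in_maintenance(when: datetime) -> list[str]:
    """Names of the regions whose maintenance window covers the given instant."""
    return [w.region for w in WINDOWS if w.contains(when)]


# Only expected-outage signals are ever eligible for deferral; security-relevant
# categories (authentication, integrity, ...) always page, window or not.
SUPPRESSIBLE_CATEGORIES = {"availability"}


def triage_alerts(alerts: list[dict]) -> dict[str, list[str]]:
    """Split alerts into those deferrable to post-maintenance review and those that page now."""
    deferred, page_now = [], []
    for alert in alerts:
        in_window = alert["region"] in regions_in_maintenance(alert["time"])
        if (in_window and alert["category"] in SUPPRESSIBLE_CATEGORIES
                and alert["severity"] == "low"):
            deferred.append(alert["id"])
        else:
            page_now.append(alert["id"])
    return {"deferred": deferred, "page_now": page_now}


# Constructed sample alerts (not real Predix telemetry). 2024-01-18 is a Thursday.
UTC = timezone.utc
SAMPLE_ALERTS = [
    # Friday 03:00 UTC == Thursday 19:00 PST: inside the US window
    {"id": "A1", "region": "US", "category": "availability", "severity": "low",
     "time": datetime(2024, 1, 19, 3, 0, tzinfo=UTC)},
    # Same instant, but an admin-login anomaly: never deferred
    {"id": "A2", "region": "US", "category": "authentication", "severity": "high",
     "time": datetime(2024, 1, 19, 3, 0, tzinfo=UTC)},
    # Friday 18:00 UTC == Friday 10:00 PST: inside the Japan window
    {"id": "A3", "region": "Japan", "category": "availability", "severity": "low",
     "time": datetime(2024, 1, 19, 18, 0, tzinfo=UTC)},
    # Same instant for the UK: its window only opens at 12:00 PST, so this pages
    {"id": "A4", "region": "UK", "category": "availability", "severity": "low",
     "time": datetime(2024, 1, 19, 18, 0, tzinfo=UTC)},
]

if __name__ == "__main__":
    print(triage_alerts(SAMPLE_ALERTS))
```

The windows are half-open (start inclusive, end exclusive), so an alert timestamped exactly at 12:00 PST on a Friday is attributed to the UK window and not the Japan window; any naive timestamp is rejected rather than silently interpreted as local time.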

SECURITY

With Predix, GE Digital has combined security certifications, hardware and software expertise, and best practices to create a trusted environment for industrial companies. GE has invested in building an end-to-end industrial cloud infrastructure in secured data centers. With Predix cloud, customer production data is not shared with other cloud services. Rather, all Predix cloud data is handled exclusively in a managed community cloud. Predix cloud is a complete, end-to-end hardware and software environment, built exclusively for industry, and managed by GE Digital to meet the demanding requirements of industrial businesses.

Security Policies

Predix maintains privacy and security policies that are published and communicated to GE employees. GE maintains a security team that is entirely focused on information security and requires privacy and security education training for individuals worldwide who support Predix data centers. GE security policies and standards are reviewed and re-evaluated annually. Predix security incidents are handled in accordance with an incident response procedure.

Security Governance and Certification

Predix has adopted an ISO 27001/27002-based Information Security Management System and the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as the basis for its security governance and controls framework. Through these processes, Predix enables support for more than 60 regulatory and compliance frameworks, including the following:

  • CSA/CCM 3.01: The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors (and to assist prospective cloud customers) in assessing the overall security risk of a cloud provider. The CCM provides a control framework for understanding security concepts and principles that are aligned with the Cloud Security Alliance guidance in 16 domains. CCM also provides a mapping to other industry-accepted security standards, regulations, and controls frameworks, such as ISO 27001/27002, ISACA COBIT, PCI, NIST, and NERC CIP.
  • ISO 27001/27002: Developed by the International Organization for Standardization (ISO), these standards specify the requirements for establishing, implementing, maintaining, and continually improving information security within the organization. Once certification is attained, users have assurance that security standards are being followed, thereby reducing the time and resources needed to address customer-mandated audits and reviews.
  • SOC 2 Type 1: Developed by the American Institute of Certified Public Accountants (AICPA), a Service Organization Controls (SOC) report provides insight on internal controls and risks to users/companies regarding services provided by a third-party service organization (e.g. GE Digital - Predix PaaS). A SOC Type 1 report is a point-in-time assessment of the fairness of management's description of the processes and of the design of the controls.
  • SOC 2 Type 2: Developed by AICPA, a SOC report provides insight on internal controls and risks to users/companies on services provided by a third-party service organization (e.g. GE Digital - Predix PaaS). A SOC Type 2 report covers the fairness of management's description of the processes and the design of the controls, including tests of the operating effectiveness of those controls, throughout a specified period.
  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of individually identifiable health information. HIPAA compliance provides greater confidence to customers that stored and managed patient health information will be protected.
  • FedRAMP: Administered by the U.S. General Services Administration (GSA), the Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP provides government agencies greater confidence in selecting and using a cloud provider.
  • Export Controls/ITAR: The U.S. government regulates the transfer of information, commodities, technology, and software considered to be strategically important to the U.S., in the interest of national security, economic, and/or foreign policy concerns. Non-compliance with export controls can result in penalties, including the loss of government contracts and of the ability to export goods.

Platform Hardening

Predix employs operating system hardening and maintains base images for provisioned virtual machines. Hardening is based on internal standards (and related guidelines) developed to comply with ISO 27001/27002, SSAE 16 SOC 2, and industry best practices. Predix and the underlying infrastructure are hardened to remove unnecessary services, applications, and network protocols, to configure OS user authentication, and to configure resource controls appropriately. Automated and manual controls are deployed to identify and patch system vulnerabilities within predefined remediation timelines, providing uniform and clean run-time environments for customer workloads. Additionally, a common, layered identity for users, devices, software, and data is enforced.

Network and Infrastructure Security

Predix leverages firewalls to restrict network access and uses dedicated intrusion protection technologies to monitor and detect network intrusion. GE Digital regularly audits its network security technologies to verify that they are configured properly, and has implemented penetration testing procedures to detect vulnerabilities.

GE Digital understands that customers demand isolation of environments. Predix leverages virtualization to enable the following: automatic provisioning of secure machines; security policies that automatically follow workloads when they move; automatic setup of firewall rulesets for classes of servers; and automatic quarantine of compromised or out-of-compliance assets. Predix also leverages virtualization security to fully automate the elimination of configuration drift, effectively managing technical debt.

Application Security

GE Digital designed Predix to continuously improve the application platform’s security posture using cost-effective solutions. This translates into leveraging industry best practice in secure agile development when building microservices and applications as part of the Predix ecosystem.

The process starts with robust developer security training via a formal curriculum. Within the Secure Software Development Lifecycle (Secure SDL), security user stories are developed for all releases and sprints. Threat modeling is then conducted, with an appropriate level of security design review at the various stage gates. Depending on the code base, Dynamic or Static Application Security Testing (DAST/SAST) is conducted. Predix also leverages attack surface analysis and fuzz testing, and, depending on the scope of the release, a full Red Team assessment is conducted. Defects and vulnerabilities detected through these mechanisms are tracked so that they can be properly managed.

Data Security

Predix employs asset and data classification guidelines. The guidelines help ensure that Predix assets and customer data receive the required level of protection. Customer data is classified to indicate the need, priorities, and degree of protection. Data has varying degrees of sensitivity and criticality — and GE Digital works closely with the customer if data requires an additional level of protection or special handling.

Predix protects customer data by maintaining strict isolation between production and development environments. As needed, some level of control may be passed along to the customer. Security policies at multiple layers are applied to limit access to GE Digital employees who possess a legitimate business need for such access. Additionally, data in transit is encrypted over HTTPS and protected through tokenization.

Proper encryption key management is vital to data security. Predix utilizes and provides a comprehensive set of key management services, enabling customers to control keys, protect the integrity of applications and transactions, and obscure sensitive information.

Identity and Access Management

Predix manages privileged identities to ensure the integrity of the platform. The management of identities and credentials used to administer devices within Predix is facilitated by Privileged Identity/Account Management (PIM/PAM) technology.

Predix enables identity management by providing customers the capability to control access and manage their organizations and spaces. Predix offers PIM for the administrator accounts (e.g. for organizations and spaces). Predix also supports federation of customer identities, or a local directory for customers that do not want federated access.

Predix also supports device identities alongside user identities. As customers connect their Operations Technology (OT) devices to the Internet (e.g., to take advantage of the analytics capability of Predix), these OT devices need identities. OT devices can connect to Predix to send operational information or to obtain patches and configuration updates. Predix establishes identities for these devices and manages their lifecycle.

Finally, Predix also offers customers the ability to manage their own customers' identities. As customers build services on Predix, they in turn have end users consuming those services. Predix offers application developer services that allow customers to manage the identities of their end users.

Monitoring and Response

GE Digital has implemented a Security Operations Center (SOC) that provides 24/7/365 security monitoring of the Predix environment up to the Predix platform layer. GE Digital has also implemented an incident response and management process for security events that may affect the confidentiality, integrity, or availability of systems or customer data in the custody of Predix. This process specifies courses of action and procedures for notification, escalation, mitigation, and documentation. Each incident priority has several Cycle Time Goals (CTGs) that dictate acknowledgement, containment, eradication, and recovery times. Personnel are trained in forensics and evidence handling in preparation for an event, including the use of third-party and proprietary tools. Incident response plans are tested for identified areas, such as systems that store sensitive customer information. These tests consider a variety of scenarios, including insider threats and software vulnerabilities. The Predix Cyber Security Incident Response personnel also work closely with the SOC and with customers.

Continuous Assessment

All Predix environments are continuously assessed to ensure security and compliance controls are working to reduce risk to the ecosystem and customer data. Regular automated and manual security assessments are conducted against security controls and procedures. In addition, penetration testing is conducted to identify vulnerabilities and compliance violations. The results of these assessments are captured in a GRC system so that ecosystem risks are prioritized and a remediation plan can be developed and executed.