Security and Compliance capabilities
US: Every Thursday, 5pm to 10pm PST, for maintenance and upgrade.
UK: Every Friday, 12 noon to 3pm PST (8pm to 11pm London time), for maintenance and upgrade.
Japan: Every Friday, 9am to 12 noon PST (Saturday 1am to 4am Tokyo time), for maintenance and upgrade.
With Predix, GE Digital has combined security certifications, hardware and software expertise, and best practices to create a trusted environment for industrial companies. GE has invested in building an end-to-end industrial cloud infrastructure in secured data centers. With Predix cloud, customer production data is not shared with other cloud services. Rather, all Predix cloud data is handled exclusively in a managed community cloud. Predix cloud is a complete, end-to-end hardware and software environment, built exclusively for industry, and managed by GE Digital to meet the demanding requirements of industrial businesses.
Predix maintains privacy and security policies that are published and communicated to GE employees. GE maintains a security team that is entirely focused on information security and requires privacy and security education training for individuals worldwide who support Predix data centers. GE security policies and standards are reviewed and re-evaluated annually. Predix security incidents are handled in accordance with an incident response procedure.
Predix has adopted the ISO 27001/27002-based Information Security Management System and the Cloud Security Alliance-based Common Controls Matrix (CSA-CCM) for building its security governance and controls framework. Through these processes, Predix enables support for more than 60 regulatory and compliance frameworks, including the following:
Predix employs operating system hardening and maintains base images for provisioned virtual machines. Hardening is based on internal standards (and related guidelines) developed to comply with ISO 27001/27002, SSAE 16 SOC 2, and industry best practices. Predix and the underlying infrastructure are hardened to remove unnecessary services, applications, and network protocols, to configure OS user authentication, and to configure resource controls appropriately. Automated and manual controls are deployed to identify and patch system vulnerabilities within predefined remediation timelines, providing unified and clean run-time environments for customer workloads. Additionally, a common, layered identity model for users, devices, software, and data is enforced.
Predix uses firewalls to restrict network access and dedicated intrusion prevention technologies to monitor for and detect network intrusions. GE Digital regularly audits its network security technologies to verify that they are configured properly, and has implemented penetration testing procedures to detect vulnerabilities.
GE Digital understands that customers demand isolation of environments. Predix uses virtualization to enable the following: automatic provisioning of secure machines; security policies that automatically follow workloads when they move; automatic setup of firewall rulesets for classes of servers; and automatic quarantine of compromised or out-of-compliance assets. Predix also uses virtualization security to fully automate the elimination of configuration drift, effectively managing technical debt.
GE Digital designed Predix to continuously improve the application platform's security posture using cost-effective solutions. In practice this means applying industry best practice in secure agile development when building microservices and applications as part of the Predix ecosystem.
The process starts with robust developer security training via a formal curriculum. Within the Secure Software Development Lifecycle (Secure SDL), security user stories are written for all releases and sprints. Threat modeling is then conducted, with security design reviews of appropriate depth at the various stage gates. Depending on the code base, either Dynamic or Static Application Security Testing (DAST/SAST) is conducted. Predix also uses attack surface analysis and fuzz testing. Depending on the scope of the release, a full Red Team assessment is conducted as well. Defects and vulnerabilities detected through these mechanisms are tracked so that they can be properly managed.
Predix employs asset and data classification guidelines. The guidelines help ensure that Predix assets and customer data receive the required level of protection. Customer data is classified to indicate the need for, priority of, and degree of protection. Data has varying degrees of sensitivity and criticality, and GE Digital works closely with the customer if data requires an additional level of protection or special handling.
Predix protects customer data by maintaining strict isolation between production and development environments. As needed, some level of control may be passed along to the customer. Security policies at multiple layers are applied to limit access to those GE Digital employees who have a legitimate business need for it. Additionally, data is transmitted in encrypted form over HTTPS and protected through tokenization.
Proper encryption key management is vital to data security. Predix utilizes and provides a comprehensive set of key management services, enabling customers to control keys, protect the integrity of applications and transactions, and obscure sensitive information.
Predix manages privileged identities to ensure the integrity of the platform. The management of identities and credentials used to administer devices within Predix is facilitated by Privileged Identity/Account Management (PIM/PAM) technology.
Predix enables identity management by providing customers the capability to control access and manage their organizations and spaces. Predix offers PIM for administrator accounts (e.g., the administrators of organizations and spaces). Predix also supports federation of customer identities, or a local directory for customers that don't want federated access.
Predix also supports device identities, analogous to user identities. As customers connect their Operations Technology (OT) devices to the Internet (e.g., to take advantage of the analytics capability of Predix), these OT devices need identities. OT devices can connect to Predix to send operational information or to obtain patches and configuration updates. Predix establishes identities for these devices and manages their lifecycle.
Finally, Predix also offers customers the ability to manage their customers’ identities. As customers build services on Predix, they in turn will have end users consuming those services. Predix offers application developer services that allow customers to manage the identities of their end users.
GE Digital has implemented a Security Operations Center (SOC) that provides 24x7x365 security monitoring of the Predix environment up to the Predix platform layer. GE Digital has also implemented an incident response and management process for security events that may affect the confidentiality, integrity, or availability of systems or customer data in the custody of Predix. This process specifies courses of action and procedures for notification, escalation, mitigation, and documentation. Each incident priority has several Cycle Time Goals (CTGs) that dictate acknowledgement, containment, eradication, and recovery times. Personnel are trained in forensics and evidence handling in preparation for an event, including the use of third-party and proprietary tools. Incident response plans are tested for identified areas, such as systems that store sensitive customer information. These tests consider a variety of scenarios, including insider threats and software vulnerabilities. The Predix Cyber Security Incident Response personnel also work closely with the SOC and with customers.
All Predix environments are continuously assessed to ensure that security and compliance controls are working to reduce risk to the ecosystem and to customer data. Regular automated and manual security assessments are conducted against security controls and procedures. In addition, penetration testing is conducted to identify vulnerabilities and compliance violations. The results of these assessments are captured in a GRC system so that ecosystem risks can be prioritized and a remediation plan developed and executed.