
Securing Electrification Software products

Introduction

We protect information about our employees, customers, suppliers, and company, and safeguard the technology resources we provide to our employees and contractors.

We take a risk-based and layered defense approach, using multiple layers of security controls throughout our systems, along with a security and privacy-by-design approach to build these capabilities into our tools, processes, and new products. This aims to enable us to proactively protect against, and respond to, a dynamic cyber threat landscape.

Information Security Governance

Our Chief Information Security Officer (CISO) is responsible for developing an information security program, which includes the information security organization that helps develop and execute strategy. GE Vernova’s Audit Committee periodically monitors and assesses our cybersecurity practices and risk exposures and reviews compliance with such practices and controls to monitor and mitigate our exposure. We have adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework for our cybersecurity risk management program. Each function – govern, identify, protect, detect, respond, and recover – is managed by defined governance, risk assessment, control definition, and effectiveness measures. Additionally, we adopted ISO 27001 for information security.

We have implemented a risk-based and layered defense approach to cybersecurity, which combines multiple mitigating security controls to protect our resources and information, and our cyber resiliency. The cybersecurity risk framework is applied across our enterprise systems, shared services, and supply chain.

To govern, identify, and protect information we store and process, we maintain information technology and infrastructure that implements administrative and technical controls. These controls include, and are not limited to, managing customer data, personal information, intellectual property, and GE Vernova proprietary data.

Securing GE Vernova Electrification Software Products

Our approach to product cybersecurity includes governance of cybersecurity across product life cycles, vulnerability management, customer notifications, incident response, and issuing security bulletins and advisories. Working with product security leaders and engineering and product teams, we continuously work on secure life cycle development practices to safeguard our software and connected products.
Securing Hosted Product
Defense-in-depth

The Electrification Software cloud environment is designed with "defense-in-depth" of the infrastructure, platform, software, and communication layers. This covers the multitude of IT and OT devices and network connections for delivering positive digital industrial outcomes.

Continuous monitoring
We also maintain processes designed to prevent, detect, and respond to cyber threats. Our cyber crisis management function exercises, tests, and continually improves our incident response plan through periodic tabletops and incident simulations. Despite these measures, we may not be able to successfully prevent, or defend against, all cyber-related attacks.

Secure Software Development

GE Vernova
Security Assessments
Independent technology and assessment processes evaluate asset hygiene, configurations, and vulnerabilities for our network environment and products. We prioritize and govern remediation based on the associated risk.

According to our defined policies, we identify and prioritize, and then remediate or mitigate, vulnerabilities. We use technology to identify and support our prioritization for remediating critical and high-risk vulnerabilities.
Penetration Testing
GE Vernova’s platform and applications undergo ongoing penetration testing to identify areas where business risk may exist. Considering attack vectors, a highly specialized team of researchers carries out test scenarios and a process is in place to address any findings.

Thought Leadership

Cyber is being ‘Built-In, not Bolted-On’ to new Electrification Software products like GridOS® by considering Zero Trust security principles for 9 aspects of software.

Compliance

Electrification Software provides information about its compliance programs to help customers with supply chain risk management.
Grid Software
Asset Performance Management, SmartSignal, and Operations Performance Management
Asset Performance Management (APM) SOC 3 - available upon request
Proficy Historian, Proficy HMI/SCADA (CIMPLICITY & iFIX), Proficy Plant Applications MES, and Proficy Operations Hub
We respect your concerns about privacy. See our privacy page for more information.
We contractually require our suppliers to appropriately secure and maintain their information technology systems and protect our information on their systems.