Realizing a Problem Exists is the First Step to Solving It
Conventional wisdom has led most people to believe that electric companies need to be stable and reliable—above everything else. While this perception is certainly accurate, utilities also face lesser known, but equally difficult, challenges associated with managing and securing their geographically dispersed infrastructure. Florida Power & Light (FP&L) Company has thousands of networked devices that serve roughly 5.6 million accounts and 11 million residents throughout the state of Florida.
Much like the banking and healthcare industries, energy companies like FP&L are highly regulated. Where healthcare has the well-known HIPAA (Health Insurance Portability and Accountability Act) requirements, the energy sector’s requirements are a little less familiar. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of requirements designed to secure the assets required for operating North America’s bulk electric system. Although NERC CIP provides a solid framework for FP&L to follow, the fact remains that it is extremely difficult to maintain situational awareness of the broad and varying set of configuration items (CIs)—the components that need to be managed to deliver an IT service—in a utility company. Manually collected data is often incomplete or out of date, and the problem is accentuated by the many types of platforms that enable, control, and monitor critical infrastructure. Out-of-date and inaccurate inventory and security information often lead to negative NERC CIP audit findings.
According to David Goldstein, Director of Information Technology at NextEra Energy (FP&L’s parent company), “Getting a device’s information collected and properly categorized is critical to success. If you get it wrong and classify everything as ‘critical,’ then you create a situation where the overhead becomes unmanageable.” David continued to explain, “Our biggest pain point is that we have not created baselines for groups of devices predicated on their functions. When everything is its own baseline—for 2,000 devices or more—it becomes problematic to explain how you tested it in the Change Management process.” Even the most comprehensive documentation and compliance across the full breadth of an organization must be continually updated for new and replaced assets, locations, facilities, and technologies. While dealing with these challenges was daunting, the need for cost-effective risk management also became painfully apparent. ChangeGear’s CMDB addressed this need by providing a single database, with approximately 150 device baselines, in which devices are grouped and managed based on their function rather than individually.
FP&L was previously using IBM Tivoli Netcool Configuration Manager (ITNCM) to manage the configuration of their network devices. According to David, “Everyone was their own ‘special snowflake’ in terms of the way they were using ITNCM for baseline management. They weren’t even getting the right deviations. They were only seeing the differences because they were comparing how the device(s) looked before the change [e.g., firmware upgrade, bug fix, full replacement, etc.]—not how they should look now, in accordance with current policies.” This created a tremendous amount of risk, from a Compliance point of view.
At that moment, FP&L realized they needed a better way to group similar assets together and create baselines for each of those groups. When David began testing alternative software tools and applications, he discovered the power of SunView Software’s ChangeGear 8 Change Manager for Business Compliance with Tripwire integration and became the advocate for migrating to this new solution.
Implementing Change Requires Overcoming Internal Challenges
To thrive in the digital economy, utility companies need to increase their agility—their capacity for sensing challenges and opportunities and for quickly mobilizing the organization in response. Agility, however, does not mean destabilizing a utility’s assets or operations. Greater agility can make assets safer and more reliable by enabling companies to anticipate, detect, and resolve problems faster than ever before. Making this happen, though, requires support from senior leaders and, ultimately, from your entire organization.
One challenge that FP&L’s IT team ran into was persuading senior leaders, many of whom have spent most of their careers in the sector’s more predictable earlier environment, to fully adopt an unfamiliar Change Management platform. Another challenge that David’s team faced was prioritizing their digital transformation effort over other projects within the organization. For example, a ServiceNow implementation was taking much longer than planned (almost two years) and was drawing on some of the same resources. Under the best conditions, and with executives who fully support a digital-transformation agenda, it can take years for an entire company—with thousands of employees, a vast asset base, and extensive regulatory requirements—to embrace a new software application. Even with the challenges of cultural change, acceptance, and implementation, ChangeGear with Tripwire integration has been successfully deployed at FP&L and is demonstrating value within the organization, while the ServiceNow project is still moving back and forth between the planning and deployment stages.
Building a Compelling Business Case Requires Strong Evidence
When David Goldstein set his sights on finding a “working” alternative to ServiceNow, he knew it would not be easy to break the grip that this software heavyweight had on FP&L. After all, ServiceNow is the leader in Gartner’s Magic Quadrant for IT Service Management Tools, and it is a highly recognized brand. Despite all its accolades, ServiceNow had not delivered what FP&L needed it to do, and was not expected to for the foreseeable future. Even so, convincing the FP&L leadership team to seek a solution elsewhere had its own challenges.
The first concept that David needed to test and prove was that ChangeGear with Tripwire integration could allow authorized requesters to submit whitelisted change elements, while stopping unauthorized requesters or elements and immediately generating a condition report. David’s test passed as expected. Tripwire’s NERC Solution Suite provides a risk-based approach used by hundreds of members of the North American bulk power system, and Tripwire’s engineers track changes to both technology and the standards, helping utility companies like FP&L stay continually compliant and resilient. That ongoing intelligence enables Tripwire’s automation to keep FP&L current with changes to industry practices and updates to NERC CIP policies, and to apply new controls efficiently to new asset classes when needed.
The second concept that David Goldstein needed to prove was that ChangeGear and Tripwire could handle defects that were not ready to proceed to the next step in the normal workflow. When David and his team began testing SunView Software’s ChangeGear 8 Change Manager for Business Compliance with Tripwire integration, ChangeGear’s no-code FLEX module proved its value by allowing FP&L to essentially create their own module to handle risk mitigation. The “Mitigation” module, as David calls it, is his way of deferring defects that are not ready to move forward in the workflow. At FP&L, defects are time-sensitive and must be addressed within 35 days of being discovered; this rule keeps everything on track. In the past, FP&L used Microsoft Excel spreadsheets stored on SharePoint to “hold” these defects, but there was no way to pull data for reports to track status. ChangeGear’s FLEX “Mitigation” module handles these special cases in a more automated fashion, reducing the time and effort spent on spreadsheets.
Third, and perhaps most important, David needed to prove that ChangeGear with Tripwire could group similar assets together, create a baseline for each group, and identify deviations from those baselines. This functionality worked as well.
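The baseline workflow described in this section (one baseline per device function rather than per device, deviations measured against the baseline instead of against the pre-change snapshot, and deviations not covered by an approved change producing a condition report) is shown below as an added Python example. It is not ChangeGear, Tripwire, or FP&L code; the device names, settings, baseline values, and the change ID CHG-1042 are constructed for illustration.

```python
"""Added example (not ChangeGear/Tripwire code): per-function baselines and
deviation detection for a small device inventory. All devices, settings,
baseline values and change IDs below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One baseline per device function instead of one per device. Hypothetical
# policy values: illustrative, not an actual NERC CIP requirement.
BASELINES: Dict[str, Dict[str, str]] = {
    "substation-router": {
        "ssh_version": "2",
        "telnet": "disabled",
        "ntp_server": "10.0.0.10",
        "logging_host": "10.0.0.20",
    },
    "hmi-workstation": {
        "auto_update": "disabled",
        "screen_lock_minutes": "15",
        "usb_storage": "blocked",
    },
}

# Constructed inventory: each device is assigned a function and inherits
# that function's baseline. Misclassifying a device applies the wrong baseline.
INVENTORY: Dict[str, str] = {
    "rtr-sub-01": "substation-router",
    "hmi-sub-01": "hmi-workstation",
}

# Constructed config snapshots of rtr-sub-01 before and after a change.
# telnet was already enabled before the change; only ntp_server changed.
BEFORE: Dict[str, str] = {
    "ssh_version": "2", "telnet": "enabled",
    "ntp_server": "10.0.0.10", "logging_host": "10.0.0.20",
}
AFTER: Dict[str, str] = {
    "ssh_version": "2", "telnet": "enabled",
    "ntp_server": "10.0.0.11", "logging_host": "10.0.0.20",
}

# Approved change requests: (device, item, new value) -> change ID. A deviation
# matching an entry here is authorized; anything else becomes a condition report.
APPROVED: Dict[Tuple[str, str, Optional[str]], str] = {
    ("rtr-sub-01", "ntp_server", "10.0.0.11"): "CHG-1042",
}


@dataclass(frozen=True)
class Deviation:
    device: str
    item: str
    expected: str
    actual: Optional[str]      # None when the item is missing from the config
    change_id: Optional[str]   # approved change that explains it, if any

    @property
    def authorized(self) -> bool:
        return self.change_id is not None


def snapshot_diff(before: Dict[str, str], after: Dict[str, str]) -> Set[str]:
    """The 'before vs after' approach: reports only what changed, so a setting
    that was already wrong before the change is never surfaced."""
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def deviations_from_baseline(device: str, config: Dict[str, str],
                             approved: Dict[Tuple[str, str, Optional[str]], str]
                             ) -> List[Deviation]:
    """Compare a device's current config with the baseline for its function,
    tagging each deviation with the approved change that covers it (if any)."""
    baseline = BASELINES[INVENTORY[device]]
    found: List[Deviation] = []
    for item, expected in baseline.items():
        actual = config.get(item)
        if actual == expected:
            continue
        found.append(Deviation(device, item, expected, actual,
                               approved.get((device, item, actual))))
    return found


def condition_reports(deviations: List[Deviation]) -> List[Deviation]:
    """Deviations not covered by an approved change request."""
    return [d for d in deviations if not d.authorized]


if __name__ == "__main__":
    print("snapshot diff sees only:", snapshot_diff(BEFORE, AFTER))
    for d in deviations_from_baseline("rtr-sub-01", AFTER, APPROVED):
        tag = f"authorized via {d.change_id}" if d.authorized else "CONDITION REPORT"
        print(f"{d.device} {d.item}: expected {d.expected!r}, got {d.actual!r} ({tag})")
```

Running the block shows the difference David describes: the snapshot diff reports only `ntp_server`, because that is the only item that changed, while the baseline comparison also surfaces `telnet`, which was already out of policy before the change. The `ntp_server` deviation stays in the deviation list as an audit trail but is excluded from condition reports because approved change CHG-1042 covers it; the `telnet` deviation has no covering change and is reported.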
As a bonus, being able to deploy ChangeGear and Tripwire together in a shorter time and at a lower cost, while meeting all the project objectives, made it even easier to build a compelling case to justify using ChangeGear.
Moving Ahead with ChangeGear 8
FP&L has been able to leverage ChangeGear’s no-code/low-code design and implement nearly all the monitoring and management functions of their enterprise using “out of the box” capabilities. Integrating ChangeGear with Tripwire took advantage of the API functionality, which allows the two platforms to operate seamlessly together. SunView’s partnership with Tripwire makes implementation even easier because David and his team do not have to concern themselves with the details of getting these two companies to work together. The FP&L management group essentially defines their business need, while SunView and Tripwire work together to make it happen.
Since NERC CIP requires FP&L to record, track, and justify every one of the hundreds of ports, protocols, and services on their devices and traversing their networks, FP&L is expanding their auditing capabilities. Industry auditors list this as one of the biggest challenges they see in the field, so FP&L is focused on making the process better. Given that Tripwire includes the tools needed to provide the evidence and the confidence FP&L’s managers expect, tighter integration to meet audit requirements will be a big win for everyone.
SunView Software’s partnership with Tripwire provides highly regulated industries (e.g., energy, finance, healthcare, etc.) and companies like FP&L the tools they need to handle anything that comes their way.
Florida Power & Light (FP&L) Company is the largest energy company in the U.S. as measured by retail electricity produced and sold. The company serves more than 5.6 million customer accounts supporting more than 11 million residents across Florida with clean, reliable, and affordable electricity.
FP&L operates one of the cleanest power generation fleets in the U.S. and in 2020 won the ReliabilityOne® National Reliability Excellence Award, presented by PA Consulting, for the fifth time in the last six years. The company was recognized in 2020 as one of the most trusted U.S. electric utilities by Escalent for the seventh consecutive year.
FP&L is a subsidiary of Juno Beach, Florida-based NextEra Energy, Inc. (NYSE: NEE), a clean energy company widely recognized for its efforts in sustainability, ethics, and diversity, and has been ranked No. 1 in the electric and gas utilities industry in Fortune’s 2020 list of “World’s Most Admired Companies.” NextEra Energy is also the parent company of NextEra Energy Resources, LLC, which, together with its affiliated entities, is the world’s largest generator of renewable energy from the wind and sun and a world leader in battery storage.