Case Study

Florida Power & Light

The largest energy company in the U.S. transformed NERC CIP compliance with automated workflows and comprehensive asset management.

The Challenge

Electric companies need to be stable and reliable above everything else. They also face challenges associated with managing and securing their geographically dispersed infrastructure. Florida Power & Light has thousands of networked devices that serve roughly 5.6 million accounts throughout the state of Florida.

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a set of requirements designed to secure the assets required for operating North America's bulk electric system. Although NERC CIP provides a solid framework, it is extremely difficult to maintain situational awareness of the broad and varying set of configuration items in a utility company.

Manually collected data is often insufficient or out of date, a problem accentuated by the many types of platforms that enable, control, and monitor critical infrastructure. Out-of-date and inaccurate inventory and security information often leads to negative NERC CIP audit findings.

FP&L was previously using IBM Tivoli Netcool Configuration Manager (ITNCM) to manage the configuration of their network devices. They weren't getting the right deviations: they saw only the differences from how devices looked before changes, not from how they should look now in accordance with current policies. This created a tremendous amount of risk from a compliance point of view.

"Getting a device's information collected and properly categorized is critical to success. If you get it wrong and classify everything as 'critical,' then you create a situation where the overhead becomes unmanageable. Our biggest pain point is that we didn't have baselines for groups of devices predicated on their functions. When everything is its own baseline—for 2,000 devices or more—it becomes problematic."
Director of Information Technology, NextEra Energy

The Solution

ChangeGear proved to be the most flexible and scalable solution. FP&L implemented Service Desk, Asset Management, and CMDB. ChangeGear's CMDB solved for the need to manage disparate devices with a baseline by providing a single database with approximately 150 device baselines, where devices are more easily grouped and managed based on their function.

FP&L was able to leverage ChangeGear's no-code/low-code design and implement nearly all the monitoring and management functions of their enterprise using "out of the box" capabilities. Integrating ChangeGear with Tripwire took advantage of the API functionality, which allows the two platforms to operate seamlessly together.

Because NERC CIP requires FP&L to record, track, and justify every one of the hundreds of ports, protocols, and services on their devices and traversing their networks, FP&L expanded their auditing capabilities. The ChangeGear integration with Tripwire now allows authorized requesters to submit white-listed change elements, while unauthorized requesters and/or elements can be stopped and immediately generate a condition report.

ChangeGear's no-code Flex module proved its value by allowing FP&L to create a customized module to handle risk mitigation. The "Mitigation" module defers defects that are not ready to move forward in the workflow, handling these special cases in a more automated fashion and reducing time and effort.

The Results

FP&L transformed their approach to managing and securing their digital infrastructure. By replacing older systems and single-point solutions, they created a comprehensive approach to asset and change management that enabled them to meet the stringent NERC CIP requirements more efficiently and effectively, and ultimately to deliver on the service and support needs of their employees and customers.

Partnering with Tripwire enabled the Professional Services team to customize and integrate ChangeGear to deliver a higher level of functionality around risk mitigation and authorization.

Organization

Florida Power & Light

Industry

Utilities

Customers Served

5.6 million customer accounts serving 12 million residents across Florida

Software Used

CMDB, Asset Management, Flex

Key Benefits

  • Improved risk mitigation
  • Automated workflows and advanced authorizations
  • Improved auditing capabilities
  • Enhanced reporting
