NextEra Energy operates a 76-gigawatt generation portfolio across 49 states and 4 Canadian provinces - nuclear, natural gas, wind, solar, and battery storage at utility scale. The threat surface is straightforward: critical energy infrastructure spanning multiple jurisdictions, legacy industrial control systems co-existing with newer grid-edge tech, and over 16,000 employees accessing operational technology and enterprise IT. The attack model includes nation-state targeting of generation assets, ransomware against grid operations, and supply chain risk across a geographically distributed footprint that includes first-of-their-kind hybrid facilities pairing renewables with storage.
The security posture has to account for operational environments running everything from decades-old nuclear plant systems to real-time energy forecasting platforms built on Alteryx, SAP BusinessObjects, and open-source tooling. Engineers and data scientists work across domains - power plant engineering, grid optimization, energy analytics - which means segmentation, identity management, and secure development practices matter as much as physical site security and ICS hardening. The scale creates both complexity and opportunity: 76 GW of generation means any compromise could have grid-level consequences, but it also means resources to build mature programs.
Security teams here deal with the full stack: protecting SCADA and DCS environments at generation sites, securing enterprise tools like SharePoint and Access that support planning and operations, and managing third-party risk across a sprawling vendor ecosystem. The company's hybrid facilities and co-located wind-solar-battery projects introduce newer architectures that require different threat modeling than traditional baseload plants. Work involves hardening OT/IT convergence points, incident response planning for energy sector-specific scenarios, and coordinating with NERC CIP compliance frameworks while keeping an eye on evolving grid modernization risks.