FERC has issued a white paper and is requesting public comments on its proposed framework to incentivize cybersecurity investments in the Bulk Electric System (BES). The paper is available from FERC.
I've found that the paper represents an acknowledgement that more can be done to protect our electricity supply from cyber threats (i.e. malware and other harmful items). The NERC CIP standards are a "baseline" (i.e. minimum) set of requirements that simply don't reach the level of security controls that are warranted to deter a serious attack on the software supply chain, and greater protections are needed for the BES to remain safe, as indicated by this FERC work paper. Command and control are the "beating heart" that keeps the electricity supply running smoothly, but it is the software "brain" that is vital to this command and control operation, and both must be protected from dangerous parties with an incentive to disrupt our vital supply of electricity. It is incumbent on all of us to let FERC know that we support their recommendations to protect our electric supply by ensuring that the heart and brain of the system remain safe from harm so that life-saving electricity continues to flow.
I will leave you with this excerpt from the FERC white paper: "augmenting the current CIP Reliability Standards with an incentive-based approach under FPA section 219 that encourages utilities to undertake cybersecurity investments on a voluntary basis may have significant benefits."
Please consider filing your comments with FERC on docket AD20-19-000.