I'm sure you've already seen/read plenty of articles about security risks, but this one offers a few insights that are noteworthy:
"[W]e cannot pretend that standards themselves equate to security." - Scott Aaronson, VP of security and preparedness, Edison Electric Institute
Security experts agree that the baseline level of security provided by CIP compliance is a starting point.
A report from the U.S. Department of Energy last year identified more than a half dozen "capability gaps" in the power sector's defenses, including supply chain and trusted partner issues.
Eddie Habibi, CEO and founder of cybersecurity firm PAS Global, said enhanced background checks for critical private sector employees would be a good step to improve security. [This should also include software background checks - DB]
"It's critical not to confuse compliance with security," Sharon Chand, principal with Deloitte Cyber Risk Services, told Utility Dive. The CIP standards set out minimum security requirements for assets critical to the nation's bulk electric system, she said, which "scopes out a lot of things" utilities control in their operations. [This is especially true for NERC CIP-010-3 R1 part 1.6, which only checks digital signatures - that's not security, that's compliance; real security requires a comprehensive software background check - DB]