"I'm not aware of any software providers being included," said NERC Senior Vice President Manny Cancel, who is also CEO of NERC's Electricity Information Sharing and Analysis Center (E-ISAC), which runs GridEx. "

" The lack of any planned vendor participation for GridEx VI has taken some cybersecurity experts by surprise, particularly after last year's SolarWinds software supply chain hack, which NERC said exposed about 25% of electric utilities to malware. "

This is precisely the type of scenario that makes me question NERC's ability to properly administer and guide cybersecurity policies to protect the electric grid. Vulnerabilities in the software supply chain are one of the most effective attack vectors for cyber criminals.

It's time to think seriously about putting the Cybersecurity experts at CISA and NIST at the helm of all critical infrastructure cybersecurity policies and protections. That's how we put our best foot forward on cybersecurity protections for all critical infrastructure.

FYI: Offers were made to NERC to provide GridEx testing for software supply chain risk using NIST's C-SCRM and SBOM best practices, however this offer was rejected.