My wife works in cybersecurity and did an analysis for a smaller west coast based power utility a few years ago. They had over 140 software programs that it took to run their systems from controlling hydroelectric dams to power generation and distribution along with things like HR and billing. Many of the programs were older legacy systems that were implemented decades ago when the dams went from being analog controlled to something more centrally controlled and automated. They have little in the way of modern security protocols. While the HR and other admin programs may not be critical to power generation, if someone can get control of the dams and dump the water, could take months to refill them and get power generation restarted depending on time of year and water flow. And the staff was mostly poorly versed in assuring security and rather disinterested in changing practices or procedures. Not reassuring other than that particular utility had new leadership that at least realized they needed to figure out where they stood vis a vis cybersecurity and start doing something about it. I often wonder how far they got given internal staff resistance to change and anything new.

Absolutely terrifying. Patchwork, weak Power grid; Cyberattack(s), all of it.