Worked on this problem 10 years ago, power distribution companies were sleepy enterprise environments with workforces who were just not equipped to respond to internet technologies, let alone threats. Even the lightweight requirements of NERC/CIP were treated as alien. The best security was in the smart meter infrastructure, which was designed around redundancy and combating fraud, but certainly not national security.
I don't think this is something we fix, it's something we evolve and move on from. My impression was the only real future relative to a grid security crisis is in storage and renewables, with more localized generation. The alternative is basically nationalization.
> Even the lightweight requirements of NERC/CIP were treated as alien.
I work in ICS for a wind company and this is shocking...even when you're working with other entities (regional, ISO, etc.) in the same industry. Some entities don't even bother reading the details of NERC CIP V and completely ban you from even accessing their meters.
I worked on it back then too. As you say, the power companies have neither the money, the talent, nor the will to fix the problem. Getting a private company to spend money to prevent a hypothetical bad thing is always a tough sell, and most of the US grid is operated by private companies.
This could be fixed by a dramatic demonstration. Pick a medium sized metropolitan area, and authorize pentesters to try and take down the grid to the point of a (short) blackout - and make sure people know how it happened, and that a foreign adversary could do it to us.
(Perhaps an occasional electrical blackout is good for a society in the same way an occasional fast is good for a human body).
This was done a few years back in Switzerland by national television. With the approval of everyone involved, a pentester was supposed to shut down the street lights in a medium-sized town.
The pentester got in, got to the correct controls and "failed" because the UI bugged out. It was rather funny to see the journalist/moderator be relieved, while the rep from the energy company and the security specialist both clearly knew that that was sheer luck and with a little more time the pentester could've gotten around the bug too.
Edit after checking the story again: The hacker thought he found the main control but was wrong and only turned the lights off in a tiny side street. So it did work and the "bug"/"luck" was that the UI was so confusing that the attacker got it wrong :D