Utah renewables company was hit by rare cyberattack in March - CyberScoop

According to Cisco, these vulnerabilities were well known before the attack and could have easily been prevented.   If the affected Company had implemented a comprehensive and on-going "software background check" process, like SAG™, they would have been warned of the elevated risk, resulting from the known vulnerability, via a lower SAGSscore™ rating, allowing them to take preventative action. I am certain of one thing, the current NERC CIP 010-3 R1 part 1.6 standard is incapable of warning a customer of this type of risk, that requires an on-going comprehensive software background check of a Company's software ecosystem both before and after installation of a software object. Hopefully NERC, NIST, DOE or FERC will come forward with this much needed guidance for our industry. It took a 9/11 attack to fix the security issues with air travel, I sincerely hope that never happens to the energy industry; we need guidance now, before any real harm takes place.