When we talk about protecting the United States power grid from hacking, there are two thought camps. The utilities speak to everything they are doing to protect all the different components of their operations, hardware and software. Then there those who speak to the challenges of securing every aspect of the grid and that holes exist and determined national states with plenty of cybercapability are proficient and have likely already penetrated security systems and planted malicious code that can remain dormant and undetected until activated.
Which one is right? Likely both of them to one degree or another. See this article, 'Crash Override': The Malware That Took Down a Power Grid. Yes, this is about Ukraine, but I would not discount that everything done there is possible to do here in the USA. One of my quotes is, "Remember, being compliant means only doing the absolute minimum required."
We have very sophisticated enemies that are nation states that would like to do us harm at the appropriate time and place. Eventually someone will want to demonstrate their capabilities to us in the form of a malicious attack on our critical infrastructure.
Steve Myers shared the link above.