I am currently working with a utility and some of their control system suppliers to secure their legacy control systems for reliability considerations. The team is looking at older systems with "minimal" security that will NOT be replaced for years and newer technology with some degree of security. As the utility is not under the purview of the NERC CIP process, they can address security from an engineering perspective. The utility has an Operational Technology (OT) manager with a control systems background. To date, there have been meetings with OT, Operations, and two vendors.
The October ICS Conference (www.icscybersecurityconference.com) will provide a status of the utility/vendor program. This includes lessons learned by the utility and vendor teams and a better idea of the scope of the problem.