Power plants frequently have extensive networks connecting data collectors and Man Machine Interfaces (MMIs) in control rooms and elsewhere. The MMIs are often Windows based and have drivers for Programmable Logic Controllers (PLCs) and other devices. Recognizing that the systems are vulnerable, enlightened engineers keep the plant systems off the Internet except for a few cases... One is the case in which control or supervision has to be remote and the second is when updating software. A third, which I hate to contemplate but it is probably happening somewhere, is that there is a hidden connection for convenience and nobody in authority knows about it.
The bad news is that people have a habit of bringing in their own laptops, connecting them to the Internet at home or even at work, and ultimately connecting them to the network. Immediately, trojans of all sorts can be transferred to the plant assets and, if they are connected to the Internet for remote supervision/operation, a cracker owns them a few hours later. Security is seldom taken seriously enough, and in the press to get work done, shortcuts are inevitable. As a result, our power grid can probably be taken by anybody who has the patience to target the assets with specific attacks. Phishing at power companies and contractors, finding techies on the Internet and attacking their home machines, penetrating the MMI software vendor sites, and various forms of social engineering can all be used.
Probably the only saving grace is that many sites are never connected to the Internet, many sites have well enforced security regulations, and focused attacks to crack into sites are a lot of work without a lot of revenue. It is probably much more profitable to spam some phishing attack than to try to penetrate power plants. When somebody with the skills dislikes us enough, the grid will go down. period.
Now, solar storms can also take down the grid and we have done nothing to protect our power distribution system from major magnetic storms. Protection is simple and fairly straightforward but it costs money and requires coordination. Basically we need the ability to take down the grid in an orderly fashion, place bypasses/shorting bars on the critical transformers and wait for the storm to arrive. After it passes, just bring the grid back up. With 24-96 hours of notice from our solar observation satellites, it is eminently practical to achieve this. While crackers can take down a plant or two, a magnetic storm can destroy major transformers for which there are no replacements. Power will be down for months and maybe a year or more. A major magnetic storm is a virtual certainty but we will cruise on the ragged edge of fate until it hits.