This recommended practice is applicable to companies involved in operating, managing and securing existing (second and third generation) substations, and describes 45 risk-reducing measures, covering people, processes and technology, to minimize attack surfaces and counter threats to power systems. These measures are based on a comprehensive review of current European Union (EU) and United States (US) legislation, and currently applicable standards and guidelines on cyber security in operational technology (OT).