I missed the October publication of FERC's annual staff report on lessons learned.
Some are the usual boilerplate FERC staff "found that while most of the cybersecurity protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP Reliability Standards, there were also potential compliance infractions."
The report also includes previous Lessons Learned from four prior annual reports.