About a quarter of electric power utilities were vulnerable to hackers via the SolarWinds attack, but the organization overseeing grid security does not invite software vendors to its biennial security exercise.