Market conditions are forcing fossil electricity generation facility owners and operators to implement advanced digital technologies. These technologies enable efficiencies, operational flexibility, operations and maintenance efficiencies, and adaptation to a transitioning workforce. These digital technologies, however, can increase the cybersecurity attack surface. The purpose of this research was to develop a holistic cybersecurity risk reduction framework for fossil generation facilities. The framework begins with assessing how cyber risk changes across facility life cycles, including plant, system, vendor, and business life cycles. The next phase performs consequence analysis to prioritize high-consequence events. Focusing on high-consequence events allows owners to use a graded, risk-informed approach to prioritize cybersecurity efforts. The final phase identifies the digital asset attack surface in sensors and instrumentation and control equipment. After the vulnerabilities are identified, the owner selects mitigating cybersecurity control measures (or countermeasures) based on the risk analysis from the previous phases. This report describes the current industry cybersecurity best practices in fossil generation that are based on the first principles for cybersecurity engineering. The report is divided into five sections that describe the implementation of the risk reduction framework and present the research, methodological, and technology gaps identified through this course of research and development.