Shared Intel Q&A: Can risk-informed patching finally align OT security with real-world threats? – Source: www.lastwatchdog.com

Source: www.lastwatchdog.com – Author: bacohido

By Byron V. Acohido

Cyber threats to the U.S. electric grid are mounting. Attackers—from nation-state actors to ransomware gangs—are growing more creative and persistent in probing utility networks and operational technology systems that underpin modern life.

Related: The evolution of OT security

And yet, many utility companies remain trapped in a compliance-first model that often obscures real risks rather than addressing them.

That’s the problem Bastazo co-founder Philip Huff is calling out. As a longtime OT cybersecurity expert, Huff argues that current regulations—especially the North American Electric Reliability Corporation’s (NERC) patching requirement CIP-007-6 R2—create incentives.

In theory, NERC’s patching rules promote security. In practice, Huff says, they too often force asset owners to blindly chase updates with little regard for exploitability, threat intelligence, or operational risk.

This is what Huff calls “compliance theater.” The curtain may be rising on the next act.

With Bastazo, Huff and his team are advancing a bold alternative: risk-informed remediation. Their platform uses vulnerability intelligence, AI-assisted prioritization, and contextual awareness to help utilities focus on what matters most—actual exploitable risks—without taking unnecessary action that could disrupt critical operations.

This comes at a moment when utility cybersecurity is at a crossroads. There’s growing pressure from policymakers, regulators, and the public to improve defenses. At the same time, operators must balance security upgrades against aging infrastructure, limited budgets, and uptime requirements.

In this Q&A, Huff unpacks why it’s time to move beyond checkbox compliance and how Bastazo hopes to lead the charge.

LW: What convinced you the current NERC patching rules do more harm than good?

Huff: The NERC security patching standards were written in 2016 when annual vulnerabilities averaged around 6,000. Today, we face over 40,000 vulnerabilities annually. We also have resources like the Known Exploitable Vulnerabilities Catalog. As written, the existing rules incentivize blanket patching rather than intelligent, risk-based remediation, resulting in a wasteful use of resources that fails to prioritize actual security risks.

LW: How does Bastazo shift focus from compliance checklists to real risk reduction?

Huff: When patching everything, there is minimal thought given to security. It becomes more of an operational necessity. However, there are real supply chain risks to patching. You are trusting a large number of vendors to make changes to the code running critical systems. There should be more analysis on what the patch is doing and whether the patch was successful. When you’re patching thousands of vulnerabilities, that type of deep analysis is just not possible, but when you are patching only the handful that truly matter, you are improving both the security and reliability of your systems.

LW: What does “risk-informed remediation” look like in practice?

Huff: It balances the risk and work to stay within the bounds of what is both acceptable and feasible. The tools and metrics to measure risk are more readily available, but I don’t think we have enough spotlight on what the remediation work requires. Risk-informed remediation ensures you are fixing unacceptable risk to your organization, but it also ensures you have the resources to perform that work. If I create a work ticket to apply several hundred patches and I only have one or two people performing the work, then there’s a real problem.

LW: Why do most utilities still stick with the status quo?

Huff: Utilities currently face greater immediate risks from non-compliance penalties than from cybersecurity threats. Compliance is measurable, predictable, and financially enforced. While utilities recognize cybersecurity risks clearly, the cost and operational effort required to transition away from compliance-first toward more risk-informed approaches remain significant barriers.

LW: What’s the right way to bring AI and intel into OT patching—without adding new risks?

Huff: Incorporating AI requires clear verification and transparency. AI should initially handle tasks with low-risk impact, such as adversary identification, where occasional errors have minimal operational consequences. For high-stakes tasks like detailed remediation guidance, AI recommendations must be clearly outlined as advisory and supplemented by expert human oversight.

LW: What’s Bastazo’s edge? What are you offering that others aren’t?

Huff: While most OT cybersecurity solutions stop at asset inventory and vulnerability scoring, Bastazo bridges the gap to actionable remediation. Our edge is combining deep industry knowledge with advanced scientific knowledge to solve one of the hardest problems in OT security: what can asset owners realistically do to de-risk their infrastructure?

LW: What’s the origin story? How did the idea take shape?

Huff: Bastazo emerged from a Department of Energy Industry-University Collaborative Research Center (IUCRC), responding to the industry’s initial experiences with stringent NERC CIP patching requirements. There was not really any research on this problem because the world had never seen a “patch everything” regulatory standard. We have since been dedicated to solving this problem, and as AI innovation has accelerated, we have been able to pull in new approaches that really, for the first time, give defenders an upper hand.

LW: Can your approach hold up under regulatory scrutiny—and what reforms are overdue?

Huff: The standard allows a mitigation plan to be developed when patching is not possible. This is not really a viable option because the amount of manually collected data required to justify not patching is almost impossible to obtain. Our approach lets you develop a mitigation plan, automating the data collection necessary for it. However, I think the standards are long overdue for reform. The requirements should focus on assessing risk and remediating vulnerabilities rather than enforcing patch compliance.
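To make the idea concrete, here is an added illustration (not Bastazo’s code or method) of the triage Huff describes across the last few answers: rank findings by exploitability-weighted risk rather than raw CVSS, patch only what the team’s capacity allows, and record a justification for everything that is mitigated or deferred instead of patched. The scoring weights, the capacity model and the `EX-000n` finding identifiers are constructed for the example.

```python
"""Risk-informed remediation triage (illustrative example, not a vendor product)."""
from dataclasses import dataclass


@dataclass
class Finding:
    fid: str          # constructed placeholder id, not a real CVE
    asset: str
    cvss: float       # base score 0-10
    in_kev: bool      # listed in a known-exploited catalog (e.g. CISA KEV)
    criticality: int  # 1 = low impact ... 3 = grid/safety-critical
    exposed: bool     # reachable from a less-trusted network zone
    patch_hours: float  # work incl. vendor validation and post-patch testing


def risk_score(f: Finding) -> float:
    """Impact x likelihood; assumed weights: KEV listing dominates, exposure adds to it."""
    likelihood = 1.0 if f.in_kev else 0.2
    if f.exposed:
        likelihood = min(1.0, likelihood + 0.3)
    return round(f.cvss * f.criticality * likelihood, 2)


def plan(findings, capacity_hours: float, threshold: float = 10.0) -> dict:
    """Fill the patch queue by risk until capacity runs out; document the rest."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    out = {"patch": [], "mitigate": [], "defer": [], "hours": 0.0, "rationale": {}}
    for f in ranked:
        r = risk_score(f)
        if r < threshold:                      # acceptable risk: defer with evidence
            out["defer"].append(f.fid)
            out["rationale"][f.fid] = f"risk {r} below threshold {threshold}"
        elif out["hours"] + f.patch_hours <= capacity_hours:
            out["patch"].append(f.fid)
            out["hours"] += f.patch_hours
        else:                                  # unacceptable risk, no capacity: mitigation plan
            out["mitigate"].append(f.fid)
            out["rationale"][f.fid] = (
                f"risk {r}; {f.patch_hours}h exceeds remaining capacity "
                f"{capacity_hours - out['hours']}h; kev={f.in_kev} exposed={f.exposed}")
    return out


# Constructed sample inventory for one small substation network.
SAMPLE = [
    Finding("EX-0001", "hmi-01", 9.8, True, 3, True, 6.0),
    Finding("EX-0002", "eng-ws-02", 7.5, False, 2, True, 4.0),
    Finding("EX-0003", "plc-gw-01", 8.1, True, 3, False, 8.0),
    Finding("EX-0004", "historian", 5.3, False, 1, False, 2.0),
]

if __name__ == "__main__":
    print(plan(SAMPLE, capacity_hours=10.0))
```

With ten hours of capacity the sample yields one patch, one mitigation plan with its collected justification, and two documented deferrals, rather than four tickets for the same two engineers.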

LW: What’s the risk if the industry doesn’t move past compliance theater?

Huff: I wouldn’t say it’s compliance theater because utilities have to address both the security and compliance risks. But the risk of the “patch everything” approach is that it distracts security and operations teams from the real threats. The work should be meaningful in addressing real risk, and that’s hard when over 90% of the work has no real impact on improving security.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

June 9th, 2025 | Q & A | Top Stories

Original Post URL: https://www.lastwatchdog.com/shared-intel-qa-can-risk-informed-patching-finally-align-ot-security-with-real-world-threats/
