A decade after federal regulators mandated strict security patching rules for the power grid, Bentonville-based Bastazo is arguing that the approach is actually making the grid less secure.
Philip Huff, co-founder and chief scientist at Bastazo, believes utilities need a more selective approach to cybersecurity, one that prioritizes critical vulnerabilities without disrupting operations. Applying a patch to an energy system can itself cause blackouts or grid issues, Huff told Arkansas Business. And energy systems need patches frequently.
“Fixing security holes on the machines that keep the lights on is nothing like updating a laptop,” Huff said. “Power-station computers run nonstop, often on specialized software that can’t simply be rebooted.”
In a white paper published last week, the company said the current system is outdated and actually makes the grid less secure.
And the problem is growing. According to data from the National Vulnerability Database, security vulnerabilities have “exploded” from a few thousand annually a decade ago to more than 25,000 today. But regulations still require utilities to patch virtually every vulnerability within tight timeframes.
The current regulatory standard, known as NERC CIP-007-6 R2, requires utilities to either patch security vulnerabilities within 35 days or create detailed mitigation plans. According to NERC’s 2024 Mid-Year report, it is the most frequently violated standard in the industry.
And since the standard became enforceable in 2016, cybersecurity vulnerabilities have grown more than 520%. However, the requirements remain unchanged.
“Utilities need a smarter, more selective way to stay safe without switching off the grid,” Huff said. “Blind patching can introduce instability. Modern artificial intelligence lets us map which vulnerabilities are being weaponized, which devices are exposed and which controls will reduce risk fastest. Patching remains vital, but it [should be] the last step, not the first.”
Huff said “compensating controls,” actions that can be taken before patching, include network segmentation, allow-listing and protocol filtering, among others. This would require a “fundamental” shift from compliance-driven patching to strategic, risk-based remediation.
Bastazo’s platform analyzes vulnerabilities and prioritizes them based on four key factors: whether the vulnerability is being actively exploited, the system’s exposure level, how easily attacks can be automated and potential human impact.
The software then categorizes vulnerabilities into four priority levels — defer, scheduled, out-of-cycle and immediate. It also creates corresponding remediation plans that align with the existing NERC CIP compliance requirements.
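To make the risk-based scheme concrete, here is an added Python model, not Bastazo's software or algorithm, showing how the four factors named above (active exploitation, exposure, automatability, human impact) can be turned into the four priority levels and a work order that still tracks the 35-day CIP-007-6 R2 window. The weights, thresholds, the seven-day out-of-cycle deadline, the choice of compensating controls, and the sample findings with their placeholder ids are all assumptions made for this example.

```python
"""Illustrative risk-based vulnerability triage for OT assets (added example).

Not Bastazo's code: weights, thresholds, deadlines and control choices are
assumptions chosen to show the four factors driving the four priority levels.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Exposure(Enum):
    ISOLATED = 0   # no network path from a less-trusted zone
    INTERNAL = 1   # reachable from the corporate or wider OT network
    INTERNET = 2   # reachable from the internet


class Priority(Enum):
    DEFER = "defer"
    SCHEDULED = "scheduled"
    OUT_OF_CYCLE = "out-of-cycle"
    IMMEDIATE = "immediate"


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder ids in the sample data below
    asset: str
    exploited: bool         # reported as actively exploited in the wild
    exposure: Exposure
    automatable: bool       # exploitation can be scripted at scale
    human_impact: bool      # compromise could endanger people or grid stability
    patch_released: date    # start of the CIP-007-6 R2 35-day clock


@dataclass(frozen=True)
class WorkOrder:
    finding: Finding
    priority: Priority
    due: date
    action: str
    controls: tuple[str, ...]


CIP_WINDOW = timedelta(days=35)    # patch or mitigation plan within 35 days
URGENT_WINDOW = timedelta(days=7)  # assumed deadline for out-of-cycle work


def score(f: Finding) -> int:
    """Weighted sum of the four factors, range 0..8 (weights are assumptions)."""
    return 3 * f.exploited + f.exposure.value + f.automatable + 2 * f.human_impact


def priority(f: Finding) -> Priority:
    s = score(f)
    p = (Priority.IMMEDIATE if s >= 6 else Priority.OUT_OF_CYCLE if s >= 4
         else Priority.SCHEDULED if s >= 2 else Priority.DEFER)
    # Isolation is already a compensating control: the device must still be
    # patched inside the CIP window, but never justifies an emergency outage.
    if f.exposure is Exposure.ISOLATED and p in (Priority.IMMEDIATE, Priority.OUT_OF_CYCLE):
        p = Priority.SCHEDULED
    return p


def compensating_controls(f: Finding) -> tuple[str, ...]:
    """Controls to apply before (or instead of an emergency) patch."""
    controls = []
    if f.exposure is Exposure.INTERNET:
        controls.append("protocol filtering at the perimeter")
    if f.exposure is not Exposure.ISOLATED:
        controls.append("network segmentation")
    if f.automatable:
        controls.append("application allow-listing")
    return tuple(controls)


def plan(f: Finding, today: date) -> WorkOrder:
    p = priority(f)
    cip_due = f.patch_released + CIP_WINDOW
    if p is Priority.IMMEDIATE:
        due, action = today, "apply compensating controls now; patch at first safe opportunity"
    elif p is Priority.OUT_OF_CYCLE:
        due, action = min(today + URGENT_WINDOW, cip_due), "apply compensating controls; schedule an out-of-cycle patch"
    elif p is Priority.SCHEDULED:
        due, action = cip_due, "patch in the next maintenance window; file a mitigation plan if that window is later"
    else:
        due, action = cip_due, "document a mitigation plan; patch in the next regular cycle"
    return WorkOrder(f, p, due, action, compensating_controls(f))


def work_orders(findings, today: date) -> list[WorkOrder]:
    """Work orders, most urgent first, then earliest due date."""
    rank = {Priority.IMMEDIATE: 0, Priority.OUT_OF_CYCLE: 1, Priority.SCHEDULED: 2, Priority.DEFER: 3}
    return sorted((plan(f, today) for f in findings), key=lambda w: (rank[w.priority], w.due))


# Constructed sample findings (placeholder ids, not real vulnerabilities).
SAMPLE = [
    Finding("VULN-A", "relay-controller-01", True, Exposure.INTERNAL, True, True, date(2025, 1, 2)),
    Finding("VULN-B", "historian-02", False, Exposure.INTERNET, True, False, date(2025, 1, 10)),
    Finding("VULN-C", "hmi-03", True, Exposure.ISOLATED, True, True, date(2025, 1, 5)),
    Finding("VULN-D", "engineering-ws-04", False, Exposure.INTERNAL, False, False, date(2025, 1, 20)),
]

if __name__ == "__main__":
    for w in work_orders(SAMPLE, date(2025, 1, 15)):
        print(w.priority.value, w.finding.vuln_id, w.due, w.action, w.controls)
```

Run as a script, the output lists the actively exploited, network-reachable relay controller as immediate, the isolated HMI as scheduled despite its high score (its isolation is the compensating control), and the low-exposure workstation as deferred with a documented mitigation plan due at the end of the 35-day window.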
“Our aim is action and not just more metrics and dashboards,” Huff said.
As the current “patch-all” mandate approaches its 10-year anniversary, Huff said Bastazo hopes to spark discussions about risk-based, intelligence-driven compliance that both regulators and utilities can adopt. He believes the grid can be safer, “even when fewer patches are applied.”
“Cybersecurity is moving from reactive, manual triage to predictive, data-driven defense,” Huff said. “Expect rapid advancements in attack path forecasting, autonomous remediation and more realistic simulation environments.”
He also sees applications beyond the power sector.
“The grid is just the beginning,” Huff said. Hospitals, pipelines and factories all face the same operational technology (OT) patching dilemma as the electric sector. “Bastazo’s mission is to become the go-to platform that turns overwhelming vulnerability noise into clear, executable work orders across every critical sector.”
Huff is also an associate professor in the department of computer science at the University of Arkansas at Little Rock. He previously worked at the Arkansas Electric Cooperative Corporation in Little Rock for more than 15 years, specifically as the director of critical infrastructure security.
“Arkansas sits at the crossroads of America’s transmission systems and hosts one of the highest concentrations of electric utilities per capita,” Huff said. “Our Arkansas university labs have spent over a decade researching OT cyber defense, producing home-grown talent. Bastazo was founded here, draws on that expertise, and is committed to building high-tech jobs in state.”