Cybersecurity model for electricity sector ‘broken,’ says Bastazo report


A new whitepaper from Bastazo, a cybersecurity firm specialising in operational technology (OT), argues that the electric sector's current compliance-driven approach to patching fails to protect it adequately.

The report contends that decades of regulatory mandates have led to a system of ‘ticking boxes’ rather than effectively addressing real-world cyberthreats.

Bastazo’s research, titled A Risk-Informed Remediation Management Approach for NERC CIP Compliance, advocates for a fundamental shift towards a risk-based remediation model. The approach prioritises vulnerabilities based on the actual threats they pose, rather than adhering to rigid compliance deadlines.

The whitepaper highlights the ineffectiveness of the existing regulatory framework. Despite the stringent requirements set by the North American Electric Reliability Corporation (NERC), CIP-007-6 R2, the security patch management requirement, is identified as the most frequently violated NERC CIP requirement. According to Bastazo, this leaves power grid systems more vulnerable than many stakeholders appreciate.

The report points to the ever-increasing volume of known vulnerabilities. Critical infrastructure teams are struggling to cope, often lacking the resources to assess which vulnerabilities present the greatest risk to their own systems. This forces organisations into one of two poor choices: applying every patch indiscriminately, which wastes time and resources and risks disrupting operations, or falling behind on patching, which produces compliance failures and significant security gaps.

Bastazo’s platform aims to address this by integrating threat intelligence, operational impact assessments and regulatory requirements so that organisations can make better-informed remediation decisions. Instead of applying every patch within a fixed compliance window, utilities can prioritise vulnerabilities by the likelihood of exploitation, the exposure of the affected systems and the potential operational impact, and choose the remediation (patch, workaround or documented mitigation) that fits each case. Bastazo argues that this risk-based approach not only enhances security but also minimises unnecessary disruptions to critical infrastructure operations.

The risk-based framework outlined in the whitepaper leverages established standards such as Stakeholder-Specific Vulnerability Categorisation (SSVC) and the Common Security Advisory Framework (CSAF). Bastazo claims the framework enables organisations to:

  • Prioritise vulnerabilities based on actual risk, moving away from arbitrary deadlines.
  • Automate remediation workflows to align with both operational and compliance needs.
  • Reduce downtime by selecting the most appropriate and safest mitigation strategies.
  • Improve auditability and compliance processes without compromising security.
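As an added illustration of the prioritisation described above (this is not code from the whitepaper or from Bastazo's platform), the following Python triages a constructed, minimal CSAF 2.0-shaped advisory against an assumed asset inventory and an assumed threat-intelligence feed. The decision points and outcome names follow SSVC's deployer tree (Exploitation, Exposure, Mission Impact; defer, scheduled, out-of-cycle, immediate), but the mapping from decision points to outcomes is an assumed local policy, not the published SSVC table, and every product ID, CVE ID, exposure and impact value is a placeholder constructed for the example.

```python
"""Risk-informed remediation triage over a CSAF advisory.

Added illustration, not code from the Bastazo whitepaper or platform.
Decision-point and outcome names follow SSVC's deployer tree; the mapping
in ssvc_deployer_priority() is an assumed local policy, not the published
SSVC decision table. The advisory, inventory and exploitation feed below
are constructed sample data with placeholder identifiers.
"""
import json

# Constructed, minimal CSAF-2.0-shaped advisory (sample data; IDs are placeholders).
CSAF_ADVISORY = json.dumps({
    "document": {"title": "Sample advisory", "tracking": {"id": "SAMPLE-0001"}},
    "product_tree": {"full_product_names": [
        {"product_id": "RTU-FW-3.1", "name": "Sample RTU firmware 3.1"},
        {"product_id": "HMI-2.0", "name": "Sample HMI 2.0"},
        {"product_id": "SCADA-SRV-1", "name": "Sample SCADA server 1"},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_affected": ["RTU-FW-3.1"]},
         "remediations": [{"category": "vendor_fix", "product_ids": ["RTU-FW-3.1"]}]},
        {"cve": "CVE-0000-0002",
         "product_status": {"known_affected": ["HMI-2.0"]},
         "remediations": [{"category": "workaround", "product_ids": ["HMI-2.0"]}]},
        {"cve": "CVE-0000-0003",
         "product_status": {"known_affected": ["HMI-2.0", "SCADA-SRV-1"]},
         "remediations": [{"category": "none_available",
                           "product_ids": ["HMI-2.0", "SCADA-SRV-1"]}]},
    ],
})

# Assumed asset inventory: which affected products this utility actually runs,
# how reachable each is (SSVC Exposure: small / controlled / open) and what
# losing it means for operations (SSVC Mission Impact: low / medium / high).
ASSET_INVENTORY = {
    "RTU-FW-3.1": {"exposure": "open", "mission_impact": "high"},
    "HMI-2.0": {"exposure": "controlled", "mission_impact": "medium"},
}

# Assumed threat-intelligence feed (SSVC Exploitation: none / poc / active).
EXPLOITATION = {"CVE-0000-0001": "active", "CVE-0000-0002": "poc"}

PRIORITY_ORDER = ["defer", "scheduled", "out-of-cycle", "immediate"]


def ssvc_deployer_priority(exploitation, exposure, mission_impact):
    """Assumed policy in SSVC deployer-tree terms (illustrative, not the
    published table): actively exploited, reachable and mission-critical ->
    immediate; any active exploitation, or open exposure of a high-impact
    asset -> out-of-cycle; public PoC or high impact -> scheduled; else defer."""
    if exploitation == "active" and exposure != "small" and mission_impact == "high":
        return "immediate"
    if exploitation == "active" or (exposure == "open" and mission_impact == "high"):
        return "out-of-cycle"
    if exploitation == "poc" or mission_impact == "high":
        return "scheduled"
    return "defer"


def recommended_action(remediation_categories):
    """Prefer the vendor's fix; fall back to a workaround or mitigation; where
    nothing is available the finding still needs a documented mitigation plan."""
    if "vendor_fix" in remediation_categories:
        return "apply vendor fix"
    if remediation_categories & {"workaround", "mitigation"}:
        return "apply workaround and document mitigation plan"
    return "document mitigation plan and track for a fix"


def triage(csaf_json, inventory, exploitation):
    """Return one finding per (CVE, deployed product), highest priority first."""
    doc = json.loads(csaf_json)
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve")
        affected = vuln.get("product_status", {}).get("known_affected", [])
        # CSAF remediation objects name the product IDs they apply to.
        remediations = {}
        for rem in vuln.get("remediations", []):
            for pid in rem.get("product_ids", []):
                remediations.setdefault(pid, set()).add(rem["category"])
        for pid in affected:
            asset = inventory.get(pid)
            if asset is None:
                continue  # not deployed here: no exposure, nothing to remediate
            priority = ssvc_deployer_priority(
                exploitation.get(cve, "none"), asset["exposure"], asset["mission_impact"])
            findings.append({
                "cve": cve, "product": pid, "priority": priority,
                "action": recommended_action(remediations.get(pid, set())),
            })
    findings.sort(key=lambda f: PRIORITY_ORDER.index(f["priority"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(CSAF_ADVISORY, ASSET_INVENTORY, EXPLOITATION):
        print(f"{f['priority']:<13} {f['cve']}  {f['product']:<11} {f['action']}")
```

The sample advisory lists a product (SCADA-SRV-1) that is not in the inventory; it produces no finding, which is the point of combining the advisory with local asset data rather than treating every advisory entry as a deadline. The ordered output, with its per-finding action, is also the kind of record an auditor can follow back to the exploitation, exposure and impact inputs that justified each decision.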

Bastazo’s report concludes that a risk-informed approach is essential for the electric sector to effectively address the evolving cybersecurity landscape and protect critical infrastructure from increasingly sophisticated threats. The current compliance-driven model, it argues, is no longer fit for purpose.

“Utilities are stuck in a cycle of patching for compliance instead of security,” said Bastazo Chief Scientist, Co-founder and the paper’s author Philip Huff. 

“Our research shows that this approach fails to address real risks and may contribute to leaving systems exposed. A risk-informed remediation model is the only way to keep up with the constant influx of vulnerabilities and align security efforts with real-world threats.”
