Critical Assets Podcast

Author: Patrick Miller

Overview

The Critical Assets Podcast covers important OT and ICS security topics with an eye toward standards and regulation to keep you ahead of your adversaries... and your auditors. Ampyx Cyber. Securing your world. See our other content such as blogs, cybersecurity news and more at www.ampyxcyber.com

Ampyx Cyber 2024
Politics & Government
Episodes
  • Policy Pulse: Regulatory Roundtable - Cyber Strategy, Large Loads, AI & CISA in Flux
    2026/05/11

    Patrick Miller reconvenes with Joy Ditto (Joy Ditto Consulting) and Earl Shockley (INPOWERD) for a tour of the past two months in critical infrastructure policy. The episode opens on the administration's new National Cybersecurity Strategy and its six pillars, with focus on the openly offensive "shape adversary behavior" posture and the asymmetric risk it creates for asset owners likely to absorb retaliation.

    The panel then digs into the pressures reshaping the bulk electric system: data center designation, cloud-hosted control centers running NERC standards while the underlying compute is unregulated, and the physics of computational loads that behave nothing like traditional load. Earl walks through the recent NERC Level 3 alert on large load connections, an unusually serious signal that industry processes are behind.

    The discussion also covers April infrastructure executive orders that release funding but ignore cybersecurity, hyperscalers displacing utilities as the top buyers of bulk electrical equipment, the multi-agency guidance on zero trust in OT, and CISA's leadership uncertainty after Sean Plankey withdrew his nomination. On the AI front, the group unpacks what Anthropic's Mythos and the Glasswing response mean for vulnerability discovery at scale, and why no OT vendors are on the Glasswing list.

    Closing thoughts include Joy's note on satellite cybersecurity and a rare bipartisan Senate trip to China, Earl's emphasis that computational load is now an enterprise governance issue rather than a technical one, and Patrick's plea to stop making the adversary's job easy.

    Topics covered

    • The new National Cybersecurity Strategy and its six pillars
    • Offensive cyber posture and the asymmetric risk to asset owners
    • Data center designation as critical infrastructure
    • Cloud control centers and the NERC 100-series standards
    • Computational load, grid stability, and loss of system inertia
    • NERC Level 3 alert on large load connections
    • April infrastructure executive orders and the missing cyber language
    • Supply chain shifts and hyperscalers as the top equipment buyers
    • Zero trust principles for OT environments
    • CISA Fortify guidance and CISA's current leadership status
    • Anthropic's Mythos, the Glasswing response, and the OT vendor gap
    • Satellite cybersecurity and bipartisan engagement on China policy
    • Basic hygiene: get exposed devices off the internet
    1 hour
  • Policy Pulse: Regulatory Roundtable - NERC CIP, Cybersecurity Strategy, AI & Electric Sector
    2026/02/01

    Welcome to the Policy Pulse Panel, a new monthly series within the Critical Assets Podcast. Hosted by Patrick Miller (Ampyx Cyber), Earl Shockley (CEO, Inpowerd), and Joy Ditto (CEO, Joy Ditto Consulting), this recurring panel dives into the most significant policy shifts and regulatory developments impacting critical infrastructure, operational technology (OT), and industrial cybersecurity. Each month, we unpack emerging legislation, agency actions, and standards updates - connecting the dots between policy and the practical realities faced by asset owners, utilities, vendors, and government partners. If you're trying to stay ahead of your auditors and your legislators, this is your monthly must-listen.

    https://ampyxcyber.com/podcast/policy-pulse-regulatory-roundtable-nerc-cip-cybersecurity-strategy-ai-electric-sector

    1 hour 2 minutes
  • Vulnerability Overload: Making Prioritization Work in the Real World
    2025/07/20

    In this episode, Patrick Miller speaks with Kylie McClanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching challenges, the gaps between IT and OT remediation cycles, and the real-world implications of relying too heavily on scoring systems like CVSS.

    The conversation covers CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploring how it’s being used (and possibly misused) in prioritization workflows, and where the disconnects lie between policy directives and operational feasibility. Kylie also critiques the current state of vendor responsiveness, machine-readable vulnerability disclosure (CSAF), and the importance of asset and exposure awareness.

    This episode is essential listening for practitioners wrestling with patching fatigue, program prioritization, and the tradeoffs between theoretical vulnerability data and applied security outcomes in critical infrastructure environments.

    Links:

    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities

    CISA vulnrichment: https://github.com/cisagov/vulnrichment

    Vulnrichment, Year One: https://www.youtube.com/watch?v=g5pSVMnWD7k

    CISA SSVC: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc

    Carnegie Mellon SSVC: https://certcc.github.io/SSVC/

    CSAF: https://www.csaf.io/

    VulnCheck KEV: https://vulncheck.com/kev

    Kylie McClanahan on LinkedIn: https://www.linkedin.com/in/kyliemcclanahan/

    Bastazo: https://bastazo.com

    36 minutes