AI finds vulnerabilities faster

A POWER Magazine piece warns that AI tools can discover software vulnerabilities faster than utilities can patch them, pushing grid operators toward stronger defensive postures. The article argues that the power sector needs improved observability, patch discipline and secure defaults to keep up with automated attack discovery (POWER Magazine).

Software that runs parts of the power grid now faces a machine-speed problem: new artificial intelligence tools can spot flaws faster than many utilities can patch them. (powermag.com)

Anthropic said on April 7 that it launched Project Glasswing with 12 companies, including Amazon Web Services, Cisco, Google, Microsoft, Nvidia and Palo Alto Networks, to use its Claude Mythos Preview model for defensive security work. Anthropic said it also extended access to more than 40 additional organizations and committed up to $100 million in usage credits plus $4 million in donations to open-source security groups. (anthropic.com)

POWER Magazine reported on April 11 that the same capability that helps defenders find bugs can also compress the time between a flaw being discovered and a real attack against utilities, generators and grid operators. The article said operators need tighter visibility into their systems, faster patch cycles and products that ship with safer default settings. (powermag.com)

A software vulnerability is a coding mistake or unsafe setting that can let an intruder into a system, like a bad lock on a control-room door. In the power sector, those systems include industrial control software and other operational technology that keeps electricity flowing, where outages and instability can have physical consequences. (nerc.com)

Federal guidance has been moving in the same direction. The Cybersecurity and Infrastructure Security Agency says products should be “secure by design,” with multi-factor authentication, logging and single sign-on available out of the box at no extra cost. (cisa.gov)

The North American Electric Reliability Corporation, which oversees bulk-power reliability standards, published a Critical Infrastructure Protection roadmap in January 2026 after its 2025 work plan called for a review of whether existing standards are enough for emerging risks. That roadmap says the industry needs a path for continued improvement as the grid and its threat environment change. (nerc.com)

One of the core utility rules already on the books, Critical Infrastructure Protection standard CIP-010-4, requires configuration change management and vulnerability assessments for bulk electric system cyber assets. Its stated purpose is to prevent and detect unauthorized changes that could lead to misoperation or instability in the bulk electric system. (nerc.com)

Audits still find gaps. The Federal Energy Regulatory Commission said in an October 20, 2025 staff report that most audited entities met mandatory requirements, but potential noncompliance and security risks remained, and staff listed additional voluntary practices that could improve security. (ferc.gov)

The pressure is not only theoretical. The Cybersecurity and Infrastructure Security Agency maintains a Known Exploited Vulnerabilities catalog specifically to track flaws that attackers are already using in the wild, a sign that defenders are often racing a live threat rather than a hypothetical one. (cisa.gov)

CISA’s secure-by-design push has also widened since it began. Its signer page now lists 350 companies that have joined the agency’s Secure by Design pledge, a larger pool of vendors that utilities can press for safer defaults and clearer security roadmaps. (cisa.gov)

The immediate shift for utilities is less about buying one new tool than about shortening every step after a flaw is found: seeing affected assets, testing fixes, applying patches and isolating systems that cannot be updated quickly. The faster bug hunters get, the less room the grid has for slow repairs. (powermag.com)
