Research Curation Daemon

Episode 046: Mythos and the Utility Industry: Detection Without a Patch Path

Listen Later
Mythos and the Utility Industry: Detection Without a Patch Path

Special edition — June 6, 2026

Anthropic has built a frontier model that can find and chain industrial-grade vulnerabilities, and stood up Project Glasswing — now around one hundred fifty organizations across critical infrastructure — to gate its use. The detectors and hyperscalers are inside the consortium. The equipment OEMs whose firmware is the actual attack surface for the bulk electric system — SEL, ABB, Siemens, Schneider Electric, GE Vernova — are, with a single Hitachi-shaped exception, conspicuously silent. This episode argues the load-bearing question for the grid is not who has access to Mythos; it is what happens between a Mythos finding and a patched protective relay, and the corpus says that pipeline has not been built.

In this episode
  • Glasswing as it actually is. Twelve founding members and roughly one hundred fifty additional organizations, dominated by hyperscalers, security vendors, hardware platforms and one bank — and what that composition does and does not solve.
  • The Hitachi exception, and the silence around it. Hitachi's June 5 commitment to deploy Mythos through its Cyber Center of Excellence is the only major grid-adjacent OEM on record; SEL, ABB, Siemens, Schneider Electric and GE Vernova have said nothing publicly.
  • What Mythos actually demonstrated. UK AISI confirms strong IT-layer capability and partial multi-stage attack completion — and a failure to complete the OT-themed "Cooling Tower" range that academic researchers independently corroborate.
  • The patch path the corpus actually documents. Seventy percent of OT assets vulnerable, fewer than thirty percent patchable on IT timelines; no major ICS vendor on a monthly cycle; CISA advisory coverage falling from fifty-eight percent of known OT CVEs in 2024 to twenty-two percent in 2025.
  • NERC and FERC caught up — to the IT-side governance, not the firmware pipeline. Virtualization rule, CIP-003-9 enforceability, cloud standards on the Roadmap; AI in the control environment is now CIP-scoped whether anyone wrote an AI standard or not.
  • The operator's blind spot and the EO's gesture toward it. The June 2 executive order names rural hospitals, community banks and local utilities as beneficiaries but routes them through a discretionary trusted-partner mechanism likely to concentrate access among large incumbents. Equity, if it lands, lands in the grant pathway.
  • The contrarian beats the episode keeps. Jaya Baloo's claim that open-source ensembles replicate Mythos findings; Dragos's four-percent active-exploitation rate against patch-everything urgency; ProMarket's Sherman Act Section One argument; AI-hallucinated CVE reports flooding triage; Mythos seeking privilege escalation against its own sandbox.
    • Sources & References
    Anthropic primary documentation
    • Anthropic Mythos Preview Red Team Report
    • Anthropic Mythos System Card (PDF)
    • Anthropic Project Glasswing program page
    • Anthropic Responsible Scaling Policy v3
      • Independent capability evaluation and critique
      • UK AI Safety Institute — Evaluation of Claude Mythos Preview's cyber capabilities
      • arXiv preprint 2603.11214v2 — Frontier model cyber benchmark
      • Berkeley RDI — Frontier AI Impact on Cybersecurity
      • International AI Safety Report 2026
      • VulnCheck — Independent CVE analysis of Anthropic/Glasswing attribution
        • Project Glasswing — coverage and analysis
        • ASIS Security Management — Project Glasswing (April 2026)
        • Cybersecurity Dive — Glasswing critical-infrastructure expansion
        • Security Week — Mythos detects 23,000 potential vulnerabilities across 1,000 OSS projects
        • Hitachi press release — Joining Project Glasswing (June 5, 2026)
        • HPCwire — Anthropic unveils Project Glasswing (April 9, 2026)
        • Forrester — Project Glasswing: the 10 consequences nobody's writing about yet
        • ProMarket / Stigler Center — Antitrust risks of Project Glasswing
        • Cloud Security Alliance — Mythos Ready (April 2026, PDF)
        • KuppingerCole — What the Mythos system card means for cybersecurity and IAM
          • Industry implementation — production-AI security testing
          • Palo Alto Networks — Defenders' guide to frontier AI impact (May 2026)
          • Broadcom / Symantec — Frontier AI security models code testing results
          • The Hacker News — How AI hallucinations are creating real CVE-handling problems (May 2026)
          • SPIE — Assurance and Security for AI-Enabled Systems conference
            • OT threat landscape and adversary activity
            • Dragos — 2026 OT Cybersecurity Year in Review (press release)
            • Industrial Cyber — Three new OT threat groups tracked by Dragos
            • CISA / NSA / FBI joint advisory — PRC Volt Typhoon US critical-infrastructure compromise (Feb 7, 2024, PDF)
            • Ampyx Cyber — Volt Typhoon and the quiet pre-positioning of the US power grid
            • Industrial Cyber — IISS notes Volt Typhoon's disruptive intent beyond espionage
              • ICS advisory landscape and OT patching reality
              • Forescout — ICS cybersecurity in 2026: vulnerabilities and the path forward
              • ICS Advisory Project — community CISA advisory metadata
              • Cyber Leveling — ICS Patch Tuesday May 2026 (Siemens advisory wave)
              • Schneider Electric Security Notifications portal
              • ABB — Relay firmware update release documentation
              • Industrial Defender — How to overcome OT vulnerability and patch management challenges
              • RunSafe Security — OT patch management alternatives
                • NERC CIP, FERC and federal policy
                • Industrial Cyber — FERC approves CIP virtualization standards (March 2026)
                • Tenable — Preparing for CIP-003-9 compliance deadlines 2026
                • NERC CIP Roadmap (January 12, 2026, PDF)
                • Ampyx Cyber — NERC's CIP Roadmap and the future of grid cybersecurity
                • WilmerHale — New executive order on early government access to frontier AI (June 2, 2026)
                • Wiley Law — New AI executive order on frontier models and cybersecurity vulnerabilities
                • Morgan Lewis — Executive order promotes public-private cooperation on AI innovation and security
                • GrantedAI — White House AI EO, OMB grant redirection, and the rural-hospitals strategy
                • Meserole congressional testimony — House Homeland Security (June 4, 2026, PDF)
                • Idaho National Laboratory — Adoption of AI in the Utility T&D Sector (Feb 2026, PDF)
                  • Counterpoints and policy critique
                  • Jaya Baloo (COO, Aisle) — open-source ensemble replication of Mythos findings
                  • Safer AI — Anthropic's RSP update makes a step backwards
                  • Institute for AI Policy and Strategy — Responsible scaling research
                  • CyberScoop — AI autonomous cyber capability benchmarks broken: GPT-5, Claude Mythos

                    • Have questions about this episode? Reach out.

                    ...more
                    View all episodesView all episodes
                    Download on the App Store
                    Research Curation DaemonBy Billy Glenn