Critical Assets Podcast

By: Patrick Miller
About this listen

The Critical Assets Podcast covers important OT and ICS security topics with an eye toward standards and regulation to keep you ahead of your adversaries... and your auditors. Ampyx Cyber. Securing your world. See our other content such as blogs, cybersecurity news and more at www.ampyxcyber.com

Ampyx Cyber 2024
Politics and Government
    Episodes
    • Vulnerability Overload: Making Prioritization Work in the Real World
      Jul 20 2025

      In this episode, Patrick Miller speaks with Kylie McClanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching challenges, the gaps between IT and OT remediation cycles, and the real-world implications of relying too heavily on scoring systems like CVSS.

      The conversation covers CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploring how it’s being used (and possibly misused) in prioritization workflows, and where the disconnects lie between policy directives and operational feasibility. Kylie also critiques the current state of vendor responsiveness, machine-readable vulnerability disclosure (CSAF), and the importance of asset and exposure awareness.

      This episode is essential listening for practitioners wrestling with patching fatigue, program prioritization, and the tradeoffs between theoretical vulnerability data and applied security outcomes in critical infrastructure environments.

      Links:

      CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities

      CISA vulnrichment: https://github.com/cisagov/vulnrichment

      Vulnrichment, Year One: https://www.youtube.com/watch?v=g5pSVMnWD7k

      CISA SSVC: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc

      Carnegie Mellon SSVC: https://certcc.github.io/SSVC/

      CSAF: https://www.csaf.io/

      VulnCheck KEV: https://vulncheck.com/kev

      Kylie McClanahan on LinkedIn: https://www.linkedin.com/in/kyliemcclanahan/

      Bastazo: https://bastazo.com

      36 min
    • From CISO to Startup: OT Security, Leadership, and Lessons from the Field
      Apr 13 2025

      In this episode of the Critical Assets Podcast, Patrick Miller interviews Darren Highfill, former CISO of Norfolk Southern, for a candid look behind the curtain of life as a security executive. Darren shares hard-won lessons from building and leading a cybersecurity program in a critical infrastructure environment, including how to gain executive buy-in, scale a team, and align security with business priorities. He reflects on the challenges of translating cyber risk into business risk, managing real-world incidents, and the evolving expectations of the CISO role. Whether you're in the chair now or working toward it, this conversation is packed with practical insights for anyone navigating cybersecurity leadership.

      Show links:

      • Darren Highfill LinkedIn Profile - https://www.linkedin.com/in/darrenhighfill/
      • NIST Cyber Security Framework (CSF) - https://www.nist.gov/cyberframework
      • Ankrd website - https://www.ankrd.com/
      44 min
    • Critical Conversations: IR, Forensics, and Regulation in OT
      Jan 4 2025

      In this episode, we sit down with Lesley Carhart (@hacks4pancakes), a renowned expert in OT/ICS incident response and forensics, to explore the unique challenges of defending critical infrastructure against cyber threats. Lesley shares insights into how internal OT teams can better support external IR teams, evaluates global and sector-specific preparedness, and discusses the impact of regulations on effective incident response. We delve into the complexities of defining and reporting incidents, the potential for improved approaches, and actionable advice for those looking to enhance their IR and forensics skills. Lesley also gives a glimpse into the future of their work and their continued mission to strengthen cybersecurity in critical infrastructure.

      Show Links:

      https://www.linkedin.com/in/lcarhart/

      https://www.threads.net/@hacks4pancakes

      https://bsky.app/profile/hacks4pancakes.com

      https://infosec.exchange/@hacks4pancakes

      45 min