OT Security Vendors Fear Exclusion from Anthropic’s Mythos AI Model Threatens Critical Infrastructure
What Happened — Anthropic announced Mythos, an agentic LLM capable of autonomously discovering zero‑day flaws and generating exploits. Access to Mythos is limited to members of Project Glasswing – a coalition that currently excludes pure‑play OT and industrial‑control‑system (ICS) security firms.
Why It Matters for TPRM (Third‑Party Risk Management) —
- OT vendors without Mythos access may lag in identifying critical vulnerabilities, widening the security gap for their downstream customers.
- Third‑party risk assessments that rely on vendor‑provided vulnerability data could be incomplete, inflating exposure scores.
- The concentration of advanced AI‑driven exploit discovery in a closed consortium creates a supply‑chain‑style risk for critical‑infrastructure operators.
Who Is Affected — Critical‑infrastructure manufacturers, utilities, and OT security vendors (e.g., Claroty, Nozomi, Dragos) that are not members of Project Glasswing.
Recommended Actions —
- Review contracts with OT vendors to confirm their vulnerability‑management processes and AI‑tool access.
- Require vendors to provide evidence of alternative zero‑day detection capabilities (e.g., open‑source LLMs, bug‑bounty programs).
- Incorporate AI‑access gaps into third‑party risk scoring and consider supplemental monitoring services.
Technical Notes — Mythos is marketed as an “agentic” LLM that can scan codebases, validate exploits, and even write patches. Its capabilities surpass prior LLM‑based scanners and rival DARPA‑funded open‑source tools. Exclusion of OT‑focused vendors means they must rely on less‑advanced methods, increasing the likelihood of undiscovered zero‑days in SCADA, PLC, and DCS environments.
Source: DataBreachToday