
Does BOD 26-04 Go Far Enough for CPS Security in a Post-Mythos World?


The publication of CISA's Binding Operational Directive 26-04 is a signal to federal agencies that exploitability must be the driver of exposure remediation. The message is clear: Prioritize based on risk, and accelerate remediation. 

This is reasonable for IT environments, but for enterprises managing cyber-physical systems (CPS) it is untenable, especially in a post-Mythos world. Machine-speed, AI-driven vulnerability discovery and exploitation have compressed response times and increased the volume of exploitable security issues. In the weeks since Mythos was made available in a private preview, we have already seen leading technology providers ship updates addressing hundreds of vulnerabilities. As a result, traditional vulnerability management assumptions such as find-prioritize-and-patch break down in operational environments such as hospitals, manufacturing facilities, utilities, and other critical infrastructure, where CPS assets have a direct impact on outcomes in the physical world.

Beyond the CVE Blindspot: Navigating Structural CPS Exposures

Why? Many exposures in CPS assets stem from insecure-by-default configurations or design weaknesses rather than from exploitable software or firmware vulnerabilities. Many CPS assets rely on insecure communications protocols that were designed for interoperability, not for operation in connected and potentially hostile environments. Basic security capabilities such as authentication and message encryption are absent, presenting an inviting gap that even low-skilled threat actors can use to gain access to an environment.

These conditions may never receive a CVE identifier, yet they remain highly exploitable and extraordinarily prevalent across operational environments.

Another area where agencies bound by BOD 26-04 may struggle is patching and mitigation. CPS—operational technology (OT) and medical devices in particular—seldom have routine maintenance windows built in for security updates; any downtime has operational consequences. Further complicating patching: even when patches exist, they cannot be implemented immediately. Healthcare organizations require FDA approval to implement cybersecurity updates to medical devices, for example. Many industrial OEMs require that control systems run at certain patch levels, delaying the implementation of new fixes. As a result, remediation timelines inevitably trail vulnerability disclosure timelines.

Finally, many CPS assets cannot be patched at all. Operational environments routinely contain equipment designed to remain in service for decades. Legacy programmable logic controllers, building automation systems, imaging devices, and other specialized equipment frequently outlive vendor support periods. These assets become functionally unpatchable long before they are retired.

Overcoming CPS Security Constraints Under BOD 26-04

In a post-Mythos world, this creates a dangerous asymmetry: adversaries gain the ability to discover and exploit vulnerabilities faster, while defenders remain constrained by maintenance windows, regulatory requirements, and aging infrastructure. To overcome these constraints:

  • Federal agencies with large CPS estates must strive toward resilience in order to maintain operational continuity and avoid catastrophic outcomes. BOD 26-04 is a signpost for CPS asset operators, who must see beyond its patching mandates and instead focus on resilience and on limiting the blast radius once an incident is detected.

  • Segmentation that limits communication between enterprise and operational environments must be table stakes. It limits the number of pathways between critical systems available to attackers and prevents lateral movement. Segmentation prevents an exploitable vulnerability from becoming an agency-wide risk.

  • Privileged third-party remote access also plays a pivotal role in reducing the blast radius of an incident. Enforcing least privilege and just-in-time access, in conjunction with strong authentication and comprehensive session monitoring, dramatically reduces the opportunities available to adversaries.
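The post's argument is that exposure, not CVE count, should drive CPS remediation: an unsupported controller reachable from the enterprise network over an unauthenticated protocol is a bigger problem than a patched host with a long CVE list. The script below is an added example, not code from the post or from Claroty's products; the asset inventory, flow records and the set of protocols treated as unauthenticated are all constructed assumptions. It flags the three structural exposures the post names (enterprise-to-OT reachability, unauthenticated protocols, vendor-unsupported assets) and ranks OT assets by them before falling back to CVE count.

```python
from dataclasses import dataclass

# Assumption: protocols that carry no authentication or encryption by design.
UNAUTHENTICATED_PROTOCOLS = {"modbus", "dnp3", "bacnet", "ethernet/ip"}


@dataclass
class Asset:
    name: str
    zone: str               # "enterprise" or "ot"
    vendor_supported: bool  # False means functionally unpatchable
    open_cves: int


@dataclass
class Flow:
    src: str
    dst: str
    protocol: str


def exposure_findings(assets, flows):
    """Map each OT asset to the structural exposures observed against it."""
    by_name = {a.name: a for a in assets}
    findings = {a.name: [] for a in assets if a.zone == "ot"}
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if dst.zone != "ot":
            continue  # only OT targets are scored here
        if src.zone == "enterprise":  # segmentation gap: direct IT-to-OT path
            findings[dst.name].append(f"reachable from enterprise host {src.name} over {f.protocol}")
        if f.protocol.lower() in UNAUTHENTICATED_PROTOCOLS:
            findings[dst.name].append(f"unauthenticated {f.protocol} session from {src.name}")
    for a in assets:  # unpatchable assets are exposed regardless of traffic
        if a.zone == "ot" and not a.vendor_supported:
            findings[a.name].append("vendor support ended; no patch path")
    return findings


def prioritize(assets, flows):
    """Rank OT assets by exposure count first, open CVE count second."""
    findings = exposure_findings(assets, flows)
    cves = {a.name: a.open_cves for a in assets}
    return sorted(findings, key=lambda n: (len(findings[n]), cves[n]), reverse=True)


# Constructed sample inventory and observed flows (not real data).
SAMPLE_ASSETS = [
    Asset("ws-eng", "enterprise", True, 12),
    Asset("hmi-01", "ot", True, 3),
    Asset("plc-legacy", "ot", False, 0),
    Asset("imaging-01", "ot", True, 1),
]
SAMPLE_FLOWS = [
    Flow("ws-eng", "hmi-01", "rdp"),
    Flow("hmi-01", "plc-legacy", "modbus"),
    Flow("ws-eng", "plc-legacy", "modbus"),
]

if __name__ == "__main__":
    for name in prioritize(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(name, exposure_findings(SAMPLE_ASSETS, SAMPLE_FLOWS)[name])
```

In the sample, the zero-CVE legacy PLC ranks first because it is unsupported, reachable from the enterprise zone and spoken to over an unauthenticated protocol; the enterprise workstation with the most CVEs is not an OT target and is not ranked at all.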

Technology leaders can also use BOD 26-04 as leverage to motivate OEMs and medical device manufacturers to deliver products that are secure by default. AI coding tools can be built into development lifecycles to identify weaknesses during the design, testing, and deployment phases, ensuring products are secure by design and secure by default before they ever enter operational environments.

Post-Mythos, CPS protection must evolve from vulnerability remediation toward exposure reduction, resilience, and architectural risk elimination. CPS operators cannot mitigate or remediate faster than vulnerabilities are found and exploits developed. The question is no longer whether defenders can patch faster than vulnerabilities emerge.

For many CPS-intensive environments, they cannot. The question is whether we can design systems in which inevitable vulnerabilities no longer translate into catastrophic outcomes. Mythos accelerated vulnerability discovery. Physics did not accelerate maintenance windows. Federal CPS security strategies must acknowledge both realities simultaneously, and strive to go further than the dictates of BOD 26-04.
