This Month’s Q & A: March 2022
Updated: Mar 16, 2022
Philip Dale Huff, Ph.D.,
Assistant Professor of Cybersecurity
and Director of Research,
Trojan Cyber Arena,
University of Arkansas Little Rock
Photo: Brian Chilson
DR. PHILIP HUFF is an educator and a research scientist. But it may come as a surprise to outsiders to know that, like many researchers, he’s also an entrepreneur. A couple of months ago, we at ACDS received an invitation from Dr. Huff to attend a ribbon-cutting ceremony for a startup called Bastazo. “This is a company I co-founded with UA Fayetteville researchers to commercialize technology coming out of the SEEDS research center,” Huff explained. We couldn’t make the ribbon-cutting, but we were intrigued, and wanted to know more.
So, Bastazo: What is it, how did it come about, what does it do?
It’s a university startup. It came about through Dr. Alan Mantooth at the SEEDS Center in Fayetteville. SEEDS, an acronym for Secure Evolvable Energy Delivery Systems, is one of the Department of Energy’s cybersecurity R&D centers.
Back in 2015, Dr. Mantooth received a $12 million, five-year research grant from the DOE. At that time, I was in the power industry and was working on SEEDS’ industry advisory board. I was the industry chair, doing research on power grid cybersecurity issues. And through a power industry focus group, we were presented the problem of vulnerability management. “We just don’t have the tools to do the needed automation,” they said.
So we founded Bastazo in 2020 and I started working with Dr. Qinghua Li at Fayetteville, who is an expert in cybersecurity and machine learning and an associate director of SEEDS. He was willing to take a chance on this. For a lot of these industry problems, researchers look at them and say, “We’re not going to be able to publish on that.” And they move on. But Dr. Li was willing to take a chance on what has become kind of a niche field: open research for an industry need.
The fourth member of the founding team is Dr. Jia Di, who is the Department Head in Computer Science and Computer Engineering at UA-Fayetteville. He was one of the principal investigators to start up with the SEEDS Center and also another associate director. We also have several Ph.D. and Master’s Degree students working with us. Kylie McClanahan is a Ph.D. student at Fayetteville who’s working on her dissertation right now. She’s one of the key architects in actually developing the application. On the UA Little Rock side, Matt Kennett is also a Ph.D. student doing research on the project and a key architect. Dr. Thao Le-Vasicek was also hired to manage the research and innovation grants.
You mentioned “developing the application,” which I assume refers to your product. Tell me about it.
Yes, our initial product is called SPARTAN, which is an acronym for Secure Patch Automated Remediation and Vulnerability Analysis. It will enable electric utilities large and small to manage the overwhelming number of security patches to their operations technology much more efficiently to reduce the risk of cyberattack. It will automate the process of spotting these thousands of vulnerabilities that utilities have to sort through each month.
And it will answer the questions they wrestle with every day: “Hey is this something that I need to immediately do something about? Or can it wait for a few months? Or is this no risk at all and I can just completely ignore it?”
And by making that optimal decision-making process, you can save up to 4,000 person-hours per year for a small control-center environment in the power sector. That’s really what justified forming Bastazo. “Okay,” we said, “there’s a real need, a real product here. If we automate this, utilities can have more focused work and save resources. Rather than spending their time analyzing and patching vulnerabilities needlessly, they can focus on what really matters to reduce risk to the power grid.”
Are we talking about just normal risk, everyday life risk, weather risk, things like that? Or are we talking about----
We’re talking about the risk of a cybersecurity breach. Of those thousands of vulnerabilities, there may be one that could bring a power company down. For example, in the power system control center where they manage the generation and flow of power, there may be a vulnerability that an adversary could take advantage of to gain access to their system. And right now there’s just nothing that will distinguish which vulnerability that is.
So how does this SPARTAN app work?
It’s data science. We use machine learning over tens of thousands of vulnerabilities using the data from utilities combined with intelligence we gather about the vulnerabilities. Then, we make the machine learning accessible to the utilities to use and tweak. Another problem we address is that a lot of utilities aren’t going to be able to just run everything in the Cloud, which means we can’t provide a centralized Cloud-based machine learning.
So what we do is give them all the vulnerability data and machine learning models. Whatever they have within the bounds of their organization, they collect and keep on site. And we send information to them about the vulnerabilities. Then, they tie that together to perform the machine learning that comes out with the optimal decision.
That’s one way. The other way is a methodology called natural language processing, in which you’re ingesting a lot of data that humans wrote. It’s more like an operator’s descriptions, notes about what people are doing, information about threads, discussions, chats, and such. A human would sift through it and infer the meaning almost immediately. Our job, then, is to automate the process of understanding meaning. Our app answers the question, “What does this passage mean?” It gives the operator the salient features that they need to pull out of it. In other words, we train the natural language processing models to do the same thing a human would do, thereby reducing the magnitude of that task. Because when you multiply that by thousands, it’s not something a human could or should be doing. But a machine can do that same task in a few seconds.
That’s the research part, but maybe the best thing is for me to read you this in-house description of SPARTAN. “This unique product utilizes data from the National Vulnerability Database, hacker discussion threads, and dozens of software manufacturers. Then, the tool scores the likelihood of an impactful attack on a patch-by-patch basis using proprietary machine learning algorithms. Through this analysis, and with input from the customer as to what decisions they would make, the tool learns the way in which to rank the patches and schedule work deadlines. With such a daily report, what now takes three to four fulltime employees to manage can be reduced to one person only spending a fraction of their time addressing patch management and deployment issues.”
You must be working with some power companies to do your research.
Yes, we are, but they don’t allow us to disclose their identities. That’s all a part of working with industry. We have strict policies on how we work with their real, live, day-to-day problems. But yes, we use them as the basis of our research, and we do all of our field testing with the utilities.
How did you come up with the name Bastazo?
[Laughs] Well, we started with SPARTAN, which got us on the Greek theme. And when you’re looking for a company name, you have to look for something that nobody’s used so you can buy the rights to the Domain Name. In Ancient Greek, Bastazo means to carry another’s burden. And that’s what we’re doing with artificial intelligence and machine learning. The tool doesn’t replace people. The aim with SPARTAN is not to eliminate engineers, but rather to enable utilities to deploy them in other critical areas. So Bastazo kind of captured that theme that we’re developing products that will ease the burden of cybersecurity.
You’ve used the future tense in referring to how SPARTAN will help utilities. Is it not on the market yet?
The product is available from Bastazo’s website at bastazo.com, but we’re still in the prerelease phase for a target set of customers. We follow a research startup model going after these Small Business Innovation Research funds that most of the agencies will have for research and innovation investment. That allows us to spend a few more years putting more innovation into the product.
Because a lot of times when you’re running a tech startup, you go immediately into sales and marketing. And your budget starts moving more in that direction. But a university startup provides a kind of incubation period. These are ideas that we’ve had as professors and students. As I said earlier, we have Ph.D. students and a few Masters students, and even a few undergraduate students, participating in the funded research. A lot of this is commercialization projects out of the Department of Energy and the National Science Foundation. The idea is to eventually move this innovation onto a traditional investment path.
I mean, it would be nice if we could go straight from the lab to an immediate market. But it just doesn’t happen that easily. So it’s really up to the researchers to say, “Okay, I’ve got to bridge this gap. If this is going to happen at all, we have to get this over that line to where companies can actually make use of it.”
How do you see your market? And what other products are you thinking about?
In addition to the electric power sector, Bastazo will offer SPARTAN to the oil and gas sector as well, given the commonalities in the two industries from a patch management perspective.
Going forward, we’re looking at similar situations—the data science problem associated with cybersecurity. So, anywhere that there aren’t already tools available on the market and we can automate that analysis. We’re not automating cybersecurity end to end—I think that would be a bridge too far. Instead, we’re helping the professionals do their jobs better.
Our product is essentially vulnerability intelligence. For our customers, we want to be able to identify what the adversarial view is. So when an adversary—be it a criminal organization or a state-sponsored adversary—is looking at your network, looking at your organization, what do they see? Our job is to provide that information to the operator so that they can make better decisions.