Do utilities introduce cybersecurity measures too late?
According to a survey by Black & Veatch and Takepoint Research, this is the case for many, yet this deprioritising of cyber threats carries huge risks.

Operational technology cybersecurity is still introduced too late in most industrial capital projects, increasing long-term risk and cost, according to a new survey.
The study, Secure by Design, was conducted to examine how cybersecurity is integrated into industrial capital projects, with emphasis on design, build and commissioning stages.
Industries represented include industrial manufacturing, oil and gas, chemical processing and refining, power utilities, gas utilities, water/wastewater utilities and other critical infrastructure sectors.
According to the survey, 72% of respondents said cybersecurity enters industrial capital projects late or not at all, despite respondents agreeing that early cybersecurity reduces risk: 78% linked early cybersecurity adoption to reduced downtime and operational disruption across connected OT systems and networks.
The survey emphasises that the most consequential cybersecurity decisions are made at the beginning of a project, when OT systems and industrial control system architecture, network connectivity and accountability are defined.
Once detailed design and construction are underway, it adds, opportunities to meaningfully influence security narrow significantly, often forcing organisations into costly and disruptive retrofits after commissioning.
Around 43% of respondents cited lack of expertise as a barrier and 77% shared that moderate to significant external support would help them start earlier, indicating the importance of having the right people involved throughout the process.
According to the survey, although cybersecurity plans are needed, they are often missing: only 24% reported that cybersecurity is always or often included early in industrial projects.
Additionally, approximately three-quarters of respondents identified that a demonstrated business case was the strongest incentive for adoption.
Charlie Sanchez, President of Infrastructure Advisory for Black & Veatch, said: “Cybersecurity cannot be an afterthought: it must be embedded early into capital requirements and procurement decisions.
“If it isn’t defined in the project scope, it won’t be delivered. Cybersecurity is a critical factor affecting public safety, economic stability and national resilience.”
Cybersecurity deprioritised
According to the report, organisations often deprioritise early cybersecurity because it competes with visible delivery milestones, while its benefits are realised over the operational life of the asset.
Additionally, ‘build and run’ costs are typically owned by different parts of the organisation - project teams are rewarded for delivering on time and on budget, while operational teams inherit long-term risk.
This separation, says the report, helps explain why organisations struggle to implement early cybersecurity consistently. The challenge is governance models that do not incentivise early implementation of controls whose risk-reduction value becomes clear only post-commissioning.
Ian Bramson, Vice-President of Global Industrial Cybersecurity at Black & Veatch, said: “Security must be validated at every phase, from early OT system and industrial control design through acceptance testing and handover. As regulations evolve, compliance alone is no longer enough.
“It establishes a baseline, but it does not ensure defensibility when design decisions are scrutinised after an incident. Leaders must move beyond minimum standards and design for durable, long term resilience.”
Technology raising the stakes
The report adds that the need for early integration is amplified by the nature of modern OT environments.
Specifically, it says, control platforms and field devices routinely include web interfaces, remote management capabilities, embedded operating systems, application programming interfaces and default services enabled for remote maintenance. Integrated connectivity across operational data historians, execution systems, cloud analytics and vendor platforms is now a baseline capability across industries.
According to the report, these features expand the attack surface regardless of organisational intent. Even organisations that consider themselves conservative inherit cyber risk through default configurations and integration requirements.
The survey’s data reflects this, says the report, with respondents consistently associating early integration with stronger cyber architecture and improved asset management. These outcomes depend on decisions made early in the lifecycle rather than tools deployed after systems are live.
According to Deloitte in a post on cybersecurity in the power and utility sector, although the integration of digital technologies and IoT has improved efficiency and control for utilities, it has at the same time expanded the attack surface through increased connectivity of OT services with IT infrastructure.
The global professional services firm adds that the sector has seen an increase in attacks on the OT device environment resulting from compromised IT systems that have given attackers access to OT/industrial control system (ICS) networks.
Additionally, says the company, the sector often relies on legacy systems and equipment that are not designed with cybersecurity in mind and are thus vulnerable.
The company also cites the sector’s reliance on a complex supply chain, which provides an area to exploit; the potential of ransomware attacks, which are increasing across industries, to disrupt operations; and the impact of successful attacks on critical infrastructure, which can have severe consequences, potentially disrupting electricity supply, water management and other essential services.






