Why OT Cybersecurity is Delayed in Industrial Capital Projects

by priyanka.patel, tech editor

For decades, the blueprint for a massive industrial capital project—whether a new chemical processing plant, a water treatment facility, or a semiconductor fab—followed a predictable rhythm. Engineers focused on throughput, thermodynamics and structural integrity. Cybersecurity was viewed as an IT concern, a digital fence to be erected around the facility once the physical walls were up and the machinery was humming.

But as operational technology (OT) merges with the cloud and the Industrial Internet of Things (IIoT), that “bolt-on” approach has become a systemic liability. A recent analysis of industrial capital projects highlights a persistent and dangerous gap: cybersecurity is still being introduced far too late in the project lifecycle, often during the commissioning phase when the cost of correcting architectural flaws is at its peak.

As a former software engineer, I’ve seen this pattern in the digital world—building a feature and trying to “secure” it right before launch. In the industrial sector, however, the stakes aren’t just leaked data or a crashed app; they are physical safety, environmental containment, and the viability of critical infrastructure. When security is treated as a final checklist item rather than a foundational requirement, the result is a fragile system that is expensive to fix and easy to exploit.

The Friction Between EPC and the CISO

The root of the problem often lies in a cultural and organizational divide. Most large-scale industrial builds are managed by Engineering, Procurement, and Construction (EPC) firms. These entities are incentivized by timelines and budgets. To an EPC project manager, a cybersecurity requirement that demands a redesign of the network architecture mid-stream is seen as “scope creep” or a costly delay.

Meanwhile, the Chief Information Security Officer (CISO) often remains siloed from the project’s early conceptual phases. By the time the CISO is brought into the loop, the hardware has been ordered, the Programmable Logic Controllers (PLCs) are installed, and the network topology is locked. This creates a “security gap” where the operational reality of the plant does not align with the corporate security policy.


This misalignment leads to several critical vulnerabilities:

  • Hardcoded Credentials: Devices installed by third-party vendors often come with default passwords that are never changed because there is no centralized identity management plan in place.
  • Flat Networks: To simplify installation, contractors often build “flat” networks where every device can talk to every other device, allowing a breach in a low-security area to migrate instantly to critical control systems.
  • Unsupported Legacy Hardware: In the rush to meet a deadline, components may be installed that are already nearing end-of-life or lack the processing power to support modern encryption.
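All three of these failure modes are checkable from the asset register during FEED or detailed engineering, long before commissioning. As an added example that is not part of the original article, the following Python review walks a constructed asset register with a hypothetical ISA/IEC 62443-style zone-and-conduit model and flags default credentials left in place, cross-zone flows outside an approved conduit (the “flat network” case), and hardware whose vendor end-of-life falls inside the plant lifetime; every device name, zone, conduit and date is constructed.

```python
"""Design-stage review of a constructed OT asset register against the
three failure modes listed above: default credentials left in place,
flat networks (cross-zone flows outside an approved conduit), and
hardware that reaches end-of-life inside the plant's lifetime."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical zone/conduit model in the ISA/IEC 62443 style: a flow may
# cross zones only along one of these approved conduits (either direction).
CONDUITS = {("enterprise", "dmz"), ("dmz", "supervisory"), ("supervisory", "control")}

@dataclass
class Asset:
    name: str
    zone: str
    default_creds_changed: bool
    end_of_life: Optional[date]          # vendor EoL date; None if undocumented
    talks_to: List[str] = field(default_factory=list)

def review(assets: List[Asset], project_start: date,
           lifetime_years: int = 15) -> List[Tuple[str, str]]:
    """Return (asset, finding) pairs a design reviewer would raise."""
    by_name = {a.name: a for a in assets}
    horizon = project_start.replace(year=project_start.year + lifetime_years)
    findings = []
    for a in assets:
        if not a.default_creds_changed:
            findings.append((a.name, "default credentials still in place"))
        if a.end_of_life is None:
            findings.append((a.name, "vendor end-of-life date not documented"))
        elif a.end_of_life < horizon:
            findings.append((a.name, f"end-of-life {a.end_of_life} inside plant lifetime"))
        for peer in a.talks_to:
            pz = by_name[peer].zone
            if pz != a.zone and (a.zone, pz) not in CONDUITS and (pz, a.zone) not in CONDUITS:
                findings.append((a.name, f"flow to {peer} crosses {a.zone}->{pz} without a conduit"))
    return findings

# Constructed sample register: two compliant devices, one PLC with default
# credentials and early EoL, one engineering laptop wired straight into control.
PROJECT_START = date(2026, 1, 1)
SAMPLE_ASSETS = [
    Asset("hist-01", "dmz", True, date(2045, 1, 1), ["scada-01"]),
    Asset("scada-01", "supervisory", True, date(2044, 6, 1), ["plc-07"]),
    Asset("plc-07", "control", False, date(2029, 12, 31)),
    Asset("eng-laptop", "enterprise", True, None, ["plc-07"]),
]
```

Running `review(SAMPLE_ASSETS, PROJECT_START)` yields four findings: two against the PLC and two against the laptop, while the historian and SCADA server, whose only cross-zone flows follow approved conduits, pass clean.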

The Cost of the “Late-Stage” Approach

The financial implications of delaying OT security are staggering. In the engineering world, the “Rule of Ten” generally applies: a change that costs $1,000 to implement during the conceptual phase costs $10,000 during detailed engineering and $100,000 once the plant is operational.

When cybersecurity is introduced during commissioning, the “fixes” are often superficial. Instead of rebuilding a network for proper segmentation (the gold standard), companies resort to “band-aid” solutions like adding a few firewalls or relying on a “perimeter-only” defense. This creates a false sense of security while leaving the interior of the plant exposed to lateral movement by attackers.

Comparison of OT Security Integration Strategies

Project Phase        | Traditional “Bolt-On” Approach            | Secure-by-Design Approach
---------------------|-------------------------------------------|----------------------------------------------------------
Conceptual/FEED      | Security ignored; focus on capacity.      | Threat modeling and risk assessment.
Detailed Engineering | Generic IT requirements applied.          | Network segmentation and ISA/IEC 62443 alignment.
Procurement          | Lowest cost/performance hardware.         | Vendor security audits and SBOM requirements.
Commissioning        | Security patches applied as “final step.” | Validation of security controls and penetration testing.

Defining the “Secure-by-Design” Mandate

To close this gap, the industry is shifting toward a “Secure-by-Design” philosophy. This requires cybersecurity to be integrated into the Front-End Engineering Design (FEED) phase. In this model, security is not a separate work package but a core specification, much like electrical or mechanical requirements.

Key stakeholders—including the plant owner, the EPC firm, and the technology vendors—must agree on a security framework (such as the NIST Cybersecurity Framework or the ISA/IEC 62443 series of standards) before a single piece of hardware is purchased. This ensures that the “Crown Jewels”—the most critical control loops and safety instrumented systems—are isolated and protected from the start.

The transition is not without its hurdles. It requires EPC firms to hire or partner with OT security specialists and requires owners to accept that the initial design phase may take longer. However, the alternative is a cycle of constant retrofitting and an ever-increasing risk of operational downtime due to cyber incidents.

The Human Element and the Skill Gap

Beyond the technical architecture, there is a critical shortage of professionals who speak both “ladder logic” (the language of PLCs) and “Python” (the language of modern security). The gap in industrial cybersecurity is as much about people as it is about software. When the person installing the pump doesn’t understand the risk of an open USB port, and the person monitoring the SOC (Security Operations Center) doesn’t understand why a PLC cannot be rebooted for a patch on a Tuesday afternoon, the system fails.


Bridging this gap requires cross-training initiatives where IT security teams spend time on the factory floor and OT engineers are trained in basic cyber hygiene. Only then can the “Secure-by-Design” approach move from a theoretical ideal to a standard operating procedure.

For organizations looking to audit their current capital projects, the CISA Cross-Sector Cybersecurity Performance Goals (CPGs) provide a practical starting point for identifying gaps in industrial environments.

The next major milestone for the industry will be the widespread adoption of Software Bill of Materials (SBOMs) in industrial procurement. As regulatory pressure increases, owners will likely begin requiring vendors to provide a full inventory of software components in every PLC and sensor, making the “blind spot” in the supply chain a thing of the past.

Do you think the responsibility for OT security lies with the EPC firm or the asset owner? Share your thoughts in the comments or join the conversation on our social channels.
