5 best practices for managing cyber risk through capital planning


Industrial cybersecurity risk management is often treated as a controls problem: which tools to deploy, which dashboards to monitor, which policies to enforce. But in critical infrastructure environments, cyber risk is largely determined long before operations begin, by the capital and design decisions made early in a project’s lifecycle.

Based on market‑informed survey data and real‑world project experience, the following best practices outline how organizations can reduce long‑term cyber risk by addressing it where it is most effectively shaped: during capital planning and early design.

Best practice 1: Treat cyber risk management as a design input, not a retrofit activity

In new construction and major modernization projects, the most consequential cybersecurity outcomes are shaped by:

  • System architecture

  • Connectivity and integration patterns

  • Trust boundaries across control, safety and enterprise systems

These decisions are typically locked in during concept development and pre‑FEED (the phase preceding front‑end engineering design). Once those stages pass, cybersecurity risk management shifts from a design input to a retrofit effort, increasing cost, complexity and operational disruption.

What this means in practice:

  • Cybersecurity risk management requirements should inform architecture decisions, not react to them

  • “Adding security later” often treats symptoms rather than the root exposure created by the architecture

Want to see how most organizations handle this stage?

“Secure by Design: A Market-Informed Guide to Cybersecurity for New Critical Infrastructure” benchmarks when cybersecurity is typically introduced in capital projects and where late engagement creates long‑term operational exposure.

Best practice 2: Focus cybersecurity risk management on the concept–pre‑FEED window

Industrial projects follow a predictable lifecycle, and the window in which cyber risk can be most effectively reduced is narrow. By the end of pre‑FEED, teams have typically locked in:

  • System boundaries

  • Data flows and network strategy

  • Integration patterns between OT, IT and cloud environments

Because OT systems are long‑lived and tightly coupled to physical processes, these choices are difficult, and sometimes impossible, to reverse once assets are operational.

Best‑in‑class organizations:

  • Explicitly define cybersecurity objectives during concept development

  • Validate segmentation feasibility and trust boundaries before design freeze

Best practice 3: Avoid relying on IT controls to compensate for design decisions

In OT environments, cybersecurity is inseparable from engineering design. Modern control systems often include:

  • Embedded operating systems

  • Remote management interfaces

  • APIs and default enterprise or cloud connectivity

These features expand the attack surface whether or not the project intends to use them. When cybersecurity is addressed late, teams rely on compensating IT controls to manage exposure created upstream. Retrofitting segmentation or tightening access post‑commissioning often requires outages, revalidation and complex coordination, increasing cost and leaving the exposure in place until the retrofit is complete.

Best‑practice organizations:

  • Design cybersecure architecture first; use controls to reinforce it, not replace it

Best practice 4: Establish clear ownership for early cybersecurity requirements

Early integration often fails because accountability is fragmented. Survey respondents reported responsibility spread across:

  • EPCs (29%)

  • Asset owner IT / corporate security (28%)

  • Asset owner OT engineering (22%)

  • Procurement (7%)

Only 4% report shared responsibility, while 10% report no clear owner at all. Without clear ownership, cybersecurity requirements are inconsistently applied or omitted entirely from basis‑of‑design documents, procurement criteria and acceptance testing plans.

Best‑practice organizations:

  • Assign explicit ownership for cybersecurity during capital planning

  • Embed requirements into contracts, specifications and acceptance criteria

Best practice 5: Take the cybersecurity business case to the capital committee

Nearly half of respondents (49%) have never compared the cost of early cybersecurity integration with the cost of retrofitting later. When this tradeoff is not quantified, organizations tend to optimize for initial project cost, unintentionally accepting higher lifecycle exposure.

The survey shows what drives adoption:

  • 76% identify a demonstrated business case as the strongest incentive for early integration

That business case is not about tools. It is about lifecycle outcomes: fewer emergency engineering cycles, smoother commissioning, reduced downtime exposure and lower long‑term operational risk.

Bottom line for cyber risk management

In industrial environments, cyber risk is not something organizations patch in after the fact. It is designed in or designed out through capital decisions made early in the project lifecycle.

Black & Veatch’s industrial cybersecurity team helps organizations integrate cybersecurity early into project planning, engineering governance and capital execution, where those risk‑shaping decisions are made. By aligning cybersecurity with architecture, delivery constraints and long‑term operational realities, we help asset owners develop systems that are more resilient, operable and defensible over their full lifecycle, reducing downstream risk, rework and disruption before assets ever go live.

The Secure by Design in Industrial Projects guide translates these best practices into execution frameworks, checklists and survey‑backed insights for capital project teams.

Download the guide to support early cybersecurity integration in your next project.
