In industrial new construction and major modernization, OT cybersecurity risk is often framed as a technology problem. But the data shows something else: it’s a coordination and accountability problem across EPCs, asset owners and operators. And it surfaces early, when capital decisions lock in architecture and integration patterns.
A global survey of 451 industrial cybersecurity leaders, led by Black & Veatch and TakePoint Research, “Secure by Design: A Market-Informed Guide to Cybersecurity for New Critical Infrastructure”, found strong alignment on the “why,” but weak follow-through on the “how.” Respondents overwhelmingly associate early OT cybersecurity adoption with operational outcomes: 95% link early adoption to improved safety and operational resilience and 78% link it to reduced downtime and disruption. Yet 72% report OT cybersecurity is introduced late or not at all in industrial projects. That’s the core contradiction and it’s driven by structural gaps in how projects are governed, contracted and handed over.
The first fault line is the classic build-versus-run misalignment. Project delivery teams are typically measured on schedule and budget, while operators inherit the system’s long-term risk profile after commissioning. When OT cybersecurity isn’t embedded into early gates, it competes poorly against visible milestones, despite the fact that cyber incidents can disrupt operations as quickly as physical failures. This matters because industrial projects lock in critical cyber-determining decisions in concept and pre-FEED: connectivity assumptions, trust boundaries, remote access models, integration patterns across control/safety/enterprise systems and segmentation feasibility. Once those decisions are set, OT cybersecurity becomes a retrofit effort—more expensive and more disruptive—rather than an engineered outcome. What operators experience: late-stage security often arrives as “rework”—changes to architecture, access and testing after designs are frozen and vendors selected, adding friction during commissioning and increasing operational risk.
The second fault line is fragmented ownership. Survey respondents report OT cybersecurity responsibility during design/build spread across multiple parties: EPCs (29%), asset owner IT/corporate security (28%), asset owner OT engineering (22%) and procurement (7%). Only 4% report shared responsibility and 10% report no clear owner at all. This fragmentation drives predictable outcomes:
Requirements fall between teams, so they don’t show up consistently in basis-of-design documents, project execution plans or procurement packages.
“Security” becomes assumed rather than specified until it becomes a late-stage negotiation.
Operators inherit gaps in documentation, monitoring baselines and operational workflows (access management, patching, incident response, etc.).
It’s no surprise, then, that 68% of respondents cite unclear ownership as a core breakdown.
A third gap shows up at the contract boundary. Only 8% of respondents describe EPC/asset owner alignment on OT cybersecurity as very strong, while 57% describe it as poor or nonexistent. This is why “EPC resistance” is often structural rather than adversarial. When cybersecurity expectations are unclear at bid stage, or introduced after design decisions are locked, EPCs experience security requirements as scope change rather than baseline deliverables. Conversely, when cybersecurity is embedded early into specifications, contracts and acceptance criteria, resistance tends to decline because scope is clear and measurable. Procurement is an underused lever here. The survey shows 68% want contract/specification templates to support early integration and 76% prioritize embedding cybersecurity directly into specifications and contracts. That demand signals a practical truth: organizations don’t just need standards—they need enforceable delivery elements.
Bridging EPC–owner–operator gaps requires moving from intent to execution. The market guide outlines what “secure by design” looks like across the project lifecycle, including early-stage deliverables that prevent late surprises:
Concept & feasibility: initial cyber risk framing aligned to business and safety objectives; first-pass zone/conduit intent; early decision on remote access model and trust boundaries.
Pre-FEED: security requirements embedded in basis of design; defined cyber scope in the execution plan; draft cyber acceptance criteria for factory acceptance test (FAT) and site acceptance test (SAT); draft responsibility model across asset owner, EPC, OEMs and integrators.
FEED: detailed security architecture engineering can implement; cybersecurity clauses and evidence requirements in EPC/vendor specs; defined logging/monitoring baseline plan; identity and privileged access requirements.
A key enabler is a cross-functional secure-by-design lead, not purely technical, but responsible for aligning decision-makers, translating standards into executable requirements, enforcing accountability and ensuring evidence is validated through FAT/SAT and readiness gates.
Capital projects or CAPEX are planned investments to create, expand or modernize long-lived assets-facilities, infrastructure and other capital assets that operators will rely on for years. That includes a new building, major renovation and construction projects such as substations, water treatment upgrades, pipeline expansions or a new operations center. Across delivery models, the pattern is the same: early capital decisions lock in architecture, interfaces and access pathways. If OT cybersecurity is treated as a late add-on instead of an engineered deliverable, the project bakes in risk that is expensive to unwind after design freezes and commissioning pressure rises, leaving operators to manage exposures embedded into the asset’s long-term performance profile. Security by design implementations allow assets-facilities to go live with defensible architecture, workable operating procedures and reduced long-term risk.
In OT environments, cybersecurity gaps between EPCs, asset owners and operators don’t just create paperwork issues, they create inherited risk. When responsibilities are unclear and requirements aren’t embedded early, cybersecurity becomes a late-stage retrofit that increases cost, disrupts delivery and leaves operators accountable for exposures they didn’t design. Black & Veatch’s industrial cybersecurity team helps organizations close this gap by operationalizing secure-by-design across the capital lifecycle, aligning owners, EPCs, procurement and operators around clear accountability, embedding cybersecurity into specifications and contracts and validating requirements through FAT/SAT and commissioning readiness so assets go live with defensible architecture, workable operating procedures and reduced long-term risk.
