Cyber‑Resilient Infrastructure Starts With Early, Strategy-Driven Design

As adversaries increasingly attack the operational technology (OT) and industrial control systems and networks that keep power flowing, water running and industrial processes moving, a large majority of industrial capital projects still introduce cybersecurity too late in the development process, or not at all, according to a new global Cybersecurity Report from Black & Veatch and Takepoint Research. ‘

Secure by Design: A Market-Informed Guide to Cybersecurity for New Critical Infrastructure reveals a persistent gap in execution: while organizations recognize the value of early cybersecurity, 72% of respondents say cybersecurity enters industrial capital projects late or not at all. The report shares insights from more than 450 owners, critical infrastructure operators, engineering leaders, and engineering, procurement and construction (EPC) stakeholders worldwide.

“Cybersecurity cannot be an afterthought; it must be embedded early into capital requirements and procurement decisions,” said Charlie Sanchez, president of Infrastructure Advisory for Black & Veatch. “If it isn’t defined in the project scope, it won’t be delivered. Cybersecurity is a critical factor affecting public safety, economic stability and national resilience.”

'Secure by design’ emphasizes that the most consequential cybersecurity decisions are made at the beginning of a project, when OT systems and industrial control system architecture, network connectivity and accountability are defined. Once detailed design and construction are underway, opportunities to meaningfully influence security narrow significantly, often forcing organizations into costly and disruptive retrofits after commissioning.

“Security must be validated at every phase, from early OT system and industrial control design through acceptance testing and handover. As regulations evolve, compliance alone is no longer enough,” said Ian Bramson, vice president of Global Industrial Cybersecurity at Black & Veatch. “It establishes a baseline, but it does not ensure defensibility when design decisions are scrutinized after an incident. Leaders must move beyond minimum standards and design for durable, long‑term resilience.”

Additional key insights from the report include:

• Respondents agree early cybersecurity reduces risk: 78% link early cybersecurity adoption to reduced downtime and operational disruption across connected OT systems and networks;
• Forty-three percent of respondents cite lack of expertise as a barrier and 77% shared moderate to significant external support would help them start earlier, indicating the importance of having the right people involved throughout the process;
• Cybersecurity plans are needed, but often missing — only 24% of respondents report that cybersecurity is always or often included early in industrial projects;
• Three-quarters of respondents identify a demonstrated business case as the strongest incentive for adoption.

To access ‘Secure by design’ in industrial projects: A market-informed guide to building cybersecurity into new construction of critical infrastructure, visit bv.com/resources/cybersecurity-report.

About Black & Veatch

Black & Veatch is a 100-percent employee-owned global engineering, procurement, consulting and construction company with a more than 100-year track record of innovation in human critical infrastructure. Since 1915, we have helped our clients improve the lives of people around the world by addressing the resilience and reliability of our most important infrastructure and energy assets. Learn more about us at the Black & Veatch newsroom and follow us on LinkedIn, Facebook and Instagram.