Key Takeaways
- Expertise Gap: 43 % of respondents cite a lack of cybersecurity expertise as the main barrier to early implementation, while 77 % say moderate‑to‑significant external support would enable them to start sooner.
- Low Early Adoption: Only 24 % report that cybersecurity considerations are “always or often” incorporated at the outset of industrial projects.
- Business Case Drives Action: Approximately three‑quarters of respondents identify a clear, demonstrated business case as the strongest incentive for adopting early cybersecurity measures.
- Leadership Insight: Industry leaders stress that cybersecurity must be embedded in project scope, procurement, and capital planning; otherwise it will not be delivered and will leave critical infrastructure exposed.
- Misaligned Incentives: Because project teams are rewarded for on‑time, on‑budget delivery while operational teams inherit long‑term risk, “build and run” costs are split, discouraging early security spend.
- Governance Shortfall: Current governance models fail to reward controls whose risk‑reduction benefits appear only after commissioning, leading to inconsistent early implementation.
- Expanding Attack Surface: Modern OT environments now routinely include web interfaces, remote management, embedded OSes, APIs, and cloud connectivity—features that enlarge the cyber‑attack surface regardless of intent.
- Legacy and Supply‑Chain Risks: Reliance on outdated systems, complex supply chains, and growing ransomware threats amplify potential impacts, including disruption of electricity, water, and other essential services.
- Phase‑Level Validation Needed: Security must be validated at every lifecycle stage—from design and acceptance testing to handover—to ensure defensibility beyond basic compliance.
Cybersecurity Expertise and External Support
Close to half of the surveyed organisations (43 %) identify a shortage of internal cybersecurity expertise as the primary obstacle to embedding security early in industrial projects. This gap is compounded by the belief that external assistance could markedly improve readiness: 77 % of respondents indicate that moderate to significant support from outside specialists would allow them to initiate cybersecurity activities earlier in the project lifecycle. The data suggest that building in‑house capability alone is insufficient; leveraging third‑party knowledge is seen as a practical shortcut to overcoming skill deficits and accelerating secure design.
Current State of Early Cybersecurity Integration
Despite widespread recognition of its importance, cybersecurity is rarely a front‑line consideration. Only 24 % of participants say that security is “always or often” included at the outset of industrial initiatives. The low figure highlights a systemic tendency to treat cybersecurity as an afterthought rather than a foundational requirement. Consequently, many projects proceed with designs that later demand costly retrofits or expose assets to avoidable risk during operation.
The Role of a Demonstrated Business Case
When asked what would most effectively drive early adoption, roughly three‑quarters of respondents pointed to a clear, quantified business case. Demonstrating how early cybersecurity investment reduces long‑term operational costs, avoids downtime, or protects reputation appears to outweigh vague compliance motivations. A concrete ROI narrative—showing reduced incident probability, lower insurance premiums, or preserved service continuity—seems essential to secure budgetary approval and stakeholder buy‑in.
Leadership Perspectives on Embedding Security
Charlie Sanchez, President of Infrastructure Advisory for Black & Veatch, warns that cybersecurity cannot be deferred: “If it isn’t defined in the project scope, it won’t be delivered.” He links early security to public safety, economic stability, and national resilience, urging organisations to treat it as a non‑negotiable component of capital planning. Similarly, Ian Bramson, Vice‑President of Global Industrial Cybersecurity at Black & Veatch, insists that security must be validated at every phase—from OT system design through acceptance testing and handover—because compliance alone does not guarantee defensibility when designs are later scrutinised after an incident.
Why Cybersecurity Gets Deprioritised
The report attributes the frequent deprioritisation of early cybersecurity to competing visible milestones. Project teams are typically measured and rewarded for delivering on time and on budget, while the benefits of security controls—such as reduced long‑term risk—materialise only during the asset’s operational life. Moreover, “build and run” costs are often split between distinct organisational units: the project team handles upfront construction, whereas the operations team inherits ongoing exposure. This misalignment creates a disincentive to invest in security whose value is not immediately apparent to those controlling the budget.
Governance Models Lacking Proper Incentives
Current governance structures frequently fail to reward controls whose risk‑reduction impact emerges post‑commissioning. Because the payoff of early cybersecurity is realised over years of operation, traditional performance metrics do not capture its value, leading to inconsistent implementation. The report argues that redesigning incentive systems—such as linking a portion of project bonuses to long‑term risk metrics or incorporating security milestones into stage‑gate reviews—could align short‑term project goals with enduring resilience outcomes.
The Expanding Attack Surface in Modern OT
Contemporary operational technology environments are far more connected than their legacy predecessors. Control platforms and field devices now routinely feature web interfaces, remote management capabilities, embedded operating systems, application programming interfaces, and default services enabled for maintenance. These components create extensive connectivity across operational data historians, execution systems, cloud analytics, and vendor networks—capabilities that have become a baseline expectation across industries. Regardless of an organisation’s intention to be “conservative,” such default configurations and integration requirements inevitably enlarge the cyber‑attack surface, exposing systems to threats that were once considered peripheral.
Digital Transformation, IoT, and Heightened Risk
Deloitte’s analysis of the power and utility sector echoes these concerns: while the integration of digital technologies and IoT has improved efficiency and control, it has simultaneously broadened the attack surface by linking OT services more tightly to IT infrastructure. Compromised IT systems frequently serve as stepping stones for attackers to gain access to OT/Industrial Control Systems (ICS) networks. The sector’s reliance on legacy equipment—often not designed with security in mind—further exacerbates vulnerability. Additionally, complex supply chains present exploitable entry points, and the rising prevalence of ransomware threatens to disrupt critical services such as electricity distribution and water management, with potentially severe societal and economic consequences.
The Need for Phase‑Level Security Validation
To counter these risks, leaders advocate validating security at every stage of the asset lifecycle. This includes examining OT system design, conducting rigorous acceptance testing, and verifying controls during handover to operations. Such continuous assurance ensures that security is not merely a checklist item but a durable property of the system, capable of withstanding evolving threats and post‑incident scrutiny. By moving beyond minimum compliance standards and designing for long‑term resilience, organisations can better protect essential services, maintain public trust, and uphold national security imperatives in an increasingly interconnected industrial landscape.
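As an added example (not from the report or from Black & Veatch) of how the phase‑level validation above and the entry points listed under the expanding attack surface can be turned into a repeatable stage‑gate check: a small Python script that scores a constructed OT asset inventory against controls due by design, acceptance testing or handover. The asset fields, the control rules and the phase assignments are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PHASES = ["design", "acceptance", "handover"]   # lifecycle stages named in the text


@dataclass
class OTAsset:
    """One control platform or field device (constructed sample schema, an assumption)."""
    name: str
    phase: str                      # stage the asset is currently being gated at
    web_interface: bool = False
    web_tls: bool = False
    remote_management: bool = False
    remote_mgmt_mfa: bool = False
    api_enabled: bool = False
    api_auth: bool = False
    default_services: list = field(default_factory=list)  # maintenance services left on
    vendor_network_link: bool = False
    vendor_link_brokered: bool = False  # vendor reaches OT only via a monitored jump host


# (control name, phase by which it must hold, predicate that returns True when satisfied)
CHECKS = [
    ("web interface served over TLS", "design",
     lambda a: not a.web_interface or a.web_tls),
    ("remote management requires MFA", "acceptance",
     lambda a: not a.remote_management or a.remote_mgmt_mfa),
    ("API requires authentication", "acceptance",
     lambda a: not a.api_enabled or a.api_auth),
    ("default maintenance services disabled", "handover",
     lambda a: not a.default_services),
    ("vendor network link brokered via jump host", "handover",
     lambda a: not a.vendor_network_link or a.vendor_link_brokered),
]


def gate_findings(asset: OTAsset) -> list:
    """Controls that are due at or before the asset's current phase but are not met."""
    due = PHASES[: PHASES.index(asset.phase) + 1]
    return [name for name, phase, ok in CHECKS if phase in due and not ok(asset)]


def exposed_surface(asset: OTAsset) -> int:
    """Number of reachable entry points, counted whether or not each one is secured."""
    return sum([asset.web_interface, asset.remote_management, asset.api_enabled,
                bool(asset.default_services), asset.vendor_network_link])


def passes_gate(asset: OTAsset) -> bool:
    return not gate_findings(asset)


# Constructed sample inventory, not taken from any real site.
SAMPLE_ASSETS = [
    OTAsset("PLC-01", "handover", web_interface=True, web_tls=True,
            remote_management=True, remote_mgmt_mfa=False, default_services=["telnet", "ftp"]),
    OTAsset("HISTORIAN-01", "design", web_interface=True, web_tls=False, api_enabled=True),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name} [{a.phase}] surface={exposed_surface(a)} "
              f"gate={'PASS' if passes_gate(a) else 'FAIL'} {gate_findings(a)}")
```

The historian only fails its design‑phase check at this point; the acceptance and handover controls become due as it moves through later gates.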