New data from Black & Veatch-Takepoint Research finds a persistent execution gap in how cybersecurity is integrated into industrial infrastructure, with 72% of organizations introducing cybersecurity late in capital projects or not at all, despite widespread recognition of its importance. The findings, based on more than 450 global respondents, highlight that cybersecurity is still treated as a downstream consideration, often resulting in costly retrofits and increased operational risk once systems are live. While 95% of respondents associate early cybersecurity adoption with improved safety and resilience, only 24% report that it is consistently included during early design and build stages, pointing to structural, rather than awareness-driven, challenges.
Titled ‘Secure by design: A Market-Informed Guide to Cybersecurity for new Critical Infrastructure,’ the report argues that cybersecurity is too critical to be treated as an afterthought in infrastructure design, yet organizations still delay it until after deployment, increasing both cost and risk; a cyber incident can disrupt operations as severely as a physical failure.
The Black & Veatch-Takepoint Research report examines why this gap persists and what can be done to address it. Drawing on 451 survey responses from organizations worldwide across multiple industrial sectors, the market-informed guide analyzes the forces behind the trend and outlines how organizations can embed secure-by-design practices throughout the industrial project lifecycle.
It also underscores that decisions made during the earliest project phases, particularly the pre-FEED (before front-end engineering design) and design stages, largely determine long-term cybersecurity outcomes. Early integration is strongly linked to operational benefits, with 78% of respondents connecting it to reduced downtime and disruption, and 61% associating it with lower lifecycle costs.
However, competing project incentives, fragmented ownership, and governance misalignment continue to delay adoption, with 68% citing unclear accountability and 57% pointing to poor alignment between asset owners and engineering contractors. This disconnect often leaves operational teams to inherit long-term cyber risk after commissioning, reinforcing a cycle of reactive security.
‘Secure by design’ emphasizes that the most consequential cybersecurity decisions are made at the beginning of a project, when OT systems and industrial control system architecture, network connectivity and accountability are defined. Once detailed design and construction are underway, opportunities to meaningfully influence security narrow significantly, often forcing organizations into costly and disruptive retrofits after commissioning.
“Cybersecurity cannot be an afterthought; it must be embedded early into capital requirements and procurement decisions,” Charlie Sanchez, president of Infrastructure Advisory for Black & Veatch, said in a Tuesday media statement. “If it isn’t defined in the project scope, it won’t be delivered. Cybersecurity is a critical factor affecting public safety, economic stability and national resilience.”
The data suggests organizations understand the value of early cybersecurity but still fail to operationalize it. Addressing where, specifically, accountability breaks down across the project lifecycle, and who ultimately needs to own cyber risk before assets are commissioned, Ian Bramson, vice president – global industrial cybersecurity at Black & Veatch, told Industrial Cyber that cybersecurity is a shared responsibility throughout the engineering and construction process.
“This is what makes it so difficult to identify a single point of failure,” Bramson added. “From asset owners to EPCs and OEMs, everyone needs to play their role. Cyber begins and ends with the asset owner, who needs to include it from capital planning and requirements setting, and who ultimately will be the one accepting the commissioned asset. However, each organization involved in engineering and constructing stages needs to know its role and play its part.”
Across the research, the core issue was not a lack of controls or frameworks but the fragmentation of ownership across the lifecycle, Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “Asset owners, engineering firms, and operators are each acting within their own scope, but there is limited continuity of security decisions from design through to operations. Most organizations do not have a control problem. They have an ownership problem across the lifecycle.”
In practice, a more aligned model starts with asset owners defining enforceable security requirements upfront, embedding them into engineering specifications, and carrying them through procurement and delivery without dilution. The critical shift is removing what we call the ‘handover reset,’ where responsibility effectively restarts once systems become operational.
Recognizing that alignment is not something that can be fixed in operations, Gordon said that it has to be established during design, where requirements, architecture, and trade-offs are actually defined. “Control continuity is equally important. The controls defined during capital projects must be the same ones that are implemented, monitored, and validated in production environments. It is not alignment if controls are redesigned or abandoned at handover. That is where risk is reintroduced.”
Organizations rarely define clear ownership of cybersecurity during projects. Survey data shows responsibility distributed across EPCs (engineering, procurement and construction firms) at 29%, asset owner IT at 28%, asset owner OT engineering at 22% and procurement at 7%. Only 4% report shared responsibility, while 10% report no clear owner at all.
The Black & Veatch-Takepoint Research report identifies that the primary challenge with secure by design is not agreement on its value, but execution. “Across industrial organizations, leaders widely recognize early cybersecurity as a risk and cost reducer, yet it’s often applied inconsistently across capital projects. The reasons are structural and embedded in how organizations govern projects, divide responsibilities and experience risk, cost and accountability during delivery. These barriers are structural rather than technical and explain why secure by design remains difficult to operationalize despite broad agreement on its value.”
‘Secure by design’ is widely endorsed but rarely enforced. Bramson looks at the concrete mechanisms (contractual, financial or regulatory) required to make early cybersecurity integration non-negotiable rather than optional in capital projects.
“‘Secure by design’ needs to be reinforced at every phase of design, engineering and construction,” Bramson said. “It starts with making it an important part of the capital planning committee and the core requirements documents. This sets the direction, expectations and scope for cybersecurity. However, it does not stop there. It also should be part of key steps, including supplier selection, specifications, architecture reviews, acceptance testing and commissioning testing. Baking cybersecurity into the core processes and phases of design, engineering and construction turns it into a natural component of building a safe and resilient asset.”
At the same time, the research highlights growing external and internal pressure to shift cybersecurity earlier in the project lifecycle. 83% of respondents cite regulation as a primary driver for earlier integration, while 76% identify a clear business case as the strongest incentive for adoption. The report is clear, however, that compliance does not equal security: many regulations are still in early phases, have not kept pace with the actual threat environment, and do not enforce comprehensive security outcomes. Organizations that rely on compliance as their primary driver are setting a floor, not a ceiling.
Instead, the Black & Veatch-Takepoint Research report emphasizes a ‘secure by design’ approach, where cybersecurity is embedded into architecture, procurement, and testing from the outset, enabling organizations to reduce long-term risk, avoid operational disruption, and improve resilience across increasingly connected and complex industrial environments.
With only 24% of respondents reporting that cybersecurity is always or often included early in industrial projects, secure-by-design endures only when organizations embed it into capital governance, project gates, procurement elements, and factory and site acceptance testing (FAT and SAT). Greater integration of cybersecurity into core engineering and construction processes consistently correlates with higher asset resilience. Developing a clear cyber plan is essential to success. It’s important to show the business case for cyber, as 76% of respondents identify a demonstrated business case as the strongest incentive for adoption. Secure by design delivers value when cybersecurity is evaluated across the full asset lifecycle.
Additionally, survey findings link early integration to improved safety, reduced downtime and lower long-term cost. Companies need to incorporate total cost of ownership analysis as well as use cyber risk quantification (CRQ) analyses to bolster the business case for cybersecurity in construction.
Operators experience risk continuously over the asset lifecycle. Their priorities center on uptime, safety and predictable change. This explains why survey respondents strongly associate early cybersecurity with operational outcomes. Reduced downtime and operational risk are cited by 78%, while improved safety and resilience are cited by 94%. From an operational perspective, secure by design is valuable when it delivers clear network boundaries, known access paths, enforced privileged sessions and reliable handover documentation that simplify day-two operations.
The Black & Veatch-Takepoint Research report noted that procurement plays a decisive but underused role. When cybersecurity requirements are embedded into bid criteria, contracts and supplier deliverables, they become enforceable rather than aspirational. Survey data shows that 68% of respondents want contract and specification templates to support early integration, and 76% prioritize embedding cybersecurity directly into specifications and contracts. Without this, the lowest-cost bids often exclude the security scope that was never defined.
Gordon said that working through the Black & Veatch-Takepoint Research data and interviews reinforced something easy to state but harder to act on – cybersecurity risk in capital infrastructure is largely determined before an asset is operational. “By the time systems are deployed, the ability to make meaningful changes is constrained by uptime, safety, and cost pressures. The most consequential cybersecurity decisions are being made during design and procurement, often without security being meaningfully embedded in those processes.”
He added that what also stood out was that operational teams are inheriting environments they did not design, with limited ability to remediate structural issues without significant disruption.
“Operational teams are being asked to manage risk they did not create and often cannot fully control. The organizations making the most progress are not necessarily those with the most advanced tools. They are those that maintain continuity of security requirements from design through to operations, and that treat secure by design as a governance and accountability issue, not just a technical one. Confidence at the program level does not always translate into consistency at the asset level.”
The Black & Veatch-Takepoint Research report identified that secure by design gains traction when cybersecurity is framed in terms that align with stakeholder incentives rather than abstract risk language. Different functions respond to different drivers, and uniform messaging often creates resistance even when objectives are shared. Secure by design rarely succeeds when organizations treat it as a security-only initiative. Early alignment across engineering, operations, IT, procurement and risk functions is required to prevent assumptions from hardening into architectural and contractual constraints.
The Black & Veatch-Takepoint Research report outlines a phased roadmap grounded in how industrial organizations actually implement change. It emphasizes that authority and accountability must be established first, followed by practical execution, integration into active projects, and eventual institutionalization across the portfolio. Survey findings show that efforts consistently fall short when ownership, tooling, and measurement are introduced too late to influence outcomes.
The roadmap is designed to move secure-by-design from intent to repeatable execution across capital programs, with each phase building on the previous one to reduce reliance on individual effort and improve resilience to delivery pressure, organizational shifts, and leadership turnover.
It stresses that alignment must come before tooling, with clear authority, ownership, and escalation paths embedded within capital governance. Standards must then be translated into actionable deliverables that engineering and procurement teams can consistently apply, before being integrated in stages across projects to enable controlled scaling. Ultimately, embedding these requirements into governance and project gates is critical to ensure long-term durability and prevent regression.