For critical infrastructure, cybersecurity should be an integral part of project planning and design. Rather than retrofitting cyber defenses at the end of a project, the Security by Design approach incorporates cybersecurity measures from the outset. This method ensures that every phase—from initial planning to ongoing operations—accounts for cybersecurity risks and mitigations, creating a resilient infrastructure from the ground up.
Here are six core steps of Security by Design that critical infrastructure owners and operators should consider when building a strong cybersecurity foundation:
Step 1: Planning – Defining Your Cybersecurity Risk Tolerance and Objectives
The Security by Design process begins with defining cybersecurity risk tolerance and objectives; this step is crucial because it sets the scope and standards not just for one project but for all future projects. Organizations should start by meeting the regulations that apply to their sector and region (for example NERC CIP for the North American bulk electric system, AWIA 2018 for US water utilities, or the EU's NIS2 Directive) to establish a compliance baseline. Compliance is a floor, not a target: from there, they can determine additional security measures to address their specific operational needs, vulnerabilities and risk tolerance. By clarifying objectives early, organizations avoid the risks of projects with an undefined scope, which can lead to confusion, inconsistent security measures and unanticipated costs.
Step 2: Preparing – Developing a Cybersecurity Framework
Preparation involves creating policies, standards and architectural blueprints that guide the entire cybersecurity process. This includes adapting frameworks like ISA/IEC 62443 or NIST SP 800-53 to suit the needs of each project, ensuring that policies are both comprehensive and practical. For sectors with limited regulatory requirements, organizations can customize these frameworks based on industry-specific guidelines and standards. Clear cybersecurity policies and standards not only provide internal guidance but also ensure external vendors understand security expectations, contributing to a consistent security posture across each project lifecycle.
Step 3: Organizing – Establishing a Cybersecurity Governance Structure
Cybersecurity requires active collaboration across different teams, particularly in critical infrastructure projects where both industrial control systems (ICS) and IT resources are involved. Establishing an ICS Cybersecurity Governance Committee or similar structure helps coordinate responsibilities, track compliance and respond efficiently to new security requirements. This committee should conduct regular reviews, both scheduled and in response to significant cybersecurity events, such as the discovery of a new vulnerability. A well-organized governance structure ensures that all project stakeholders are aligned on cybersecurity priorities and equipped to adapt to evolving risks.
Step 4: Simplifying – Standardizing Security Configurations
One of the key principles of Security by Design is simplicity, achieved by standardizing configurations for security technologies. By implementing uniform configurations, such as one standard template for network radios or switches, organizations reduce complexity and minimize human error, which is a common source of vulnerabilities. Standardization also streamlines future updates and maintenance and makes security measures easier to manage and audit across systems, since any device that deviates from the template stands out. Critical infrastructure providers benefit from this approach, as it allows them to build their program once with intention rather than repeatedly reconfiguring systems, which can be costly and risky.
Step 5: Engineering – Aligning ICS, Networking, and Cybersecurity
Engineering secure systems requires balancing the needs of ICS operations, networking and cybersecurity in a cohesive design. Cybersecurity experts use collaboration frameworks, such as Responsible, Accountable, Consulted, and Informed (RACI) matrices, to clarify roles and responsibilities among multidisciplinary teams. These frameworks ensure that every aspect of the project is secured without compromising operational functionality. Organizational alignment is especially important for ICS, where a security control can affect the physical process (a blocked connection or an unplanned patch can interrupt production), so security measures need to account for both physical and digital risks. By fostering strong collaboration, organizations create a resilient infrastructure that supports secure operations and reliable system performance.
Step 6: Commissioning – Incorporating Cybersecurity into Acceptance Testing
The commissioning phase provides a critical opportunity to validate cybersecurity measures before the project goes live. Cybersecurity acceptance testing (CAT) should be an integral part of commissioning, although it is often overlooked. By including cybersecurity in factory acceptance testing (FAT), before equipment leaves the vendor, and in site acceptance testing (SAT), once it is installed, organizations can catch discrepancies between written security policies and practical implementation. Common issues, such as configuration gaps or unaddressed vulnerabilities, can be identified and corrected at this stage, ensuring that the security measures in place meet the project’s cybersecurity goals.
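The audit that Step 4's standardized configuration makes possible, and that Step 6's acceptance testing would run, can be expressed as code. The following is an added example written for this article, not code from the original page or from any vendor: a golden-template check that reports where a switch configuration deviates from the standard and gates site acceptance on a clean result. The configuration format is a constructed, vendor-neutral line-oriented style resembling common switch CLIs; the rule set, device names and addresses are hypothetical placeholders for an organization's own standard, and the sample configurations are constructed for the demonstration.

```python
"""Baseline-compliance audit of switch configurations.

Added example, not from the original article. The config format is a
constructed, vendor-neutral line-oriented style resembling common switch
CLIs ('!' starts a comment). Device names, addresses and the rule set are
hypothetical and would be replaced by the organization's own standard.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    rule: str      # short rule identifier
    detail: str    # the required line that is missing, or the forbidden line found


# The standardized configuration (Step 4): lines every switch must carry ...
REQUIRED_LINES = (
    "service password-encryption",   # hypothetical: no cleartext secrets in config
    "aaa new-model",                 # central authentication instead of local users
    "logging host 10.0.0.5",         # hypothetical central syslog collector
    "ntp server 10.0.0.6",           # hypothetical NTP source so logs line up
    "transport input ssh",           # management only over SSH
)

# ... and line prefixes that must never appear (plaintext or legacy services).
FORBIDDEN_PREFIXES = (
    "ip http server",                # unencrypted web management
    "transport input telnet",        # cleartext management sessions
    "snmp-server community",         # SNMPv1/v2c community strings
)


def normalize(config_text: str) -> list[str]:
    """Drop comments and blank lines, collapse whitespace, lower-case for comparison."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(" ".join(line.lower().split()))
    return lines


def audit(device: str, config_text: str) -> list[Finding]:
    """Compare one device's config against the baseline and return every deviation."""
    lines = normalize(config_text)
    present = set(lines)
    findings: list[Finding] = []
    for required in REQUIRED_LINES:
        if required not in present:
            findings.append(Finding(device, "missing-required", required))
    for line in lines:
        for prefix in FORBIDDEN_PREFIXES:
            if line.startswith(prefix):
                findings.append(Finding(device, "forbidden-present", line))
    return findings


def acceptance_test(configs: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Step 6 gate: the site passes only if every device has zero findings."""
    all_findings: list[Finding] = []
    for device, text in sorted(configs.items()):
        all_findings.extend(audit(device, text))
    return (not all_findings), all_findings


# Constructed sample configs: one built from the template, one that drifted.
SAMPLE_CONFIGS = {
    "sw-plant-01": """
! plant floor access switch, built from the standard template
service password-encryption
aaa new-model
logging host 10.0.0.5
ntp server 10.0.0.6
line vty 0 4
 transport input ssh
""",
    "sw-plant-02": """
! commissioned by a contractor without the template
no service password-encryption
ip http server
snmp-server community public RO
ntp server 10.0.0.6
line vty 0 4
 transport input telnet ssh
""",
}

if __name__ == "__main__":
    passed, findings = acceptance_test(SAMPLE_CONFIGS)
    for f in findings:
        print(f"{f.device}: {f.rule}: {f.detail}")
    print("ACCEPTANCE PASSED" if passed else "ACCEPTANCE FAILED")
```

Running the block prints one line per deviation (the drifted switch produces seven: four required lines absent and three forbidden services present) and an overall fail. In practice the same rules would be applied to configurations exported from the devices under test during FAT and SAT, and the required and forbidden lists would be maintained alongside the written standard so that the test and the policy cannot drift apart.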