September 22, 2025 Making Cybersecurity a Capital Delivery Imperative

To build resilient, secure infrastructure, cybersecurity must move upstream and become a priority.

By Ian Bramson, vice president, Global Industrial Cybersecurity, Black & Veatch

Capital project teams might nod to cybersecurity in meetings with perhaps a slide or passing acknowledgment that it matters. But that rarely turns into action unless a regulation forces their hand. Cyber is almost never treated like a safety issue, an outdated approach that needs rethinking.

Don’t fool yourself into thinking this can wait. Digitalization is expanding the attack surface, and AI is accelerating both the speed and sophistication of threats. If you can connect it, attackers can too. That reality is pushing the need for a stronger, more resilient foundation.

Ask a capital project team what they prioritize and you’ll hear about cost, schedule and safety. Yet cybersecurity rarely makes the list. Not because it doesn’t matter but because it lacks a clear champion. Everyone assumes someone else is handling it or perhaps they’re simply unaware of cybersecurity in the first place.

Safety officers shape asset design, guide operations and influence compliance because they’re in the room from the start. Why not apply the same model to cybersecurity? Just as consumers expect built-in security controls and “always-on” protections when they buy new phones or laptops — not bolted on software to patch the product later — we should design new infrastructure with cybersecurity baked in.

Understanding the Clean Build

When we talk about building in cybersecurity, let’s distinguish between capability and clean build. Capability is what you install. Clean build is how you ensure it works. Most people focus on capability — things like segmentation, monitoring and access control. A clean build ensures that those capabilities function as intended. It’s the discipline of reducing vulnerabilities introduced during design and construction.

Without that rigor, even the best security tools won’t be enough if the security gear gets left unconfigured, disconnected or ignored. One global energy company I worked with had mandated cybersecurity for every new build and significant modification. But when we asked about clean build enforcement — what controls they used during construction, how they validated systems before handoff — they were left flummoxed. “Oh,” they said. “We hadn’t thought about that.”

They were thinking in terms of tools, not processes—focused on what you build in, rather than how you protect what gets built.

Why It Keeps Happening

Cyber has no natural home in the capital delivery model. Engineers focus on systems, procurement manages supply and finance tracks spending. But risk ownership blurs, so no one takes full responsibility.

Even when cybersecurity professionals join a project, the capital delivery team often doesn’t act on their input because the two sides aren’t speaking the same language. IT experts may understand threats, but they rarely know how to translate those concerns into the structure of a construction schedule or a procurement spec. Meanwhile, capital teams don’t know how or when to surface cyber risk in the conversation.

That realization hit me early in my work with project teams. I understood cybersecurity inside and out but didn’t know how infrastructure gets built. So, I sat down with our operations leads and asked them to walk me through the delivery process.

They started talking about FEL-1 and FEL-2, short for Front-End Loading stages that shape early design and engineering decisions. These were foundational to how they worked, but they meant nothing to me at the time. It felt like I was in a foreign country, trying to follow a conversation without subtitles. We subsequently adapted to that build environment.

That experience showed me that knowing cyber isn’t enough. You must understand how to map it to the rhythm and vocabulary of capital delivery.

Clean builds can reduce integration costs significantly. Retrofits aren’t just more expensive — they’re disruptive. But cyber costs often get misclassified. CapEx teams see them as line items with no corresponding value because the OpEx savings show up later, outside their budget.

Some industries are beginning to close the gap. The rail sector, for example, is already aligning cyber with delivery frameworks. Others remain behind. Water utilities often resource-constrained, making the build-in option much more affordable. For them, a clean build can be a question of survival. Power companies face different obstacles. They talk about NERC CIP but rarely translate it into capital specs. As a result, only a fraction of what matters gets implemented.

We’re working with a broad array of technology partners to help clients close the gap and model how early-stage cyber controls reduce threat exposure, probability curves and recovery costs. We’re also collaborating with insurers to demonstrate how clean builds affect risk premiums. When you frame cybersecurity regarding uptime, impact and asset survivability, it stops being a compliance task and becomes a business advantage.

What Must Change

First, capital committees must include someone who understands OT cybersecurity and can map that knowledge into construction schedules, contractor scopes and investment requests.

Second, cyber needs to fit the build process. Right now, even motivated teams stumble. They skip asset inventories, avoid cyber acceptance testing and assume clean handoffs—because no one told them what “clean” really means.

And finally, stop assuming that the risk belongs to someone else. EPCs, OEMs, suppliers — everyone pushes cybersecurity downstream. But it’s not their name in the headline when something goes wrong. “Guess whose name shows up when it fails?” I tell clients. “Yours.”

The urgency is real. AI-enabled attacks, remote access vulnerabilities and interconnected systems are collapsing response timeframes. You don’t get a second chance to harden the foundation. You either build it securely from the start or you build it twice.

About the Author:
Ian Bramson, Vice President, Global Industrial Cybersecurity – Ian Bramson is vice president of Black & Veatch’s Global Industrial Cybersecurity Practice, responsible for the strategy, commercialization and business growth of all the company’s integrated cybersecurity solutions and capabilities. He’s a highly experienced leader in the fields of cybersecurity, risk management, and digital transformation with a career spanning over 25 years. Ian works closely with top-level executives in critical infrastructure industries to provide innovative solutions that minimize cybersecurity risks. He has successfully built two cybersecurity consulting services over the past decade, both of which were supported by global sales organizations and implemented in multiple industries. Ian is a respected thought leader and market developer in the emerging threat landscape of attacks on industrial operations and critical infrastructure. He holds a bachelor’s degree in Economics and English from Cornell University.

Subscribe to Industry Today