These thoughts are a culmination of witnessing too many large-scale projects where the client has tried to retrofit cybersecurity standards compliance into Industrial Automation and Control Systems (IACS) after the project is commissioned. At that stage, the difficulties in taking safety critical and operational systems offline to reconfigure core elements becomes exceeding difficult and lead to a poor security outcomes for all stakeholders.  My view is that construction bids for major infrastructure projects especially those involving IACS, which frankly almost all of them do, cannot afford to treat cybersecurity as an afterthought.

With a lot of large-scale infrastructure projects, cybersecurity is often mis-scoped, misunderstood, or even ignored entirely during early project phases. The result typically is a costly mess during commissioning, non-compliance with government and industry mandates, and exposure to real-world threats and difficult and expense retro fitting of patchwork solutions. It is not a compliance matter or ticking a box. It is about building cyber resilience into the foundations of the operational system.

And most importantly, if we are serious about safety, functionality, and long-term sustainability, we need to be smarter as an industry about how we scope cybersecurity from day one in the infrastructure projects.

The Problem with “After-the-Fact” Cybersecurity

Too often, cybersecurity is scoped reactively, bolted on after design is finalised, or worse, after build is complete. In projects where Operational Technology (OT) components like Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), and Human Machine Interface (HMI) are central to delivering water, energy, or transport services, this gap is a dangerous practice and downright gamble with security. Key issues we frequently observe include:

  • Cybersecurity not mapped to asset lifecycles and lifestyles — OT assets are designed to operate for decades – the cyber protections must as well.
  • Vendors providing proprietary solutions with unclear security postures — leading to integration blind spots.
  • Confusion between IT and OT roles and responsibilities — especially where enterprise architects attempt to treat control systems like cloud platforms.
  • Delayed threat modelling and risk assessments — missing the windows to design secure-by-default solutions particularly with compliance to standards such as IEC 62443.
  • Limited alignment with regulatory obligations — like the Commonwealth Critical Infrastructure Risk Management Program (CIRMP).

Scoping Cybersecurity: Where the Real Work Begins

So how do we scope cybersecurity properly into these large-scale, often publicly funded construction bids? Here is a practical approach that we have seen work well:

  1. Establish a Cybersecurity Scope Matrix Early

Map out the intended systems, interfaces, and operational environments. Define responsibilities for cybersecurity between key roles and use this to inform security requirements in the Request for Tender (RFT) or Scope of Works and Technical Criteria (SWTC) documentation.

  1. Apply a Control System Security Framework

It is recommended to carefully select and combine frameworks that will give you different lenses: For instance, picking one framework which focusses on control systems specifically, and another on broader cyber hygiene and maturity.  Cyber security frameworks are designed to be tailored to specific scenarios and can be utilised and combined. Some of the well-developed frameworks in this context include:

  • ISA/IEC 62443 — specifically parts 2-1 (security policies), 3-2 (security risk assessment), and 3-3 (system security requirements)
  • ASD’s Principles of OT Cybersecurity and Environments and Working Securely with Defence guidance, where applicable

A word of caution – burdening projects with pages and pages of cyber standards for compliance without a clear intention and purpose leads to confusion and overly detailed compliance matrixes doesn’t add any value from better security posture in my opinion.

  1. Conduct Preliminary Threat and Risk Assessments (PTRA)

Early-stage risk assessments help by identify target security levels (SL-T) for zones and conduits, network segmentation (if using IEC 62443) and other key protections for remote access, account management etc. This can’t wait for post-award. The goal here is to design systems that are secure by design, not secured by later retrofit.

  1. Align Procurement and Commissioning with Security Requirements

Security obligations must flow down through your contracts, for example requiring vendors to deliver security configuration baselines and bill of materials with Software versions allow for adequate asset inventory and configuration states.

Ensuring throughout the design and build that penetration testing, account audits, validation of logging/alerting capability during commissioning, patching regimes, backup/recovery processes and vulnerability management are being considered and deployed. And of course, making sure our colleagues in OEM teams provide documentation and procedures with a cyber security perspective to keep things secure once completed.

What Makes It Hard?

Scoping and embedding cybersecurity into control systems is not easy, especially with large and complex projects where there are many years of planning and multiple parties involved, Some of the common difficulties include:

  • Misunderstanding between cross-disciplinary teams — Mechanical engineers may not fully comprehend the need and complexity of network infrastructure and concepts such as segregation. ICT teams participating in the project may not have the detailed OT expertise and underestimate legacy protocol risks and other IACS specific threat vectors.
  • Unnecessary vendor black-boxing — Some OEMs don’t like to reveal underlying OS, hardcoded accounts, or patch histories and appear to follow security by obscurity philosophies which is a recipe for low (not zero) likelihood but high consequence disasters.
  • Rapid delivery pressures — Project timelines often prioritise tangible and more visible milestones such as physical construction over ‘in the box’ detailed work needed for secure system deployments and configuration leading to some shortcuts undertaken.
  • Cost avoidance — Cybersecurity (like other security aspects) spend doesn’t always show immediate ROI, making it a tough sell to finance teams unless linked to compliance or contractual liability. I am sure everyone is aware of – “We haven’t been breached for years, why are we still paying for cyber security?” quip which sums up the challenge of constantly justifying investment in cybersecurity.

How can we address These Issues?

  • Get Cyber Professionals Involved Early

Engage cybersecurity specialists during bid preparation, not just design. They’ll help translate project requirements into measurable, enforceable cyber controls that stand up under audit.

  • Use a Standard Led Regime

There’s a growing body of work that can help you shortcut bespoke scoping. For example, the IEC 62443 standards are incredibly useful and extensible for applying as part of design lifecycles.

  • Educate the Project Team

Many cyber gaps stem from well-meaning engineers or contract managers who simply aren’t aware of what’s required. Running short, targeted awareness sessions during the early design phases can help refer to guidance such as the ASD Principles of Operational Technology Cyber Security.

Where Anchoram Consulting Comes In

At Anchoram Consulting, we understand that successful cybersecurity integration begins well before the first cable is laid or PLC is commissioned. Our team works across project lifecycles—from bid preparation and requirements scoping through to validation and final audit—to embed cyber resilience where it matters most.

We offer:

  • Cybersecurity Scoping Workshops tailored to IACS and large-scale infrastructure bids.
  • Development of security specifications aligned with industry standards (IEC 62443, including those required for specific agencies within New South Wales, Queensland and Victoria.
  • Gap assessments and control validation during FAT/SAT and commissioning
  • Risk management advisory aligned to CIRMP, CSMS/ISMS and state-specific legislation.
  • Our approach is grounded, practical, and deeply aligned to how infrastructure gets built in Australia.

In the world of large-scale infrastructure, it is a foundational design consideration. Don’t just scope it in—design it in and build it in. Let Anchoram Consulting help you get it right from the start.