Manufacturers are excited about 2026. The latest Sikich Industry Pulse shows that 65 % of respondents feel pressure from rising demand, 56 % are planning new equipment and automation projects, yet only 19 % intend to invest in cybersecurity. This gap exposes a critical vulnerability: as operational technology (OT) becomes the backbone of modern production, security is often treated as an afterthought.
https://www.sikich.com/insight/sikich-industry-pulse/
The most effective way to close that gap isn’t to bolt on technology after a system is installed; it’s to embed security from day one—during the specification phase. When security requirements are written early, they become contractual obligations, guide procurement, and can be validated during Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT).
A security requirement must be achievable, unambiguous, concise, complete, singular, and verifiable. These six attributes mirror solid engineering practice and ensure the requirement can be evaluated objectively. Achievable means the control can meet the security goal. Unambiguous requires precise language rather than a vague idea. Concise keeps the statement short and avoids unnecessary wording. Complete covers the entire security objective. Singular ensures each requirement addresses only one issue. Verifiable defines measurable acceptance criteria. When these qualities are baked into the specifications, vendors cannot claim ambiguity, and testers have a clear checklist for FAT and SAT.
A Request For Proposal (RFP) that merely says “provide a secure system” invites vendors to prioritize deployment over hardening. Instead, embed each security requirement in the RFP’s technical specifications and attach a verification clause that must be satisfied during FAT. This makes security a contractual deliverable and clarifies who is responsible for meeting each requirement.
Testing security after the plant is live is too late; gaps discovered then may require costly retrofits. FAT, performed at the vendor’s facility, verifies that the equipment meets the security requirements in a controlled environment. SAT, conducted after installation, confirms that the security posture holds in the real plant network. Both phases should produce a formal test report signed off by the engineering team, the vendor, and the OT security team.
Specification-level controls are only the first layer. A sustainable security posture also requires a program that addresses people, processes, and technology. Begin by drafting an OT security policy that references the specification requirements, defines roles and responsibilities, and outlines incident-response procedures tailored to your industrial environment. Follow with procedural documentation that provides standard operating procedures for risk management, change management, and equipment obsolescence. Training and exercises are essential; run tabletop drills and live simulations involving engineering, operations, maintenance, and management. Emphasize the “least viable ICS” concept: identify the minimal set of components needed to keep the plant running under duress, and practice operating in local/manual mode if required.
Security is inseparable from resilience. The survey notes that 39 % of manufacturers prioritize operational efficiency; maintaining production during an incident is a direct expression of that efficiency. Implement immutable backups of PLC programs, HMI configurations, and historian databases, storing copies offline in separate physical locations. Incorporate restore drills to verify that fresh devices can be configured from backup. Design control logic to default to a safe state if communication with supervisory layers is lost, document that safe-state behavior in the specification, and test it during FAT. These measures ensure that security investments also enhance the plant’s ability to sustain operations under abnormal operating conditions.
Even with rigorous specifications, the threat landscape continues to evolve. Establish a continuous-improvement loop. Periodically assess whether the security controls performed as expected during normal operation and simulated incidents. Subscribe to OT-focused intelligence feeds and map new indicators of compromise to existing requirements, updating the specification for future projects accordingly.
Adding a dedicated OT governance board strengthens oversight. The board should meet quarterly to review assessments, incidents, tabletop exercises, and training findings, and to approve any deviation from the baseline security requirements. Aligning the board’s charter with corporate risk appetite ensures that security decisions receive executive backing without slowing project timelines.
Embedding robust, testable security requirements during the specification stage transforms security from an afterthought into a contractually enforceable design element. By coupling precise requirements with RFP integration, early validation through FAT and SAT, a dedicated OT security program, and disciplined resilience practices, organizations can protect their automation investments without sacrificing the speed and efficiency that drive today’s competitive edge. The time to act is now. Start drafting those security requirements before the next RFP goes out.
OT Cybersecurity Specification FAQ
1. Why embed OT cybersecurity during the specification stage?
Bolting on security after installation is risky and costly. Embedding it during the RFP stage makes security a contractual obligation that vendors must deliver from day one.
2. What makes a strong OT security requirement?
A solid requirement must be achievable, unambiguous, concise, complete, singular, and verifiable. This removes vendor ambiguity and gives testers a precise checklist.
3. How are OT security requirements validated?
Validation happens in two phases: Factory Acceptance Testing (FAT) at the vendor’s facility, and Site Acceptance Testing (SAT) once the equipment is installed in the live plant network.
4. How does OT security improve overall plant resilience?
Security and resilience go hand in hand. Practices like maintaining immutable, offline backups and programming safe-states directly ensure the plant can sustain or quickly recover operations during a cyber incident.
About the author
