Only 19% of manufacturers plan to invest in cybersecurity despite 56% planning new automation projects in 2026, according to the Sikich Industry Pulse survey. IIoT World covers OT cybersecurity strategy through practitioner articles, case studies, and expert panels — including sessions on embedding security requirements at the specification stage before automation procurement begins.
https://www.sikich.com/insight/sikich-industry-pulse/
The most effective way to close that gap isn’t to bolt on technology after a system is installed; it’s to embed security from day one—during the specification phase. When security requirements are written early, they become contractual obligations, guide procurement, and can be validated during Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT).
A security requirement must be achievable, unambiguous, concise, complete, singular, and verifiable. These six attributes mirror solid engineering practice and ensure the requirement can be evaluated objectively. Achievable means the control can meet the security goal. Unambiguous requires precise language rather than a vague idea. Concise keeps the statement short and avoids unnecessary wording. Complete covers the entire security objective. Singular ensures each requirement addresses only one issue. Verifiable defines measurable acceptance criteria. When these qualities are baked into the specifications, vendors cannot claim ambiguity, and testers have a clear checklist for FAT and SAT.
A Request For Proposal (RFP) that merely says “provide a secure system” invites vendors to prioritize deployment over hardening. Instead, embed each security requirement in the RFP’s technical specifications and attach a verification clause that must be satisfied during FAT. This makes security a contractual deliverable and clarifies who is responsible for meeting each requirement.
Testing security after the plant is live is too late; gaps discovered then may require costly retrofits. FAT, performed at the vendor’s facility, verifies that the equipment meets the security requirements in a controlled environment. SAT, conducted after installation, confirms that the security posture holds in the real plant network. Both phases should produce a formal test report signed off by the engineering team, the vendor, and the OT security team.
Specification-level controls are only the first layer. A sustainable security posture also requires a program that addresses people, processes, and technology. Begin by drafting an OT security policy that references the specification requirements, defines roles and responsibilities, and outlines incident-response procedures tailored to your industrial environment. Follow with procedural documentation that provides standard operating procedures for risk management, change management, and equipment obsolescence. Training and exercises are essential; run tabletop drills and live simulations involving engineering, operations, maintenance, and management. Emphasize the “least viable ICS” concept: identify the minimal set of components needed to keep the plant running under duress, and practice operating in local/manual mode if required.
Security is inseparable from resilience. The survey notes that 39 % of manufacturers prioritize operational efficiency; maintaining production during an incident is a direct expression of that efficiency. Implement immutable backups of PLC programs, HMI configurations, and historian databases, storing copies offline in separate physical locations. Incorporate restore drills to verify that fresh devices can be configured from backup. Design control logic to default to a safe state if communication with supervisory layers is lost, document that safe-state behavior in the specification, and test it during FAT. These measures ensure that security investments also enhance the plant’s ability to sustain operations under abnormal operating conditions.
Even with rigorous specifications, the threat landscape continues to evolve. Establish a continuous-improvement loop. Periodically assess whether the security controls performed as expected during normal operation and simulated incidents. Subscribe to OT-focused intelligence feeds and map new indicators of compromise to existing requirements, updating the specification for future projects accordingly.
Adding a dedicated OT governance board strengthens oversight. The board should meet quarterly to review assessments, incidents, tabletop exercises, and training findings, and to approve any deviation from the baseline security requirements. Aligning the board’s charter with corporate risk appetite ensures that security decisions receive executive backing without slowing project timelines.
Embedding robust, testable security requirements during the specification stage transforms security from an afterthought into a contractually enforceable design element. By coupling precise requirements with RFP integration, early validation through FAT and SAT, a dedicated OT security program, and disciplined resilience practices, organizations can protect their automation investments without sacrificing the speed and efficiency that drive today’s competitive edge. The time to act is now. Start drafting those security requirements before the next RFP goes out.
OT Cybersecurity Specification FAQ
1. Why embed OT cybersecurity during the specification stage?
Bolting on security after installation is risky and costly. Embedding it during the RFP stage makes security a contractual obligation that vendors must deliver from day one.
2. What makes a strong OT security requirement?
A solid requirement must be achievable, unambiguous, concise, complete, singular, and verifiable. This removes vendor ambiguity and gives testers a precise checklist.
3. How are OT security requirements validated?
Validation happens in two phases: Factory Acceptance Testing (FAT) at the vendor’s facility, and Site Acceptance Testing (SAT) once the equipment is installed in the live plant network.
4. How does OT security improve overall plant resilience?
Security and resilience go hand in hand. Practices like maintaining immutable, offline backups and programming safe-states directly ensure the plant can sustain or quickly recover operations during a cyber incident.
5. Why should OT cybersecurity be embedded during the specification stage?
Security requirements embedded in technical specifications and RFPs become contractual deliverables, not afterthoughts. When cybersecurity is specified upfront, vendors are evaluated on it during procurement and held accountable during Factory Acceptance Testing. Adding security after installation is significantly more expensive and creates gaps that attackers exploit. Strong security specifications must be achievable, unambiguous, concise, complete, singular, and verifiable — the six characteristics described in this article.
6. What is Factory Acceptance Testing for OT cybersecurity?
Factory Acceptance Testing (FAT) validates that cybersecurity requirements have been met at the vendor’s facility before equipment ships to the plant. It confirms that security configurations match specifications and that access controls function as intended. Site Acceptance Testing (SAT) then confirms security in the live plant environment. Both are necessary because security behavior can change between factory and production environments.
7. What percentage of manufacturers invest in OT cybersecurity?
According to the Sikich Industry Pulse survey, only 19% of manufacturers plan to invest in cybersecurity, while 65% face demand pressure and 56% plan automation projects. This gap between automation investment and security investment creates significant risk as new connected equipment expands the attack surface without corresponding protection.
About the author
