
SME Questionnaire Form - July 7

Publication Target Date: July 7


Submission Deadline: June 20


Article Working Title: Secure by Design Across the OT Project Lifecycle


Editorial Brief: Most critical-infrastructure security debt is created before a system is ever operated, during the capital project that designs, procures, and commissions it. When security is pushed from the project budget into operations, the operator inherits an environment with no inventory, no monitoring, undocumented vendor access, and an architecture that must be retrofitted at far greater cost. The article should map the project lifecycle — concept, feasibility, front-end engineering design, detailed design, procurement, factory and site acceptance testing, commissioning, handover — and identify exactly where security must enter at each phase and what it costs to defer it. It should connect to the lifecycle requirements in IEC 62443, the role of security levels and vendor capability verification in procurement, and the practice of running security factory and site acceptance tests separately from functional tests. It should be specific about the greenfield-versus-brownfield distinction, the moment of handover where operations discovers what was and was not built in, and the contractual levers an owner has to force secure design from integrators and vendors. The lessons apply to any operator commissioning new assets — a substation, a treatment plant, a terminal, a production line — and to anyone writing the requirements that vendors must meet.

About you

First Name

Last Name

Company/Organization

Job Title/Designation (to be used in feature)

Business Email

Short Bio

Upload headshot (JPG/PNG up to 5MB; Square 500×500px, 300 DPI recommended)

Question Set

At which project phase does security most often get deferred in your experience, and what does that deferral cost during operations?

How do you write security into procurement — security levels, vendor capability, acceptance criteria — and how do you verify it before handover?

What does a security-specific factory or site acceptance test look like in your projects, and what does it routinely catch?

How does the secure-design problem differ between greenfield and brownfield, and how do you handle integrating new secure design into a legacy environment?

What contractual levers actually force integrators and vendors to deliver secure design, and which ones fail?

What does a clean handover from project to operations look like, and what is usually missing when it is not clean?

Thank you for your response!