#insights

Cybersecurity in critical infrastructure can no longer be approached as an additional layer or as a reaction to incidents. In the current context—shaped by regulations such as NIS2 and the Cyber Resilience Act (CRA)—security must be integrated from the concept and design phase of systems. It is not an added value; it is the minimum requirement for designing, building, and operating critical assets sustainably.

For an engineering company like Sener, this approach translates into a very clear idea: every digital asset is born with security built in. From a PLC deployed in the field to a large-scale OT monitoring platform, cybersecurity is part of the initial design rather than a later phase based on patches, exceptions, or reactive solutions.

This approach significantly reduces the risk of service interruptions and enables a more predictable, efficient, and cost‑effective operation throughout the entire lifecycle of the infrastructure.

What Does “Cybersecurity by Design” Really Mean?

Talking about security by design means incorporating cybersecurity requirements and controls across all stages of the hardware and software lifecycle. It is not merely about deploying technology, but about treating security as a functional requirement of the system, on the same level as availability, operational safety, or performance.

In practice, this approach relies on five key pillars:

• Risk and threat analysis from the earliest engineering phases
• Secure architecture design, aligned with OT and IT environments
• Design and development decisions based on the principle of least privilege
• Security testing and controlled commissioning
• Secure operation, with update capability and managed change control

From this model, essential and measurable principles are derived: reduced attack surface, defence in depth, effective segmentation between OT and IT networks, robust identity and access management, and secure update mechanisms throughout the system’s lifespan. All of them align with new regulatory requirements for products and systems with digital elements.

From Theory to Practice: OT Cybersecurity in the Railway Sector

A representative example of this approach is the “OT Cyber Security Uplift” programme developed for Sydney Trains, where Sener has integrated advanced cybersecurity capabilities into existing OT systems.

The goal was not merely to deploy tools, but to measurably increase the security maturity of the most critical railway assets. This work has reduced vulnerabilities in safety‑critical environments, aligned operations with regulatory best practice, and reinforced the resilience of Sydney’s railway network against increasingly sophisticated threats.

In projects such as Sydney Metro Western Sydney Airport, the same approach is applied from the engineering phase, aligning communications, signalling, and digital platforms with secure‑by‑default architectures designed to operate for decades.

Impact on Energy, Industry, and Mobility

In the energy and industrial sectors, Sener’s approach combines international frameworks such as IEC 62443 with national and European security requirements—such as the Spanish ENS adapted to NIS2—to design DCS, SCADA, and other complex industrial systems featuring:

• Proper OT/IT segmentation
• Dedicated security monitoring capabilities
• Vulnerability management integrated into operations

In the mobility sector, OT Security solutions connect the design of resilient infrastructure with near real‑time detection and response, ensuring new projects are prepared both for NIS2 audits and for the demands introduced by the Cyber Resilience Act.

Design Secure Today to Operate Tomorrow

In critical infrastructure, there is no room to improvise cybersecurity. Designing secure systems from the outset not only reduces risks: it improves availability, simplifies operations, and protects investments aligned with business objectives.

Cybersecurity is no longer a patch. It is—and must be—a design decision.