Secure-by-Design in OT: Why Training Still Focuses on Retrofits

Henry Kogan

This post addresses a shift that is underway in the industry but has not reached most cybersecurity training programs.  

Regulators, asset owners, and vendors are moving OT security from a retrofit discipline to a secure-by-design discipline. CISA’s Secure by Design pledge, the European NIS2 directive, and the TSA’s pipeline security directives all point in the same direction. Security should be a property of the product and the project from the beginning, not a layer added to a deployed system after a consultant’s gap assessment. 

Training has not caught up. Most OT security curricula still teach the retrofit mindset. What does this mean? 

  1. Assess the existing environment.  
  2. Identify gaps against a framework.  
  3. Recommend compensating controls. 
  4. Move on.  

That mindset made sense when nearly every control system in service had been designed before cybersecurity was a recognized engineering concern. It makes less sense as a new generation of controllers ships with security built in, and as asset owners begin to specify security requirements in procurement rather than discover them during commissioning. 

What secure-by-design changes 

A secure-by-design approach starts with the assumption that the system will be attacked, that the attack will succeed at some layer, and that the system must continue to operate safely and recover gracefully. This leads to very different decisions than a retrofit approach.  

  • Authentication is built into the protocol, not bolted on at the network boundary.  
  • Configuration changes on controllers are logged and signed, not merely network-segmented. Engineering workstations are treated as high-value targets from the first day of the project, not as office PCs that happen to run vendor software.  
  • Vendor remote access is architected through a plant-controlled gateway, not added later after the vendor’s engineers have already established their own connection. 

The practical differences become visible in incidents. The TRITON intrusion in 2017 reached the safety instrumented system partly because the Triconex controllers of that era had a physical key switch that could be left in PROGRAM mode, and because the engineering workstation that talked to the SIS was a general-purpose Windows machine with the same trust profile as any other corporate endpoint. A secure-by-design SIS architecture would have made both of those configurations harder. 

The CyberAv3ngers attacks on Unitronics PLCs in 2023 and after tell a similar story. The affected devices shipped with default credentials and were commonly deployed on the public internet on default ports. A secure-by-design product would have required a credential change during commissioning, would not have supported default-internet exposure, and would have shipped with its administrative interface disabled until explicitly enabled with logging.


None of that is exotic engineering. It is the same hardening that has been standard in enterprise IT for a decade, and the OT industry has been slow to adopt it because asset owners have not demanded it in procurement and practitioners trained in retrofit thinking often do not know to ask for it. 

The pattern repeated at the end of 2025. In December 2025, attackers compromised operational technology at several organizations in Poland’s energy sector — renewable energy plants, a combined heat and power plant, and a manufacturer — and pivoted onto the HMIs and RTUs by exploiting default credentials.  

CERT Polska documented the intrusion in a report published at the end of January 2026, and CISA amplified it the following month; both urged operators to change default passwords immediately and to require integrators and OT suppliers to enforce credential changes during commissioning. 

Three years after CyberAv3ngers, the same unforced error was still open on production energy systems. A secure-by-design product would have closed it at the factory, because no controller should ship in a state where a known default password is all that stands between an adversary and a renewable generation plant.
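To make the commissioning behaviour described above concrete (the Unitronics paragraph and the CERT Polska guidance that integrators enforce credential changes during commissioning), here is an added example written for this post; it is not code from the post, from CyberEd.io, or from any controller vendor. It models a hypothetical controller whose administrative interface cannot be enabled while the factory-default credential is still in place, whose credential rotation and interface enablement are both written to an append-only audit log, and adds an inventory audit that flags devices an operator should fix first. The default password, the device identifiers and the inventory records are all constructed placeholders.

```python
"""Commissioning gate for a hypothetical OT controller (constructed example).

Demonstrates three secure-by-design behaviours from the post:
  1. the device refuses to leave its factory state until the default
     credential is replaced;
  2. the administrative interface stays disabled until explicitly enabled,
     and only after step 1 has happened;
  3. every credential change and interface enablement is logged.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed placeholder for a product's factory default; not taken from the post.
FACTORY_DEFAULT_PASSWORD = "DEFAULT-PLACEHOLDER"
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


class CommissioningError(Exception):
    """Raised when an action violates the commissioning policy."""


@dataclass
class ControllerState:
    device_id: str
    credential_salt: Optional[bytes] = None   # None means still at factory default
    credential_hash: Optional[bytes] = None
    admin_interface_enabled: bool = False
    audit_log: List[str] = field(default_factory=list)

    @property
    def at_factory_default(self) -> bool:
        return self.credential_hash is None


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the device never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_credential(state: ControllerState, new_password: str, operator: str) -> None:
    """Rotate the credential; the factory default and short passwords are rejected."""
    if new_password == FACTORY_DEFAULT_PASSWORD:
        raise CommissioningError("factory-default credential is not accepted")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise CommissioningError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    state.credential_salt = secrets.token_bytes(16)
    state.credential_hash = _derive(new_password, state.credential_salt)
    state.audit_log.append(f"{state.device_id}: credential rotated by {operator}")


def verify_credential(state: ControllerState, password: str) -> bool:
    """Constant-time check; a device still at factory default accepts nothing."""
    if state.at_factory_default:
        return False
    return hmac.compare_digest(_derive(password, state.credential_salt), state.credential_hash)


def enable_admin_interface(state: ControllerState, operator: str, reason: str) -> None:
    """Enable the admin interface only after the default credential is gone, and log it."""
    if state.at_factory_default:
        raise CommissioningError("admin interface stays disabled while the factory default is in place")
    state.admin_interface_enabled = True
    state.audit_log.append(f"{state.device_id}: admin interface enabled by {operator} ({reason})")


# Constructed inventory records, as an asset-management export might provide them.
SAMPLE_INVENTORY = [
    {"device_id": "rtu-01", "at_factory_default": True,  "admin_iface_exposed": True},
    {"device_id": "hmi-07", "at_factory_default": False, "admin_iface_exposed": True},
    {"device_id": "plc-12", "at_factory_default": False, "admin_iface_exposed": False},
]


def audit_inventory(inventory) -> List[Tuple[str, str]]:
    """Flag the two conditions the CERT Polska and CISA guidance asked operators to close."""
    findings = []
    for dev in inventory:
        if dev["at_factory_default"]:
            findings.append((dev["device_id"], "factory-default credential still in place"))
        if dev["admin_iface_exposed"]:
            findings.append((dev["device_id"], "administrative interface reachable from an untrusted network"))
    return findings


if __name__ == "__main__":
    plc = ControllerState("plc-01")
    set_credential(plc, "commissioning-pw-2026", operator="integrator")
    enable_admin_interface(plc, operator="integrator", reason="factory acceptance test")
    print("\n".join(plc.audit_log))
    for device_id, issue in audit_inventory(SAMPLE_INVENTORY):
        print(f"FINDING {device_id}: {issue}")
```

The ordering is the point: `enable_admin_interface` fails closed until `set_credential` has run, so the "default password on an internet-facing HMI" state the Poland report describes cannot be reached through the device's own configuration path. The inventory audit is the brownfield counterpart for equipment that shipped without this behaviour.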

What training should be teaching now 

A curriculum that takes secure-by-design seriously looks different from the current standard. It should teach practitioners to: 

  • Write and evaluate procurement language — security requirements in a controller RFP, and how to judge a vendor’s response. 
  • Threat-model new projects, not just assess existing ones. 
  • Understand how modern control protocols handle authentication, and why the legacy protocols dominating installed bases cannot without replacement. 
  • Recognize the secure development practices vendors are adopting, so they can ask the right questions at factory acceptance testing. 

Retrofit skills still matter. Most OT environments will stay brownfield for the next decade, and defenders need to apply compensating controls to equipment that cannot be upgraded. But a pipeline that produces only retrofit practitioners leaves the industry unprepared for the projects starting now — and those projects will define the security posture of the next twenty years. 

Training for what comes next 

CyberEd.io builds for both realities. ICS/OT courses cover the retrofit skills practitioners need for brownfield environments, and they cover the procurement language, threat modeling, and secure development practices a secure-by-design program requires.  

Simulation exercises include greenfield scenarios in which learners translate regulatory requirements into RFP language and evaluate vendor responses, alongside brownfield scenarios modeled on TRITON, CyberAv3ngers, and the 2025–2026 Poland energy intrusion that require compensating controls on equipment that cannot be replaced.  

Programs are tailored to the client’s stack, so a learner at a plant facing a controller refresh works through different scenarios than a learner responsible for a thirty-year-old installed base. 

Wrapping up our blog series on OT 

You may have noticed we have been writing about OT for the past few months. The argument running through this series has been pretty narrow.

Frameworks are useful. Certifications have their place. But the education that produces capable OT security practitioners requires exposure to real systems, real incidents, real trade-offs, and real engineers, and most current training programs are structured to avoid exactly that exposure.

The incidents cited in this series, from Ukraine through TRITON, Colonial, NotPetya, Oldsmar, CyberAv3ngers, and now Poland’s energy sector, were not defeated by frameworks. They were defeated, where they were defeated, by people who understood their plants and had rehearsed under realistic conditions.

Building those conditions is the work CyberEd.io exists to do. The industry does not need more certificates. It needs more practitioners who have done the work before the attack arrives. 

Contact our experts to learn more about OT security training for your team.


References:

  • CISA, Secure by Design pledge and guidance (2023 onward)
  • EU NIS2 Directive (2022)
  • TSA Security Directives for pipelines and rail (2021 onward)
  • Mandiant/FireEye TRITON reports
  • CISA Alerts AA23-335A and AA26-097A
  • CERT Polska, Energy Sector Incident Report (January 2026)
  • CISA alert amplifying the Poland energy sector incident (February 2026)
  • IEC 62443-4-1 and 62443-4-2 (product security development and technical requirements)
