Lessons Learned from Leading Engineering and Cybersecurity Projects in Regulated Industries.
Lee Clough
Expert in Rolling Stock Engineering & OT Cybersecurity | Securing Critical Infrastructure with Proven Leadership & Strategic Governance in Regulated Industries & Law Enforcement.
In today’s world, projects in regulated industries such as transportation, engineering, and critical infrastructure sectors demand a meticulous balance between technical excellence, security, and compliance. Aligning with regulations and standards, however, is not just a tick-box exercise but a fundamental part of successfully deploying a project in these industries.
Having had the opportunity to be involved in, and often take a leading role in, engineering and cybersecurity initiatives across the transportation (specifically, rolling stock) and education sectors, supported by a decade in law enforcement, I've encountered both common challenges and unique insights that shaped the way I approach governance and assurance in these highly regulated fields.
Here are some key lessons learned from those experiences:
1. Compliance Is the Foundation, Not the Goal
We have all been in positions where red tape and bureaucracy seem to hinder progress and the number of hoops to jump through seems endless; however, the idea that compliance is mere obstruction could not be further from the truth. In safety-driven environments such as public transportation, compliance is crucial not only for limiting liability but also for ensuring that effective steps have been taken to deliver safe, secure outcomes.
When it comes to digital security, it is imperative that governance compliance is not viewed in isolation from the security objectives. Compliance frameworks such as NIST CSF, ISO 27001, and specific safety regulations in the transport sector provide a solid foundation but do not cover everything required to manage risk. Organisations often focus heavily on ticking compliance boxes, but compliance alone doesn’t guarantee security.
Regulatory compliance ought to be a by-product of creating robust security policies and procedures, not the objective for creating them. That is to say, you should achieve compliance by creating robust strategies, not select and implement strategies in order to gain compliance. A balanced approach that integrates security best practices alongside compliance can better safeguard sensitive data and operational technology (OT) assets.
In the railway sector, critical systems often follow standards like EN 50128 for software development in safety-critical systems, but real security improvement comes when you align these requirements with a cybersecurity framework, effectively covering both safety and security.
2. Implementing Security Frameworks Early Saves Time and Resources Later
Spending the time in the early days to adequately research, plan for, and deploy a security strategy, backed by an established framework, provides a clear path to follow and allows objectives to be developed with a safety-first approach.
Delaying the integration of security strategies and frameworks—such as NIST-2 or other industry standards—into a project’s lifecycle often leads to costly and extensive retrofitting and greater difficulty making the framework fit. A proactive approach that integrates security governance at the inception stage significantly reduces both risk and cost.
In several rolling stock projects, we embedded security within the project design phase from the outset, mapping to both NIST CSF and emerging European cybersecurity regulations such as EN 50128, EN 50129 & IEC 62443. This saved countless hours (and resources) amending systems down the line, as a strong foundation had been laid and project objectives had been set with the guiding principles of these standards and frameworks in mind.
This security-first culture also made certification and reporting easier, as our usual project reporting mechanisms contained the required information by default.
3. Tailored Communication Is Key to Winning Management’s Trust
Building on section 2, the reporting mechanisms and key stakeholders identified at the start of the project will be critical to keeping things on track when the inevitable delays and unexpected deviations arise. The speed, accuracy and transparency with which communications are transmitted will ensure all stakeholders are making informed decisions.
In heavily regulated industries, especially during cybersecurity projects, there’s often a gap between technical teams and executive decision-makers who may focus on the business impact and commercial implications, rather than the technical details and deeper security objectives. Ensuring your message resonates at every level of an organisation is essential for fostering management support.
When conveying project status to non-technical teams or executives, focus on real-world impacts by translating objectives, vulnerabilities and risks into something quantifiable—both in terms of commercial and financial exposure. Another critical strategy is emphasising how security measures align with overall business goals and regulatory requirements. Executives love hearing how you are minimising organisational liability.
In a transport project involving OT systems, instead of focusing solely on technical terminology, we linked OT security risks directly to potential operational downtimes and regulatory fines. By doing this, decision-makers felt security improvements weren’t just technical necessities but core business actions ensuring profitability and compliance.
4. Risk Prioritisation and Pragmatism Over Perfectionism
One of the most significant lessons I learned—often the hard way—is that in regulated industries, focusing on addressing the highest-priority risks yields better results than trying to achieve perfection across all compliance points. Perfectionism can waste resources on minor issues while the biggest risks remain at large.
Organisations that aim for 100% compliance or security perfection in every dimension can get bogged down, missing glaring and more urgent risks and ultimately failing to achieve compliance at all. It’s essential to recognise that security is a journey, not a destination, and that evolving threats often make absolute perfection unattainable.
In a recent project for a client, we prioritised securing critical control systems and mission-critical assets that could either directly impact people's safety or cause the largest organisational disruption, opting to address secondary, less-urgent assets in a phased approach while maintaining ongoing risk assessment.
5. Document Everything—Your Deliverables Are Your Legacy
Working in roles where people's safety (and sometimes lives) depend on the decisions I make and the actions I take, or don't take, I learned quickly that documenting everything - and I mean everything - is the only way to ensure that you are covered.
In any regulated environment, documentation isn't just a requirement—it's a legacy of your leadership. An excellent technical project won’t count for much if it’s not appropriately documented for compliance, governance, and future stakeholders. Your reports should be thorough, actionable, and aligned with both security goals and regulatory mandates.
After delivering a cybersecurity solution for an education client, I ensured the reporting was structured not only to meet the DfE Cyber Security Standards for Education, but also to provide the necessary steps and information to serve as a continuity plan—providing both legal protection and groundwork for successive operations teams and incident response.
Bonus - Continuous Monitoring and Learning — Threats Evolve, So Should Your Response
Regulated environments must acknowledge that threats continuously evolve, which means that compliance checks or audits should not be seen as one-off activities. They are part of an ongoing cycle. Building in continuous monitoring, OT/IT convergence and incident response plans aligned with industry standards is crucial.
In Conclusion
Heavily regulated industries bring with them a host of compliance requirements and unique technical challenges. Yet, with the right frameworks, strong leadership, and an emphasis on both security and compliance, engineering and cybersecurity projects can achieve not only regulatory success but also operational resilience. By ensuring that security is integrated early, fostering clear communication, and prioritising risks, you will be well on your way to leading successful projects in even the most regulated environments.
OT Cyber Security Consultant | OT Security Leader | Trusted Advisor | Pre-Sales | Cyber Security Strategy | ISA England President
2 months
Insightful article