Engineering · 6 min read

Shifting security left: the economics of secure-by-design OT

The cheapest place to fix a network-security flaw is the place it never gets built. In operational technology, the gap between a design-time fix and a production fix is the difference between a revision and an outage.

In 1981 Barry Boehm put numbers to something every engineer has seen in practice: the cost of fixing a defect rises sharply the later it is found. A problem caught in requirements or design costs a fraction of the same problem caught in testing, and a small fraction of one caught in production. Decades of software and systems-engineering data bear out the shape of that curve.

Figure (interactive in the original): Relative cost to fix a flaw, by lifecycle stage. Stages: Design (on the canvas), Build (integration), Commission (FAT / SAT), Operate (in production); vertical axis is relative cost, from 1× at design.

Caught at Commission, the fix costs 36× what it would at design; shifting it left is 97% cheaper.

Illustrative ratios after Boehm's cost-of-change curve. The exact multipliers vary by study; the exponential shape does not.

In OT, the curve is steeper

For information systems the late-stage penalty is costly. For industrial control systems it is worse, because the assumptions that make software cheap to change do not hold. You cannot take a substation offline for a maintenance window on demand, or patch a protection relay mid-season. Devices live for fifteen to twenty years, vendor-locked and change-controlled. And the defect in question is often a missing zone boundary, or a flat network that now has live plant hanging off it.

So the same flaw that is a five-minute edit on a design canvas becomes, later in the lifecycle:

  • At build / integration: a re-cabling and re-addressing exercise, and a slip in the integration schedule.
  • At commissioning (FAT/SAT): a redesign under time pressure, with the integrator, vendor and asset owner all in the room.
  • In production: a change request against a running plant, or the incident, outage or non-conformity raised at audit.

IEC 62443 is a shift-left framework

This is why the ISA/IEC 62443 lifecycle front-loads the work: assess risk, partition the system into zones and conduits, set a target security level, design the countermeasures, and verify, all before a cable is pulled. In effect the standard encodes Boehm's curve as method. The work it asks for is the cheap work, done at the cheap time.

The gap has never been the framework. It has been the tooling. Zoning, conduit definition and security-level assignment are still done by hand in Visio and spreadsheets: applied inconsistently, checked late and by eye, and hard to evidence. The design intent and the as-built record drift apart, and the verification that should happen at design time slides right, toward the expensive end of the curve.

Move the verification, not just the drawing

Synapse pulls that work back to the cheapest point on the curve. The architecture is structured, queryable data rather than a picture, so the same model the engineer draws is the model that gets checked. A flat network spanning two zones, a missing DMZ between enterprise and OT, a conduit that permits everything, a zone with no security level: these are caught on the canvas as they are created, not flagged at the acceptance test or discovered after commissioning.
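The four design-time checks named above are easy to express once the architecture is data rather than a drawing. The following is an added illustration, not Synapse's code and not part of the original article: it assumes a minimal zone/conduit/asset model with a three-kind zone taxonomy (enterprise, dmz, ot), an optional IEC 62443 target security level per zone, and a conduit rule list where the literal "any" means unrestricted. The wind-farm-flavoured sample model is constructed for the example and is seeded with one instance of each flaw.

```python
"""Design-time checks over a zone/conduit model (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    zone: str
    subnet: str  # the L3 network the asset actually sits on, e.g. "10.0.1.0/24"


@dataclass
class Zone:
    name: str
    kind: str  # assumed taxonomy: "enterprise", "dmz" or "ot"
    sl_target: Optional[int] = None  # IEC 62443 SL-T (1..4); None = never assigned


@dataclass
class Conduit:
    name: str
    src: str
    dst: str
    allowed: List[str] = field(default_factory=list)  # protocol names; "any" = unrestricted


@dataclass
class Model:
    zones: Dict[str, Zone]
    conduits: List[Conduit]
    assets: List[Asset]


def check_flat_networks(model: Model) -> List[str]:
    """A subnet shared by assets in more than one zone means the zone
    boundary exists on the drawing but not on the wire."""
    zones_by_subnet = defaultdict(set)
    for a in model.assets:
        zones_by_subnet[a.subnet].add(a.zone)
    return [f"flat network: {subnet} spans zones {sorted(zones)}"
            for subnet, zones in zones_by_subnet.items() if len(zones) > 1]


def check_missing_dmz(model: Model) -> List[str]:
    """Enterprise and OT zones must only meet through a DMZ, never directly."""
    findings = []
    for c in model.conduits:
        kinds = {model.zones[c.src].kind, model.zones[c.dst].kind}
        if kinds == {"enterprise", "ot"}:
            findings.append(f"missing DMZ: conduit {c.name} joins {c.src} and {c.dst} directly")
    return findings


def check_permit_any(model: Model) -> List[str]:
    """A conduit whose rule set contains 'any' is a zone boundary in name only."""
    return [f"conduit {c.name} permits everything"
            for c in model.conduits if any(p.lower() == "any" for p in c.allowed)]


def check_zone_sl(model: Model) -> List[str]:
    """Every zone needs a target security level before countermeasures can be designed."""
    return [f"zone {z.name} has no target security level"
            for z in model.zones.values() if z.sl_target is None]


def run_checks(model: Model) -> List[str]:
    """Run every check and return the combined list of findings."""
    findings: List[str] = []
    for check in (check_flat_networks, check_missing_dmz, check_permit_any, check_zone_sl):
        findings.extend(check(model))
    return findings


def example_model() -> Model:
    """Constructed sample model with one instance of each flaw (not a real site)."""
    zones = {
        "Enterprise": Zone("Enterprise", "enterprise", sl_target=1),
        "Site-DMZ": Zone("Site-DMZ", "dmz", sl_target=2),
        "Turbine-Control": Zone("Turbine-Control", "ot", sl_target=3),
        "SCADA": Zone("SCADA", "ot"),  # flaw: SL-T never assigned
    }
    conduits = [
        Conduit("ent-dmz", "Enterprise", "Site-DMZ", ["https"]),
        Conduit("dmz-scada", "Site-DMZ", "SCADA", ["opc-ua"]),
        Conduit("ent-scada", "Enterprise", "SCADA", ["any"]),  # flaw: bypasses DMZ and permits everything
    ]
    assets = [
        Asset("historian-01", "Enterprise", "10.0.1.0/24"),
        Asset("hmi-01", "SCADA", "10.0.1.0/24"),  # flaw: same subnet as the enterprise historian
        Asset("plc-wtg-01", "Turbine-Control", "10.0.20.0/24"),
    ]
    return Model(zones, conduits, assets)


if __name__ == "__main__":
    for finding in run_checks(example_model()):
        print(finding)
```

Each check is a pure function over the model, so it can run on every edit of the canvas rather than once at acceptance; the same functions, pointed at an as-built export instead of the design, give the drift check between design intent and the installed network.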

Secure-by-design is not a compliance checkbox bolted on at the end. Done at design time it is the cheapest engineering decision on the project, and the one with the highest payback.

See the check happen at design time

Open the 20-asset wind-farm reference and watch the segmentation, conduit and security-level checks run on the canvas.

Launch Synapse Studio