ENISA just published a playbook on Security by Design and Default. It is a solid document. The core message is correct: cybersecurity is no longer a one-time configuration step — it is a continuous discipline that has to be built into systems from the ground up, embedded in architecture before a single line of code ships or a single device gets racked.
Hard to argue with that.
But here is the problem most organizations face when they read guidance like this: they are not building new infrastructure. They are running the infrastructure they built ten, fifteen, twenty years ago. PLCs that cost more to replace than a new building. SCADA systems that control processes you cannot shut down. Networks that were never designed for the threat landscape they now operate in.
For them, “secure by design” is great advice for the next procurement cycle. It does nothing about the problem on the floor today.
The Installed Base Reality
Walk into any manufacturing plant, utility, or critical infrastructure facility and look at what is running. You will find hardware that predates modern threat intelligence. You will find flat networks where a compromised HMI can reach a PLC with nothing in between. You will find protocols that were designed for reliability, not security.
Secure by design did not apply when this equipment was built. And for most of it, a redesign is not coming. The capital is not there. The operational risk is too high. The downtime is not acceptable.
So the question ENISA’s playbook does not fully answer is the one that matters most to the practitioners actually running these environments: what do you do right now, with what you already have?
Continuous Security Has to Work Without Disruption
ENISA is right that resilience depends on execution, not just design. That is the part worth holding onto. But execution in a live OT environment has rules that do not apply anywhere else:
- You cannot install agents on a PLC
- You cannot take a production line offline to patch
- You cannot redesign the network topology between shifts
- You cannot afford the collateral damage of a tool that blocks the wrong traffic
Effective security in these environments has to be transparent — meaning it inserts into the traffic path without requiring network redesign, without device-side software, and without disrupting the processes it is there to protect.
That is not a nice-to-have. It is the only way anything actually gets deployed and stays deployed.
Minimizing Attack Surface Without Touching the Design
ENISA emphasizes minimizing attack surfaces and enforcing least privilege. Both are correct. The question is how you do that when you cannot modify the systems themselves.
The answer is enforcement at the traffic level. Not at the device, not at the boundary firewall three layers up, but inline, in the path of actual communication. When you control what can reach what, at the protocol level, with the granularity to distinguish between legitimate operational traffic and reconnaissance — you have achieved attack surface reduction without touching a single device configuration.
That is not theoretical. It is how organizations with the most sensitive OT environments — the ones that cannot afford a disruption, ever — are actually solving this problem today.
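One concrete shape this takes, as an added example that is not code from PacketViper or from the ENISA playbook: an inline Modbus/TCP policy check that allowlists which host may send which function codes to which PLC, treats device-identification and diagnostic requests as reconnaissance rather than operations, and flags a source that starts addressing unit IDs it never touched before. The hosts, the allowlist, the unit-ID sweep threshold and the sample frames are all constructed for illustration; nothing here is taken from a real plant.

```python
"""Inline, protocol-level allowlisting for Modbus/TCP between an HMI and a PLC.

Added example (not PacketViper's code, not from ENISA). The policy engine parses the
Modbus/TCP MBAP header and the PDU function code and decides per frame whether it may
pass. Host addresses, the allowlist, the sweep threshold and all sample frames are
constructed assumptions for illustration.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass, field

MODBUS_PORT = 502

# Function codes the plant's HMI legitimately uses (assumption for this example):
# read holding/input registers, write single/multiple registers.
OPERATIONAL_FCS = {3, 4, 6, 16}
# Function codes enumeration tools use to fingerprint a device:
# encapsulated interface (read device identification), report server ID, diagnostics.
RECON_FCS = {0x2B, 0x11, 0x08}


@dataclass
class Policy:
    rules: dict                      # (src_ip, dst_ip) -> set of allowed function codes
    unit_sweep_threshold: int = 2    # distinct unit IDs one source may address (assumption)
    seen_units: dict = field(default_factory=lambda: defaultdict(set))
    events: list = field(default_factory=list)   # denials, for unattended monitoring

    def evaluate(self, src, dst, dport, payload):
        """Return 'ALLOW' or 'DENY:<reason>'. Malformed frames are denied (fail closed)."""
        if dport != MODBUS_PORT:
            return self._deny(src, dst, "unexpected port")
        frame = parse_modbus_tcp(payload)
        if frame is None:
            return self._deny(src, dst, "malformed MBAP/PDU")
        unit, fc = frame
        allowed = self.rules.get((src, dst))
        if allowed is None:
            return self._deny(src, dst, f"no rule for {src}->{dst}")
        self.seen_units[src].add(unit)
        if len(self.seen_units[src]) > self.unit_sweep_threshold:
            return self._deny(src, dst, f"unit-id sweep ({len(self.seen_units[src])} units)")
        if fc in RECON_FCS:
            return self._deny(src, dst, f"reconnaissance function code 0x{fc:02x}")
        if fc not in allowed:
            return self._deny(src, dst, f"function code {fc} not in allowlist")
        return "ALLOW"

    def _deny(self, src, dst, reason):
        self.events.append((src, dst, reason))
        return f"DENY:{reason}"


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header plus function code. Returns (unit_id, fc) or None."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    # protocol id must be 0; length counts unit id + PDU and must match the bytes present
    if pid != 0 or length != len(payload) - 6 or length < 2:
        return None
    return unit, payload[7]


def mb_frame(unit: int, fc: int, data: bytes = b"", tid: int = 1) -> bytes:
    """Build a Modbus/TCP request (constructed sample traffic, not a capture)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def run_sample():
    """Replay constructed frames through the policy; returns (policy, verdicts)."""
    hmi, eng, plc = "10.10.1.5", "10.10.1.77", "10.10.2.10"   # assumed addresses
    policy = Policy(rules={(hmi, plc): OPERATIONAL_FCS})
    traffic = [
        (hmi, plc, 502, mb_frame(1, 3, b"\x00\x00\x00\x0a")),   # HMI reads 10 holding registers
        (hmi, plc, 502, mb_frame(1, 6, b"\x00\x05\x00\x01")),   # HMI writes one register
        (hmi, plc, 502, mb_frame(1, 0x2B, b"\x0e\x01\x00")),    # HMI asks for device identification
        (eng, plc, 502, mb_frame(1, 3, b"\x00\x00\x00\x01")),   # engineering box with no rule
        (hmi, plc, 502, mb_frame(1, 5, b"\x00\x01\xff\x00")),   # write single coil, not allowlisted
        (hmi, plc, 502, b"\x00\x01\x00\x00\x00\x01\x01"),        # truncated PDU
        (hmi, plc, 502, mb_frame(2, 3, b"\x00\x00\x00\x01")),   # second unit id, still within threshold
        (hmi, plc, 502, mb_frame(3, 3, b"\x00\x00\x00\x01")),   # third unit id: sweep detected
    ]
    return policy, [policy.evaluate(*t) for t in traffic]


if __name__ == "__main__":
    policy, verdicts = run_sample()
    for verdict in verdicts:
        print(verdict)
```

The point of the example is the granularity: the same source and destination pair is allowed for register reads and writes but denied for a device-identification request, and a source that starts walking unit IDs is cut off even though every individual frame is well formed. The denial list is what feeds monitoring without a person watching. Note that this engine fails closed on a frame it cannot parse; whether the appliance as a whole fails open on power loss is the separate hardware bypass decision the next section discusses.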
Resilience Is Built In or It Is Not There
One more thing ENISA gets right: resilience has to be validated continuously, not assumed from a design document. In practice that means the security layer must never become the outage. Hardware bypass, so that a power or hardware failure on the inline device fails open and traffic keeps flowing instead of halting the process; that unfiltered interval is itself an event the monitoring has to record and alert on, not silently absorb. And continuous monitoring that does not depend on a human reviewing a dashboard at the right moment.
The goal is a security posture that does not require babysitting. One that adapts to what it sees, enforces based on context, and keeps running whether a shift is staffed or not.
That is what operational resilience actually looks like in practice. Design gets you to the starting line. Execution — continuous, transparent, inline — is what keeps you safe after the network goes live.
ENISA’s playbook is the right call to the industry. Secure by design, from day one, is the goal. For the infrastructure already running, the path to the same outcome is continuous security that works with what exists — not a redesign that will never happen.
Francesco Trama is the founder of PacketViper.
