Skip to main content


Cybersecurity & Resilience of Control Systems

With significant expertise across U.S. and U.K. critical national infrastructure, government and commercial enterprises, we can develop a proportionate cybersecurity risk-reduction strategy for your business.

Lead Contact


No organization is immune from cyberattack and its impacts on business processes. In 2021, U.S. President Joe Biden issued an executive order to combat increasingly sophisticated malicious cyber campaigns that threaten the public and private sectors. And in 2023, the U.K. National Cyber Security Centre issued an alert warning of an emerging threat from state-aligned groups. To mitigate these threats, organisations need to assess their process management systems’ infrastructure to better safeguard against risks and maintain productivity.

Cybersecurity & Resilience of Control SystemsMr.B-king/Shutterstock

Thornton Tomasetti has significant expertise across U.S. and U.K. critical national infrastructure and government and commercial enterprise, as well as in structural engineering, blast assessments, hostile vehicle mitigation (HVM) and physical and technical security. Our threat, vulnerability and risk assessment (TVRA) processes consider the whole integrated security posture of your organisation and will engage management, engineers and operators to understand its policies, physical systems, infrastructure and personnel security to produce a TVRA or risk-treatment plan tailored to your business needs.

Simplified schematic showing pathways to attack systemsSimplified schematic showing pathways to attack systems.Thornton Tomasetti


We'll perform business-focused cybersecurity risk assessments and audits, benchmarking against standards and best practice. Our risk-reduction strategies and solutions are proportional to your business risk, with a range of options that meet your unique requirements. Our reports are easy to understand and can be presented to boards, insurers or regulators as a demonstration of due diligence, a cost-benefit analysis or a risk-treatment plan.

Cybersecurity & Resilience of Control SystemsGorodenkoff / Shutterstock

Our services include:

  • Operational Technology Cyber Threat Vulnerability and Risk Assessment. This is an expert risk assessment OT(TVRA) formulated through a common understanding of context and a review of operational requirements. It will identify and highlight strategic, geopolitical and technical cyber threats and vulnerabilities and is fundamental to informing the security strategy requirements that should be incorporated within the design to mitigate identified threat scenarios.
  • Operational Technology Cybersecurity Strategy. Supporting the establishment of a safe and secure industrial process, articulating high-level security principles, identifying benchmark security standards and defining the steps necessary to establish an IACS Cybersecurity Program. This strategy also considers mitigation options for the security risks identified in the cybersecurity TVRA. Where a cybersecurity mitigation is not available, it will draw upon compensatory mitigations from other security domains, such as physical, technical, personnel (insider) and operational security. This strategy also considers the establishment and maintenance of a cybersecurity management system.
  • Design Review. Provides project life-cycle cybersecurity design guardianship on behalf of the client to ensure that the developing design continues to meet the security design intent and strategy.
  • Development of Security Policies, Procedures and Incident Response Plans. These deliverables will be critical to regulatory approval of plant security and the establishment of a cybersecurity management system, necessary for the operation of a safe and secure industrial control system and process. These deliverables will support maintenance, availability and integrity of production systems once operational.
  • Support for Certification to the International Standard. Should you opt for or be required to certify the documented as-built production system, we can support you in the process of application and certification for ISA/IEC 62443-3-2: Security for Industrial Automation and Control Systems.