1. Co-develop and implement an Industrial Control System (ICS) cybersecurity program that focuses on identified risks -- not just regulatory compliance.
2. Build a cross-functional cybersecurity team to develop and manage the cybersecurity program.
3. Create and maintain an OT-environment asset inventory.
4. Develop security policies and standards specific to ICS devices and IT systems connected to the OT environment.
5. Understand and validate all connection points between the IT and OT environments.
6. Use predictive threat modeling driven by the OT-environment asset inventory to identify and assess threats and vulnerabilities.
7. Apply controls or countermeasures to complicate an attacker's ability to achieve their objectives, detect their activity, and effectively respond to discovered attacks.
8. Perform production-system and network security reviews of the OT environment, including penetration tests.
9. Consider ICS security requirements in the vendor-management process.
10. Develop and implement training and awareness programs that link safety and availability with good cybersecurity practices.

Source: "Insights in IT Risks" Technical Briefing, Ernst & Young, Jan. 2012