- Co-develop and implement an Industrial Control System (ICS) cybersecurity program that focuses on identified risks -- not just regulatory compliance.
- Build a cross-functional cybersecurity team to develop and manage the cybersecurity program.
- Create and maintain an OT-environment asset inventory.
- Develop security policies and standards specific to ICS devices and IT systems connected to the OT environment.
- Understand and validate all connection points between the IT and OT environments.
- Use predictive threat modeling driven by the OT-environment asset inventory to identify and assess threats and vulnerabilities.
- Apply controls or countermeasures to complicate an attacker's ability to achieve their objectives, detect their activity and effectively respond to discovered attacks.
- Perform production-system and network security reviews of the OT environment, including penetration tests.
- Consider ICS security requirements in the vendor-management process.
- Develop and implement training and awareness programs that link safety and availability with good cybersecurity practices.
Source: "Insights in IT Risks" Technical Briefing, Ernst & Young, Jan. 2012
