Security is a function of people, process, and tools—with people being the first and most critical element. In the area of industrial systems, there is an evolving and critical question regarding ownership and responsibilities.
IT: 44%, OT: 14%, ICS security leadership (evenly shared between IT and OT): 35%, Another team: 7%
According to the 2019 ICS Security Report Survey from Dimensional Research, we can see that of the organizations that have both IT and OT teams, IT seems to be taking the lead on ICS security responsibility.
So, before you consider the first phase, you must first initiate a conversation regarding who owns what: capital budget, operations budget, who specifies the practices, who makes it happen. These are all key areas to investigate.