Most asset owner ICS Security Programs are still, to put it kindly, in a less than mature stage for a variety of reasons. There is a long list of technical and security controls that are clearly good security practice, and an organization can only absorb so much security in a year even if resources are unlimited. So determining what you do next is extremely important.
We recommend a very basic, efficient risk reduction approach. Ask yourself: where will we get the most risk reduction for the next dollar or hour spent on improving ICS security? Create a prioritized list of actions based on the answers. Determine how much you can do well in the next 12-18 months and measure your progress.