Implementing the security controls

Organizations should analyze the (initial/detailed) risk assessment and the impacts to organizational operations (that is, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation, and prioritize selection of mitigation controls. Organizations should focus on mitigating risk with the greatest potential impact. Security control implementation is consistent with the organization's enterprise architecture and information security architecture.

The controls to mitigate a specific risk may vary among types of systems. For example, user authentication controls might be different for ICS than for corporate payroll systems and e-commerce systems. The ICS information security manager should document and communicate the selected controls, along with the procedures for using the controls. Some risks may be identified that can be mitigated by quick-fix solutions: low-cost, high-value practices that can significantly reduce risk.

Examples of these solutions are restricting internet access and eliminating email access on operator control stations or consoles. Organizations should identify, evaluate, and implement suitable quick-fix/high-impact solutions as soon as possible to reduce security risks and achieve rapid benefits. The Department of Energy (DOE) document 21 Steps to Improve Cybersecurity of SCADA Networks can be used as a starting point for outlining specific actions that increase the security of SCADA systems and other ICS.

For the remainder of the chapter we will look at a practical approach to the ICS security program development process. At this point, topics like senior management buy-in and the assembling of an ICS security team are considered to be covered.
