How do you design cybersecurity for SCADA/ICS systems?

ICS cybersecurity design per IEC 62443 and NIST: network segmentation (Purdue model levels 0-5, DMZ between IT/OT), defense in depth (firewalls, IDS/IPS, VPN for remote access), access control (role-based, multi-factor authentication), patch management strategy (test before deployment, compensating controls), security monitoring (log collection, SIEM integration), and incident response procedures. Specific measures: disable unused protocols, change default passwords, restrict USB access, encrypt communications, and conduct vulnerability assessments. Balance security with operational needs. Document security architecture and maintain through MOC process.