ICS now almost entirely utilizes general-purpose computing equipment (servers, workstations, OS, DB, communications) rather than developing its own C&I. Therefore, the OEM has to test the integration of its machinery with these commodity components sourced from the market.
The industry has already defined a standard architecture for how the different types of components should be zoned into different network segments.
Certain cybersecurity practitioners have misused the term "architecture review". To be specific, it is a design review: how the designed system deviates from the standard architecture, what the ingress/egress points to the system are, what the worst-case consequence is, and what the anticipated likelihood is, in order to derive the optimal controls.
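To make the design review described above concrete, here is an added example (not code from the original post): a small Python helper that models the standard architecture as a set of permitted zone-to-zone conduits, walks the designed system's traffic flows, reports every cross-zone ingress/egress point, flags the ones that deviate from the reference model, and ranks them by worst-case consequence times anticipated likelihood so the reviewer can prioritise controls. The zone names, components, protocols and 1-to-5 scores are all constructed for illustration and are not taken from any standard.

```python
"""Design-review helper (added example, not the original post's method).

Assumptions (all constructed for illustration):
  - The standard architecture is modelled as a set of permitted zone pairs.
  - Consequence is scored by the destination zone (deeper zone = worse).
  - Likelihood is scored by the protocol used on the crossing.
"""
from dataclasses import dataclass

# Reference architecture: conduits the standard permits. A cross-zone flow
# whose zone pair is absent from this set is reported as a deviation.
REFERENCE_CONDUITS = {
    ("enterprise", "dmz"),
    ("dmz", "supervisory"),
    ("supervisory", "control"),
}

@dataclass(frozen=True)
class Component:
    name: str
    zone: str

@dataclass(frozen=True)
class Flow:
    src: str        # component name
    dst: str        # component name
    protocol: str

@dataclass
class Finding:
    flow: Flow
    src_zone: str
    dst_zone: str
    deviation: bool     # True when the zone pair is not a permitted conduit
    consequence: int    # 1 (nuisance) .. 5 (loss of view/control, safety)
    likelihood: int     # 1 (remote) .. 5 (expected)

    @property
    def risk(self) -> int:
        return self.consequence * self.likelihood

def zone_of(components, name):
    """Look up the zone a named component was placed in by the design."""
    for c in components:
        if c.name == name:
            return c.zone
    raise KeyError(f"component not in design: {name}")

def review(components, flows, consequence_by_zone, likelihood_by_protocol):
    """Return cross-zone findings, highest risk first (deviations win ties)."""
    findings = []
    for f in flows:
        sz, dz = zone_of(components, f.src), zone_of(components, f.dst)
        if sz == dz:
            continue  # intra-zone traffic is not an ingress/egress point
        permitted = (sz, dz) in REFERENCE_CONDUITS or (dz, sz) in REFERENCE_CONDUITS
        findings.append(Finding(
            flow=f, src_zone=sz, dst_zone=dz, deviation=not permitted,
            consequence=consequence_by_zone[dz],
            likelihood=likelihood_by_protocol.get(f.protocol, 3),
        ))
    findings.sort(key=lambda x: (x.risk, x.deviation), reverse=True)
    return findings

def run_review():
    """Constructed sample design: one plant with four zones and five flows."""
    components = [
        Component("erp", "enterprise"),
        Component("eng-ws", "enterprise"),
        Component("vendor-laptop", "enterprise"),
        Component("historian", "dmz"),
        Component("scada", "supervisory"),
        Component("plc", "control"),
    ]
    flows = [
        Flow("erp", "historian", "https"),        # permitted conduit
        Flow("historian", "scada", "opc-ua"),     # permitted conduit
        Flow("scada", "plc", "modbus"),           # permitted conduit
        Flow("eng-ws", "plc", "modbus"),          # deviation: skips two zones
        Flow("vendor-laptop", "scada", "rdp"),    # deviation: skips the DMZ
    ]
    consequence_by_zone = {"enterprise": 1, "dmz": 2, "supervisory": 4, "control": 5}
    likelihood_by_protocol = {"https": 2, "opc-ua": 2, "modbus": 4, "rdp": 4}
    return review(components, flows, consequence_by_zone, likelihood_by_protocol)

if __name__ == "__main__":
    for fd in run_review():
        tag = "DEVIATION" if fd.deviation else "permitted"
        print(f"{fd.risk:2d} {tag:9s} {fd.src_zone}->{fd.dst_zone} "
              f"{fd.flow.src}->{fd.flow.dst} ({fd.flow.protocol})")
```

The ranking puts the engineering workstation's direct path into the control zone at the top, ahead of the permitted SCADA-to-PLC conduit with the same score, which is the point of the review: the deviations from the reference model, not every high-consequence path, are where the extra control belongs.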
We should not change the design approved by the OEM, because they have validated the functionality and usability of the ICS to deliver the outcome. Applying security patches, installing new software versions, adding an extra firewall in between, or even changing a network-layer protocol for perceived security could break the ICS. It would then be just like "The operation was successful, but the patient died."
System isolation and physical controls (proximity access, removable-media insertion), together with administrative controls (segregation of duties, discrepancy action) and management controls (authorization) backed by laws and regulation, are the best measures. We should not always look to technical controls, nor to a 100% business model.