Secure by design of ICS (Industrial Control System) is just part of the ICS life cycle. If design is insecure, retrofit sometimes is not possible and need to rebuild from scratch again.
Next is the ongoing sustainability of the cybersecurity because the ICS is only secure at that particular point in time of commissioning. Addressing new vulnerabilities and continuous strengthening are required to keep staying cyber secure.
Of course, identify the business outcomes and acceptable risks then translate into ICS cybersecurity requirements in the procurement specification is the very first step.