This document discusses where to start with industrial control system (ICS) security. It begins by explaining why ICS security is important given past attacks targeting these systems. It then outlines a strategic and tactical approach to ICS security that involves developing a security program, conducting assessments, and creating an improvement plan. Specific tactical steps are also discussed, such as implementing firewalls, patch management, asset management, and threat detection. The document emphasizes taking a holistic, risk-based approach that addresses people, processes, and technologies.