It all boils down to managing risk, as well as deterring threats that are credible regardless of risk. You have to understand what your risks are, understand their impacts, then design and manage methods to eliminate or mitigate them. Risks can be mathematically estimated, which is helpful for prioritization.
In practical terms, some risk mitigation methods are hard to implement, others are expensive to implement, and still others are so clunky that they make things unnecessarily difficult.
The risk management methods that are transparent are the unsung heroes because no one really knows they’re there until there’s a problem. I like to think of it like the people who build, operate, and maintain power generation facilities. Those facilities run nearly every day no matter what, except for maintenance and catastrophic failures. Unless you work in the industry, I suspect there’s hardly a thought. Convenient and effective security controls are like the macOS of the ICS world: it just works!
The controls that result from great risk management work like that, too.
I enjoy thinking about those problems and working to engineer solutions.