IT Rules for Cybersecurity of control systems

How far should we go in adopting IT type rules for the management of cybersecurity on control systems. Will treating a control system as just another set of PCC's (from the IT perspective) cause more problems?

This was originally posted in "The Process Automation Usability Project" by the Gary Law. See the responses he got there and contribute with your own here.