Re: One word:
A long time ago I worked for a company that installed hardware into (NHS) hospitals and so on.
We started with a PC supplied by us that worked as a basic server, with a serial link to a PC sitting in the private network that we fitted. Reasonably safe, until the PC supplied by us got hammered by whatever was lurking around the system, and for supplier "reasons" applying security updates to any of the kit, including the external PC, was not permitted.
Later we switched to deploying an edge firewall, with all of our PCs operating within the private network and no serial link. The firewall didn't have to be expensive, or even have lots of features; all it needed to do was allow incoming communication only on the port(s) that we permitted and nothing else. No communications were permitted outbound at all. We sold it as "protecting the NHS network" from whatever was in the private network; however, our main priority was the other way round, of course...
It was almost an amusing day when I turned up on site with the local IT staff running around reimaging systems all around the department, and they weren't happy when I told them that they were under no circumstances to be allowed near the systems that we supplied. Luckily for me, even though I got there after they started, they couldn't access the PCs that we supplied (locked in cabinets), so they didn't trash our systems. They weren't happy about not being able to reimage our PCs, but eventually had to back down.
It was a somewhat less amusing day when I found that an engineer had introduced an auto-run virus to our systems because he'd used an infected USB storage stick. It was at that point I found that, despite the morons at Microsoft introducing a policy and settings to "not auto-run", the stupid OS "auto-ran" regardless. This "functionality" was only fixed by a later OS update/patch which, of course, the original vendor refused to permit to be installed as it might impact operation - although only if their code was crap. I had three visits to that site for this one reason before I got very grumpy with the situation and things changed...
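The edge-firewall policy described in the reply above (inbound allowed only on the permitted port(s), nothing originating from the private side allowed out), written out as an nftables ruleset. This is an added example, not the poster's or any vendor's configuration; the interface names (eth0 facing the hospital network, eth1 facing the private network) and the permitted port (TCP 5000) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's configuration. Assumed names:
#   eth0 = interface facing the hospital (NHS) network
#   eth1 = interface facing the vendor's private network
#   TCP 5000 = stand-in for the permitted service port(s)
flush ruleset

table inet edge {
    chain input {
        # Nothing may talk to the firewall box itself except loopback.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections that were already permitted.
        ct state established,related accept

        # The only thing allowed in: new connections from the hospital
        # side to the permitted port(s) on the private side.
        iif "eth0" oif "eth1" tcp dport { 5000 } ct state new accept

        # Anything the private side tries to originate is logged and
        # dropped; a hit here is a sign something on that side is trying
        # to reach out (e.g. the kind of infection described above).
        iif "eth1" ct state new log prefix "edge-private-egress " drop

        # Everything else falls through to the drop policy.
    }

    chain output {
        # The firewall itself originates no traffic.
        type filter hook output priority 0; policy drop;
        oif "lo" accept
    }
}
```

Load with `nft -f <file>` and watch the kernel log for the `edge-private-egress` prefix; every line there is a connection attempt from the private side that the policy refused.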