Why do people make this so complicated?
Leave the network as is, change the router at the edge, and enact a policy that no device gets internet access without explicit consent.
The X-rays and scans can be flung around internally all they like; other changes may be needed later to help, but in one go you've stopped random outside access to a vast chunk of the equipment.
Device techs and whatnot could be given a VPN or similar if they need to connect to the devices.
I know it's not a full plan, but it is a lot simpler than half of what I've seen in the comments here; at the end of the day, no one is going to go carving up the network or reworking everything.
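As an added illustration of the edge-router policy the comment above describes (this is example code written for this page, not something the commenter posted), the script below generates an nftables ruleset for a Linux-based edge router: the forward chain defaults to drop, so nothing outside can reach the internal network and no internal host reaches the internet unless its address is in an allowlist file; a VPN interface for vendor techs is permitted into the internal network. The interface names (lan0, wan0, wg0), the allowlist file format (one IPv4 address per line, `#` comments), and the sample entries are assumptions. On a flat internal network, device-to-device traffic never crosses the router, so the X-rays and scans keep flowing without any rule for them; the output is meant to be reviewed and then loaded with `nft -f`.

```shell
#!/bin/sh
# Generate an nftables ruleset for an edge router that lets only explicitly
# allow-listed internal hosts reach the internet and lets nothing in from
# outside except established replies and the vendor VPN.
# Interface names are assumptions; override via environment if needed.
LAN_IF="${LAN_IF:-lan0}"   # flat internal network (devices, PACS, workstations)
WAN_IF="${WAN_IF:-wan0}"   # upstream / internet
VPN_IF="${VPN_IF:-wg0}"    # tunnel for device techs who need remote access

# Read an allowlist file (one IPv4 address per line, '#' comments and blank
# lines ignored) and print the addresses as a comma-separated nft element list.
read_allowlist() {
    elems=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                 # drop trailing comment
        line=$(printf '%s' "$line" | tr -d '[:space:]')    # trim whitespace
        [ -z "$line" ] && continue
        if [ -z "$elems" ]; then elems="$line"; else elems="$elems, $line"; fi
    done < "$1"
    printf '%s' "$elems"
}

# Print the full ruleset for the given allowlist file.
gen_ruleset() {
    elems=$(read_allowlist "$1")
    if [ -n "$elems" ]; then
        elements_line="        elements = { $elems }"
    else
        elements_line=""    # an empty set is valid; nothing gets internet access
    fi
    cat <<EOF
flush ruleset
table inet edge {
    # Hosts that have been explicitly granted internet access.
    set egress_allowed {
        type ipv4_addr
$elements_line
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were already allowed.
        ct state established,related accept
        ct state invalid drop
        # Device techs on the VPN may reach the internal network.
        iifname "$VPN_IF" oifname "$LAN_IF" accept
        # Only allow-listed internal hosts may open connections to the internet.
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr @egress_allowed accept
        # Anything else trying to cross the edge (in or out) is logged and dropped.
        counter log prefix "egress-denied: " drop
    }
}
EOF
}

# Usage: sh gen-edge-rules.sh /etc/edge/egress-allowlist.txt > /etc/nftables.conf
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    gen_ruleset "$1"
fi
```

Granting a host internet access is then a matter of adding its address to the allowlist file and reloading; the `egress-denied:` log prefix also gives a quick way to see which devices are trying to reach out before anyone has consented for them.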