So this is my first hands-on run-in with this kind of thing.
We have an enterprise-wide LAN within our organization that we keep (I think) pretty secure. We run some pretty good software solutions at the desktop level for anti-virus and anti-spyware, and have a pretty good firewall in place. We're not Fort Knox I suppose, but the wind does not whistle through our network.
We are in the process of setting up a new facility, and nearly all of the super huge and heavy industrial machinery is controlled by a PLC, which interfaces with a computer that basically makes all of the decisions for the machinery. These computers are on a different subnet than the rest of the LAN there, and there is a router between the two networks. However, it's basically an open router - it just passes stuff along - it doesn't care whether it is valid traffic, or a worm or virus. The complication here is that, because these computers are so important, we absolutely do not want to put anything on them that will interfere in any way with their communication with the PLC and the machinery - including anti-virus software or a software firewall, etc. And that is the bind. These machines are so important that they cannot be down. So we can't put anti-virus software on them, or apply Windows updates, and other things that you'd normally do to protect a computer. And because we can't do that, that makes them super vulnerable to viruses and stuff.
So, the answer seems to be putting a hardware firewall in place on the network, between our main LAN and our little critical LAN. This would let all of the PLCs and computers and machinery talk on the inside of the secure LAN, but would stop anything on the main LAN from getting in. I've set up firewalls before, but I've just never been part of a network large/complicated enough to have more than the one main firewall.
Next: One to One NAT and IPS!
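The policy the post describes (the control subnet may talk among itself, nothing on the main LAN may open a connection into it) is what a zone-based, stateful, default-deny rule table expresses. The following is an added illustration, not code from the post or from any firewall product: a small Python simulator of such a rule table run over constructed packets. The two subnets (10.0.0.0/16 for the main LAN, 10.50.0.0/24 for the PLC computers), the rule allowing the control computers to initiate connections outward, and all addresses and ports are assumptions for the example only.

```python
"""Toy stateful, zone-based firewall between a corporate LAN and a PLC subnet.

Constructed example: subnets, rule table and sample packets are assumptions
for illustration, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (hypothetical).
CORP_LAN = ip_network("10.0.0.0/16")   # main enterprise LAN
OT_LAN = ip_network("10.50.0.0/24")    # PLC / control-computer subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True when the packet opens a new TCP connection


def zone(addr: str) -> str:
    """Map an address to the zone the firewall reasons about."""
    a = ip_address(addr)
    if a in OT_LAN:
        return "ot"
    if a in CORP_LAN:
        return "corp"
    return "other"


# Rule table for NEW connections: (from_zone, to_zone, action).
# First match wins; anything unmatched falls through to default deny.
RULES = [
    ("ot", "ot", "accept"),      # control side talks freely among itself
    ("ot", "corp", "accept"),    # assumed: control computers may initiate outbound
    ("corp", "ot", "drop"),      # nothing on the main LAN may open a connection in
]


class Firewall:
    def __init__(self) -> None:
        self.flows: set = set()   # admitted flows, keyed (src, sport, dst, dport)
        self.log: list = []

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.syn:
            # Non-SYN packets are accepted only as part of an admitted flow, in
            # either direction; an unsolicited mid-stream packet is dropped.
            if fwd in self.flows or rev in self.flows:
                return self._log(pkt, "accept", "established")
            return self._log(pkt, "drop", "no matching flow")
        src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
        for frm, to, action in RULES:
            if frm == src_zone and to == dst_zone:
                if action == "accept":
                    self.flows.add(fwd)   # remember the flow so replies get in
                return self._log(pkt, action, f"rule {frm}->{to}")
        return self._log(pkt, "drop", "default deny")

    def _log(self, pkt: Packet, action: str, reason: str) -> str:
        self.log.append(
            f"{action.upper():6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({reason})"
        )
        return action


def run_sample() -> list:
    """Push a few constructed packets through the filter and return the verdicts."""
    fw = Firewall()
    verdicts = [
        fw.decide(Packet("10.0.3.7", 51000, "10.50.0.10", 8080, syn=True)),   # corp -> PLC host
        fw.decide(Packet("10.50.0.10", 40000, "10.0.9.2", 443, syn=True)),    # PLC host -> corp
        fw.decide(Packet("10.0.9.2", 443, "10.50.0.10", 40000)),              # reply to the above
        fw.decide(Packet("10.0.3.7", 51001, "10.50.0.10", 8080)),             # mid-stream, no flow
        fw.decide(Packet("192.168.99.5", 1234, "10.50.0.10", 8080, syn=True)), # unknown zone
    ]
    return verdicts


if __name__ == "__main__":
    run_sample.__doc__
    fw_verdicts = run_sample()
    print(fw_verdicts)
```

The point the simulation makes beyond the paragraph: the reply in the third packet is admitted only because the control computer opened that flow first, while the fourth packet, which looks like traffic in the same direction as a reply but matches no admitted flow, is dropped. A hardware firewall doing stateful inspection applies the same logic, and the default-deny fallthrough is what protects the unpatched hosts from anything the rule table did not explicitly foresee.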