Air-gapped network is the only choice for industrial scenario.
What is an air-gapped network
Through physically isolated from unsecured networks, such as the public network or unsecured local area networks, makes computers or network has no network interfaces connected to other networks with a physical or conceptual air gap to minimize threat surface.
Basic principal
Air gapped network need network devices, security devices, dev servers, centrally managed update servers
Dedicated VLAN isolations for the different group(e.g. Windows, Linux, development, testing)
Host-DLP system if necessary
MAC security mechanism if necessary
Watermark if necessary
Wired network connection only
Controlled testing network
Physically blocked USB ports, RJ45 ports, and other unused I/O ports
MAC address filtered wall jack
Password policy, security awareness screensaver
Controlled and dedicated removable USB media, USB devices administrative guide
Centralized update OS patch server and Anti-virus server
On-premise hosting and Network Security Assessment
What it looks like