Keep your eyes out for the words "NERC-CIP"
In the US, there are a bunch of cyber security regulations for power plants (and other infrastructure) that are labelled as "critical" (either because it is so large, or part of a blackout restoration chain, or a few other reasons).
This is part of my new job description at the Utility that I work for - it's an interesting new world.
a) Up until recently, it was the same as the EPA/CAA/CSAPR rules - the corporate office people read the law and pushed a bunch of requirements onto the plant people and told them to adhere to these and deal with it (you know how that goes...). They are coming around to getting more plant people involved and making things (monthly/weekly patching) more workable.
b) NERC does audits on -CIP sites and has the ability to fine them for violations. We got fined last year... I'm not sure how large the fines are.
c) From what I've seen so far, even if there is some variance from one auditor to another, the NERC-CIP standards and people are doing their best to do it right (access log reviews, physical controls, monitoring/logging, firewall control, rules review, backups, change management...). It's onerous for a power plant (and only as good as the people running the system) but well on the right track.
(...and please trust that I am not a big fan of much that the us.gov does in the way of regulation...the larger a thing is, the slower it changes.)
Please don't think that I'm trying to paint this NERC-CIP thing as the answer to our worries - it's not, but know that some .gov and some large utility people/vendors/IT have this on their minds.
I did read a pdf (a year or 2 ago) describing how easy it was to DDoS a SLC500 (so easy I wanted to try it myself), and for a factory this could be an expensive proposition. I also think that if you had good backups (we all have good backups incl. offsite... right?!?) and a few techs that know when to press "download" and when to press "upload", then at least a factory has the ability to recover itself - that would be first on my mind if I had a factory to run (NERC-CIP requires a documented and tested recovery plan...).
My impression is that most of the 'entrenched' controls guys have fought against corporate interference from day one (because they are territorial like that) and that has limited the 'visibility' (connectivity?) of many controls networks. This isn't a good answer, but it helps.
I don't know how to convince a small manufacturer that he/she needs to put a $xk firewall on their network. $xk is a lot of production time...
-John