I can't think of any reason you would ever permanently connect your PLC network to a broadband (Internet) connection except to connect a VPN: the VPN would allow you remote access to your PLC.
But to answer your question, any good quality firewall would insulate your PLC from the Internet - the VPN is your 'hole' through the firewall to allow you and only you from the WAN through the firewall back into the LAN.
I frequently connect a firewall during development so I can have Internet access (get prior projects, read literature, download updates, ...), then shut down the ports on the firewall when I'm done. Or only leave the VPN on when I'm done. Like I said in the earlier post, I'm partial to the Zyxel Zywall 2+ since they have every feature I've ever needed, are cost effective and have proven to be reliable in my panels. But as far as firewall brands go, I'm sure 10 engineers would give you 10 different answers.
I also use the firewall to insulate my control traffic from my HMI traffic. For example, I put all the PLCs on the 'LAN', all the HMIs on the 'DMZ' and the Internet on the 'WAN' ports. Then I know that providing Internet access to the HMI (WAN to DMZ) can in no way affect the traffic on the PLC (LAN).
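
The zone layout described above (PLCs on LAN, HMIs on DMZ, Internet on WAN, VPN as the only way in from outside) can be checked mechanically against a ruleset. This is an added example, not part of the original post: the rule model, the TCP ports (443 for HMI access, 502 for Modbus/TCP from HMI to PLC) and both rulesets are constructed assumptions, not Zywall configuration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str              # source zone: WAN, DMZ, LAN or VPN
    dst: str              # destination zone
    port: Optional[int]   # TCP destination port, None means any port
    action: str           # "allow" or "deny"

def decide(rules, src, dst, port):
    """First matching rule wins; traffic that matches no rule is denied."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.port in (None, port):
            return r.action
    return "deny"

# Assumed intent: nothing from WAN reaches the PLC zone, and the HMI zone
# reaches it on the PLC protocol port only (502, Modbus/TCP, is an assumption).
INTENT = {("WAN", "LAN"): set(), ("DMZ", "LAN"): {502}}

def audit(rules):
    """Return (src, dst, port) flows the ruleset allows but the intent forbids."""
    # Probe every port a rule names, plus 0 as a stand-in for "any other port".
    probe = {r.port for r in rules if r.port is not None} | {0}
    return sorted(
        (src, dst, port)
        for (src, dst), allowed in INTENT.items()
        for port in probe
        if port not in allowed and decide(rules, src, dst, port) == "allow"
    )

# Constructed ruleset matching the layout: VPN into LAN, Internet to HMIs only.
GOOD = [
    Rule("VPN", "LAN", None, "allow"),
    Rule("WAN", "DMZ", 443, "allow"),
    Rule("DMZ", "LAN", 502, "allow"),
]

# Constructed drift: a port opened during development and never closed,
# plus a catch-all from the HMI zone into the PLC zone.
BAD = [Rule("WAN", "LAN", 80, "allow")] + GOOD + [Rule("DMZ", "LAN", None, "allow")]

if __name__ == "__main__":
    print("GOOD findings:", audit(GOOD))
    print("BAD findings: ", audit(BAD))
```

An empty result means the ruleset still matches the intended separation; each tuple otherwise names a zone pair and port to close.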