On the industrial side all these devices are in completely segregated air-gapped networks. Obviously someone could wreak havoc via USB, etc., but it’s not as bad as it could be.
Why do you believe this? Connections between industrial control networks and corporate internet-facing business networks are ubiquitous [0]. They happen because somebody needed a link for convenience and forgot to tell management, or somebody put a wifi router on the IC network just to get their job done. This stuff happens because people act like people, policy be damned.
So yeah, this is really, really bad.
[0] This is well-established infosec fact. It's not controversial. Latest case I know of was at JPL a few weeks ago.
Agreed. Some orgs are better than others at practicing good security hygiene.
The better ones have awareness of their network and have systems monitoring their networks, etc. There are after all the equivalents of Qualys in the IA world.
Depends on the org. For some companies, you could drop a few USB devices in the parking lot and they'd be toast. Others fill the USB ports on their computers with epoxy.