Re: Production control systems were built before the internet
"Your point raises another question. If it is worth isolating assets, what is the best way to deal with a previous implementation that you do not feel does the job properly?"
This is an interesting question because it once again raises an issue that is more one of Corporate culture and the people involved than it is a purely technical issue, so once again how this is handled is up for grabs as it were and I can only relate how it would be handled in environments with which I am familiar.
Firstly the concern would be documented and the risk and consequences of the current configuration assessed. Then a desired end-state would be generated and the same risk and consequence level assessed, and the Company would have to decide whether they (a) wished to remediate the problem (and bear the applicable costs) or (b) accept the risk and consequence (presumably elevated risk and consequence) of doing nothing. This is often a decision based on whether the cost of doing it is sufficient to justify the benefit.
If option (b) is chosen, you now have perhaps more accurate documentation of the level of risk and consequences which the Company has decided to accept and the matter is effectively closed until next time it is reviewed.
If option (a) is chosen then a remediation project is commenced to "fix" the problem and the Company again has to decide whether or not to accept the risk associated with continuing interim operations while the remediation is executed. Eventually the project is complete and the new risk and consequence analysis is signed off by the Company.
The more interesting question is how does someone raise this issue to be sure that it gets dealt with at all and not just ignored? This is again a matter of Corporate culture and depends on whether the Company has in place procedures to continuously review and audit the already approved risk and consequence documentation that has been accepted by the Company, and whether or not this process operates without consequence for previous reviewers who may have made a different choice at that time.
The world and technology are continuously changing and what may have been unfeasible a few years ago may very well have a better and more feasible solution today. The Company should be recognizing this fact by encouraging a continuous review process, and that new methods and technologies might just exist to make things better, and that this in no way detracts from what someone thought was adequate in the past -- you cannot assume that those decision makers were making bad decisions, merely that something better exists and that is the direction which ought to be pursued.