@AGHRMatt posted: Bottom line -- isolate your control systems from the Internet and the company's main network. There are ways.
Agree. Or at least put extra controls around critical infrastructure. Like a bastion, or data diodes to prevent exfil of sensitive info.
I read that Windows 11 is going to require a TPM 2.0 module for ALL computers, not just business-class workstations, because Microsoft believes that BIOS/EFI hacks are the next big risk for consumers. I think they're correct.