So I have to be lean on details for this answer because NDAs.
But in some of my manufacturing centers, we're deploying internal firewalls to protect the greater industrial controls network from the manufacturing hardware systems that are routinely serviced by vendors. Some of our vendors have been less than stringent on their sterile security procedures, and that has led to viruses and malware spreading like wildfire on systems that are by design single purpose, and usually naked. Meaning no firewalls, and little to no antivirus.
We already have the full blown infrastructure build out from the ancient Purdue model. Shoring that up has been our mission.
So on every system that can host an accessible operating system, we've been deploying internal firewalls, that block all traffic from the source device with the exception of a returns from single remote access or monitoring tool. Dumb schmuck maintenance guy comes out and does his firmware update, and the infected USB drive he uses for the purpose (he's also used to carry porn from his home pc to his office or whatever) no longer infects any system on our industrial systems save the vendor system...
Ideally we want to move to full trustless architecture.