An analogy I like use during conversations with customers is what I call the ICS security bubble strategy:
The idea is that in order to defend systems that are either too old to be updated with the latest security controls or systems that cannot handle security controls because of limited device resources, it helps to visualize the security strategy for such devices to placing them in a soap or glass bubble. The systems and devices in the bubble trust each other and are allowed to communicate unrestricted among each other. In order to be placed inside the bubble, systems must be verified to be free of malicious ...