The question draws on a separate book, as it seems to me. But since there are no details, the general principles are something like this:
1. An isolated locale, if used. Lack of radio channels (any, wifi, 433, etc.). If you really can’t, consider the situation that there is no channel, or the data on the channel is fake, incl. with malicious intent.
2. If it is directly necessary for the hardware to pull something from the Internet - for example, an additional linux gateway that allows only what is needed. Variations with direct access from tyrnet to iron should be discarded immediately.
3. Encrypt data over the network. Don't use weak ciphers.
4. Don't use simple passwords (yes, 2018).
5. Correctly configure services, carefully expose access to files.
6. I don’t write about the iron part. But the issue of surge protection, port burnout, functional redundancy, etc., also applies to security.
7. Backups and redundancy should not be an empty phrase for you.
8. [....]
Well, I think the direction of thought is clear.