I think one of the most difficult things to do on the security side is to determine the true need for, and then the subsequent effectiveness of, controls. Part of the problem is that there are hundreds of forms a control can take and hundreds of ways to implement them. Layering controls is essential, but it has to be done in a methodical manner.
To protect from worms on a system you have a lot of options. None of them are 100% effective. But many of them are 80% to 90% effective.
I am not an advocate of complete physical separation. The reason is simple. The organization that separates the system usually assumes that the solution is 100% effective. The reality is that someone some time is going to connect into them.
An organization I was in contact with several years ago did a great job separating their network. They had loads of documentation, did scans, and had clear policies and standards associated with their requirements. When Blaster broke out, their business systems were pretty much unaffected. A week into the outbreak, a contractor hired to maintain their DCS got his MAC address approved through the proper channels and plugged into one of the isolated networks to monitor settings. Twelve hours later (and much lost production) they managed to get it cleaned up.
In this scenario, the problem was that the separation actually made it more difficult to keep AV and patches up to date.
A quick clarification here for the non-SCADA security folks. The "isolated" networks approach is still heavily advocated in some areas of the DCS world, and many vendors' default approach is "just don't connect it to anything". Like IT and IS in the early '90s, they think they can be safe if they just don't connect. Many haven't realized that it isn't possible to totally isolate anymore. That said, isolation is a control, just not a very realistic one.
Go to Part 2 here