A malicious person does not need much. A patched RJ45 connection in the wall can suffice for that person, whether it is in the canteen or in a production hall. In addition, your own employees can also mean evil, so the inside of the side of the wall must be defended just as well.
There are many production companies that depend on the applications of their suppliers and still run on old Windows machines. Many servers can be hacked within a few minutes...
Tips: Regularly scan your internal network and make sure you have the necessary updates. Also segment your network. If you have a supplier that continues to run on an old version, really think about another supplier, even if this takes time. Getting hacked is guaranteed to cost you more time and worry.
Vulnerability scans now go much further and also look at ports, configuration errors, backdoors and other vulnerabilities. If you do not have the time or manpower in-house, opt for a managed solution so that both sides of your wall are safely monitored and as safe as possible.