The factory network might have been designed under the assumption that there were no such unsafe devices around, somebody might have poked a hole on the firewall for something completelly different that exposed these tools, somebody might have taken one of these home or to a company office for some reason and brought it back infected, somebody with a notebook connected to the Internet via Mobile came to the factory, an attacker physically parked next to the factory and started hacking, the good old “drop a USB disk with a virus in the parking lot”, and so on and so on…
You’re really supposed to design networked software under the assumption that at some point it will be exposed to an unsafe network.
The factory network might have been designed under the assumption that there were no such unsafe devices around, somebody might have poked a hole on the firewall for something completelly different that exposed these tools, somebody might have taken one of these home or to a company office for some reason and brought it back infected, somebody with a notebook connected to the Internet via Mobile came to the factory, an attacker physically parked next to the factory and started hacking, the good old “drop a USB disk with a virus in the parking lot”, and so on and so on…
You’re really supposed to design networked software under the assumption that at some point it will be exposed to an unsafe network.