Zero-trust network isolation for the operational side is probably the only real solution, but it's expensive since using the network side to update the industrial control systems on the operational side is no longer allowed. Here's a writeup on the Colonial Pipelines ransoware attack for comparison:

https://airgap.io/blog/zero-trust-network-isolation-for-indu...