"Production machines like that should be on a network that's deliberately several, preferably physical, steps removed from any automated update cycle. If they're connected to a thing like the Internet at all...."

Not my area, but I'd not be surprised if some extremely expensive bit of control software for running machinery didn't have a requirement to phone home every now and then for "updates" or just to be authorised to keep running, eg licence validation. Or do they still use hardware dongles and haven't caught up to newfangled cloudy things yet?

