"Zero Trust" Inside Plant, Intranet
Of course one cannot assume that a refinery(or similar sized plants) with thousands of employees is totally free of bad apples. Compartmentalize the plant with physical access locks, have plenty of cameras and most importantly, have a plant-internal intel+security service which will find out funny stuff.
Run your employees through government intel databases to weed out the obvious criminals. Liaise with government on threats against your plant.
Never assume an "intranet computer" is always friendly.
All of these security measures require seasoned IT and security experts, it requires documentation and maintenance of the various measures. It requires managers who know what they are doing. And it requires a budget, something the beancounters obviously hate.