Symantec recently reported on the resurgence of a group known as Dragonfly. This group has been in operation for many years but primarily in Europe, this is their first foray that we know of into the North American market. It is believed they are gathering intelligence on our systems which could give them the ability to cause large scale disruptions to operations.
With reports like this becoming more and more frequent, it brings to light the need to properly secure your infrastructure. According to the Department of Homeland Security, one of the best ways to do that, is with a Data Diode. Data Diodes, like their name implies are a physical air gap in communication allowing only 1 way data flow. Because this is a hardware solution, there is no way for a software breach to circumvent this solution.
Additionally to assist with your defence in depth approach, consider an OpShield, to do deep packet inspection on the traffic that already resided on your network, allowing the ability to white-list down to the command level.