rodneygray asked:
Protect plant systems from network-aware spyware/viruses

Presently I have two network segments, (office) 192.168.1.x and (plant) 192.168.3.x. Both networks use the same network switches to "talk" to other workstations in their network segment. This was done to protect plant systems from network-aware spyware/viruses. The plant systems do not have internet access. We do not want to put AV on the plant computers because of conflicts with some of the software we run and the performance hit. However, we now have a problem. We have installed wireless in the plant area. This was done so we could collect job data on the plant floor. Now, the supervisor wants to utilize the wireless on the plant network also (some type of portable scales they want to collect data from).
The simple solution is to place all systems, office and plant, in the same network segment. However, to do so increases the risk that some network-aware spyware/virus will infect the plant systems. In some cases this could be costly as it could alter a production cycle and product could be underprocessed. How can I effectively combine these networks and provide virus/spyware protection?
atlas_shuddered:

Depends on how robust you want the boundary to be. You could go with something as simple as placing VLAN ACLs in the mix, up to introducing an application-layer firewall/proxy with content filtering. Of course the simplest way to resolve the issue is to make the case for not implementing what the supervisor desires due to the risks you've noted above. I've worked in a plant environment and I noticed that plant managers/supervisors had a lot of juice until you tell the owner that his idea could lead to the damage of a $500,000 piece of equipment or a few $1000 in processing errors and the headache of a POed customer.
"We have installed wireless in the plant area. This was done so we could collect job data on the plant floor. Now, the supervisor wants to utilize the wireless on the plant network also (some type of portable scales they want to collect data from)"

I don't understand the problem here. If the supervisor wants to use the plant floor wireless system to access a plant floor system (his scales), how does that compromise security?
According to this -

"The simple solution is to place all systems, office and plant, in the same network segment. However, to do so increases the risk that some network-aware spyware/virus will infect the plant systems. In some cases this could be costly as it could alter a production cycle and product could be underprocessed. How can I effectively combine these networks and provide virus/spyware protection?"

You already have come to the conclusion of a potential for compromise.

Like I said in my original post, it all depends on how robust you want the solution to be and what degree of risk you are willing to live with. Anything from simply using VLAN ACLs to an actual boundary control, whether by firewall, proxy, content filtering or some combination thereof.
rodneygray (asker):

Sorry for my delay in responding. I had to think about and research possible solutions offered by atlas. After completing my research, it appears there is no way to accomplish what I need to do. Presently, both network segments (192.168.1.x and 192.168.3.x) exist on the same network infrastructure (cable/switches). Even though packets from both are traveling across the same cables/switches, one does not know the other exists. From what I read, a VLAN would allow restructuring the network. Certain ports would be assigned to 192.168.1.x and other ports would be assigned to 192.168.3.x. This would stop the two segments from "hearing" the other's broadcasts. While this would reduce chatter across the segments, it does not address my problems.

Problem 1: My wireless network is composed of Symbol AP5131s. They are on the 192.168.1.x network. Only devices in that segment will be able to communicate across the wireless network. This includes office systems such as time clocks. The scale and barcoding system is on segment 192.168.3.x. They will not be able to establish a session with the wireless access points. Is there a wireless access point that will support two segments? i.e., 192.168.1.x and 192.168.2.x will be able to establish sessions.
Problem 2: I need to be able to print to printers located on the 192.168.1.x segment from computers on the 192.168.3.x segment.
Problem 3: I need to be able to use VNC to open sessions from the 192.168.1.x segment on the 192.168.3.x segment.
Problem 4: I want to be able to transfer data from the 192.168.3.x segment to the 192.168.1.x segment.

I don't see any way to accomplish these goals without either placing all devices on the same segment or using a router to join the two segments. But the first and foremost goal is to protect the 192.168.3.x (plant) segment from potential virus/spyware risks posed by the 192.168.1.x (office) segment.

I am trying to find out how other plants have overcome the obstacle of gaining access to plant systems while protecting them at the same time.

Problem 1: Most APs today support multiple SSID/VLAN capability. This would give you the ability for two different segments to connect to the same AP.

Problem 2: Establish your remote printing ports by IP rather than using a setup disk. This will give you the ability to establish the print port with associated drivers. PCs don't care about what segment your printers sit on as long as they can send the data and receive a confirmation of receipt/print start.

Regarding Problems 3 and 4, as well as how to get your data around in Problems 1 and 2, you are correct: you will need a router or at least a layer 3 switch. To do what you want to do you are trying to shuffle traffic from one broadcast domain to another.

Given the information you have provided and your desire for malware protection without deploying to the actual plant hosts, you will need to implement either an inline content filter or a proxy. Either will be a challenge to configure, but both are doable. As a point of note, it may be easier to utilize Microsoft's ISA Server (now Forefront), installing it as your router, your proxy and your content filter between the two segments.
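One way to express the allow-list that the router or layer 3 boundary described above would enforce for Problems 2, 3 and 4, and that the earlier "VLAN ACLs up to a firewall" answer alludes to, as an added example that is not part of the original thread and not any vendor's code. The two /24 prefixes are the ones in the thread; the print server, file drop, VNC jump host, port choices and sample flows are constructed assumptions:

```python
"""Allow-list between an office segment and a plant segment, as a router /
layer-3 boundary device would enforce it. Added example for this thread, not
code from the original posts or from any vendor mentioned here. The segment
prefixes match the thread; the individual hosts, ports and sample flows are
constructed assumptions."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    dports: frozenset       # empty set means any destination port
    action: str             # "allow" or "deny"


class Flow(NamedTuple):
    """First packet of a new connection: who initiates, to where, on what."""
    src: str
    dst: str
    proto: str
    dport: int


OFFICE = ip_network("192.168.1.0/24")   # from the thread
PLANT = ip_network("192.168.3.0/24")    # from the thread
ANY = ip_network("0.0.0.0/0")
# Constructed hosts: one print server and one file drop in the office, and a
# single office workstation that is allowed to open VNC sessions into the plant.
PRINT_SERVER = ip_network("192.168.1.20/32")
FILE_DROP = ip_network("192.168.1.30/32")
VNC_JUMP = ip_network("192.168.1.10/32")

# First match wins; the last rule makes the boundary default-deny, so anything
# an office PC tries against plant hosts other than the rules below is dropped.
POLICY: List[Rule] = [
    # Problem 2: plant PCs print to the office print server (raw 9100, LPD 515)
    Rule("plant-print", PLANT, PRINT_SERVER, "tcp", frozenset({9100, 515}), "allow"),
    # Problem 3: VNC into plant consoles, but only from the designated jump host
    Rule("vnc-from-jump", VNC_JUMP, PLANT, "tcp", frozenset({5900}), "allow"),
    # Problem 4: data transfer is initiated from the plant side (SMB to the file
    # drop), so no office host ever opens a connection into the plant for it
    Rule("plant-data-push", PLANT, FILE_DROP, "tcp", frozenset({445}), "allow"),
    Rule("default-deny", ANY, ANY, "any", frozenset(), "deny"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, matching rule name) for the first packet of a flow."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in policy:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"


def crosses_boundary(flow: Flow) -> bool:
    """True when the flow goes between the two segments in either direction."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return (src in OFFICE and dst in PLANT) or (src in PLANT and dst in OFFICE)


def denied_crossings(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Tuple[Flow, str]]:
    """Cross-segment flows the boundary drops. These are the events worth
    logging and alerting on: an infected office PC reaching for plant hosts
    on 445 or 5900 shows up here before it reaches anything."""
    return [(f, evaluate(f, policy)[1]) for f in flows
            if crosses_boundary(f) and evaluate(f, policy)[0] == "deny"]


# Constructed sample flows: legitimate traffic plus the kind of traffic an
# infected office workstation would generate toward the plant.
SAMPLE_FLOWS = [
    Flow("192.168.3.15", "192.168.1.20", "tcp", 9100),   # plant PC printing
    Flow("192.168.1.10", "192.168.3.40", "tcp", 5900),   # VNC from jump host
    Flow("192.168.3.15", "192.168.1.30", "tcp", 445),    # plant pushes data
    Flow("192.168.1.55", "192.168.3.40", "tcp", 5900),   # VNC from other office PC
    Flow("192.168.1.55", "192.168.3.40", "tcp", 445),    # office PC probing SMB
    Flow("192.168.1.55", "192.168.3.41", "tcp", 139),    # office PC probing NetBIOS
    Flow("192.168.3.15", "192.168.1.20", "udp", 9100),   # wrong protocol, dropped
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, rule = evaluate(f)
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {action:5} ({rule})")
    print(f"{len(denied_crossings(SAMPLE_FLOWS))} denied cross-segment flows to log")
```

The evaluator is stateless and only judges the first packet of a connection; a real router ACL or firewall needs either stateful inspection or mirror rules so the replies to allowed connections get back. The design point is the direction of initiation: the plant side opens the print and data-transfer connections, and the only connection an office host may open into the plant is VNC from one named jump host, so a worm on any other office PC has no permitted path and its attempts land in the denied list the boundary should be logging.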
Atlas,
On the Siemens website I found a device, SCALANCE. This device sits between the office network and the plant network. You can then enable communications either one-way or two-way between the devices. I talked to their tech support and they explained that this device was created for the very scenario I'm working on. I am sure the solution will not be inexpensive. However, not protecting the plant systems will be much more expensive. As I research this, I will update this question. Thanks for your expert help. I will award you the points. However, to keep others who might be researching the same situation, I am going to wait to close the question until I have a working solution.
ASKER CERTIFIED SOLUTION by atlas_shuddered (solution text only available to Experts Exchange members)