I use the eWon and MBConnect devices all the time; one or the other goes into every machine we build. They are VPN gateways with secure login so we can remotely work on a machine instead of having to immediately travel to it to check the slightest thing.
None of our customers leave the internet side of the device plugged in. Unless we are on the phone with them, and they are by the machine, it is unplugged. As an additional level of security, the device has a keyswitch connected to it that must be turned on to allow it to connect to the internet, just in case it gets plugged in.
Most devices are managed through the respective manufacturers' applications via the cloud, so we just have to download their application and log in, and it handles getting the keys and establishing the secure VPN tunnel. It is possible to manage your own infrastructure, but I don't know of anyone who is large enough, or chooses to do it.
I put the eWon app on my brand new work PC; now I have to check if I got pwned the first day I got my new Lappy :( The remote access apps are one of the few things that do not get installed on the VM. Connecting to the VPN through the VM can really be a pain!
The MBConnect devices are really cool, they can even verify the entire system, and reload anything that does not match what is stored inside itself. Besides providing a huge obstacle for anyone wanting to Stuxnet the system, they allow a customer to replace a PLC with a spare, reboot, and have everything come back to normal, and they allow for easier updating of a whole system by passing the program to the MBConnect device, and having it apply the update locally.
Nothing more scary than flashing a PLC remotely, and rebooting it. If it doesn't come back online, you might have to take your Lappy, and leave on an immediate road trip!