Well, much of the security is due to the fact that intruders have to actually plug into the network. Control physical access, and you control who can connect into the network (assuming no internet connection exists-- that's an entirely different ball of worms).
Persistent hackers, however, have been known to infiltrate a facility and find a RJ-45 port and plug in a wireless router so they can hack into the LAN form the parking lot.
For this reason, one should disconnect any unused LAN ports, and use basic security protocols such as assigned IP addresses and MAC verification. These can be spoofed, of course, but it will keep out the script-kiddies and non-serious hackers.