by Iwillgetby 2189 days ago
devops should be done from 2 systems.

Dev (local administrator access ok, production access not ok)

Ops (local admin access not ok, production access ok)

1 comment

Nobody should directly have access to production, it should be controlled via CD flows which are gated on approvals from other team members or metrics.
I can see that being somewhat impractical in real life, but you’re not wrong.

In the ideal setup NotPetya would have been less of an issue for Mærsk, who should only have allowed whitelisted software to run on computers controlling critical infrastructure. It’s just a solution very few choose to deploy.

How would that have helped? The finance software that started the breach was legitimately needed and would have been whitelisted.
One of two things:

Either the malware modifies the finance software, and is executed as part of the finance software, but the checksum for the software is now different and can't run.

Or: The executable malware code is separate and only triggered by the finance software, which will fail to execute it, because the malware isn't a whitelisted application.

At any rate, the malware would never be able to escape beyond the finance software computers. This means that yes, you could have some issues with invoicing, new orders and so on, but you most likely didn't have to shut down ports, because the computers there aren't allowed to run the finance software.
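The two cases in the comment above (a modified binary failing its checksum, and a separately dropped executable not being on the list), plus the per-host containment point, as a small hash-based allowlist model. This is an added example, not code from the commenter; the binaries, host names and `Allowlist` class are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Allowlist:
    """Per-host allowlist: executable name -> SHA-256 of the approved binary.
    Constructed for this example; a real deployment would take the hashes
    from a signed vendor manifest or an enterprise policy tool."""
    approved: dict[str, str] = field(default_factory=dict)

    def approve(self, name: str, binary: bytes) -> None:
        self.approved[name] = hashlib.sha256(binary).hexdigest()

    def check(self, name: str, binary: bytes) -> tuple[bool, str]:
        """Decide an execution request; returns (allowed, reason)."""
        expected = self.approved.get(name)
        if expected is None:
            return False, f"{name}: not on the allowlist"
        if hashlib.sha256(binary).hexdigest() != expected:
            return False, f"{name}: checksum mismatch (binary modified)"
        return True, f"{name}: approved"


# Constructed sample "binaries" (byte strings standing in for real files).
FINANCE_APP = b"\x7fELF finance-app v1.0 (constructed)"
TAMPERED_FINANCE_APP = FINANCE_APP + b" + injected code"
DROPPED_PAYLOAD = b"\x7fELF separate payload (constructed)"


def finance_host() -> Allowlist:
    al = Allowlist()
    al.approve("finance-app", FINANCE_APP)
    return al


def port_control_host() -> Allowlist:
    # Port-side hosts never had the finance software approved at all.
    al = Allowlist()
    al.approve("crane-control", b"\x7fELF crane-control (constructed)")
    return al


def scenarios() -> dict[str, bool]:
    """Run the four execution attempts discussed in the thread."""
    fin, port = finance_host(), port_control_host()
    return {
        "finance host runs genuine app": fin.check("finance-app", FINANCE_APP)[0],
        "finance host runs modified app": fin.check("finance-app", TAMPERED_FINANCE_APP)[0],
        "finance host runs dropped payload": fin.check("payload", DROPPED_PAYLOAD)[0],
        "port host runs finance app": port.check("finance-app", FINANCE_APP)[0],
    }
```

The allowlist is only as strong as the approval step: a trojaned build that is itself approved hashes correctly and passes `check`, so the update source needs its own controls.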

NotPetya authors penetrated the accounting software vendor and planted their attack code in a regular update.
I am with you on this.