I concur. Electric power industry is the same - and for the most part, we keep the operations systems very isolated from the internet and corporate network . I have a feeling that even with all the precautions used (and they are annoyingly cautious), there are weaknesses that can be exploited. External communications paths are one that I would consider, but I'm sure that's on someone's radar too. We have internal communications paths, but some of our comms rely on AT&T, Verizon, Sprint, etc. to get from point A to point B.
Our IT people work to find and contain the weaknesses before the bad guys find and exploit them.
An “inside job” —could— get past the defenses even if the production facilities are isolated from the internet.