This type of control can be done without using the public internet. All it takes is the use of a private network which as no internet connectivity. Infiltrating the latter would be far more difficult than getting in through the internet.
I think that if these critical systems were indeed connected to the internet in some way, a hack would have been found and some script kiddie would have brought down the entire US power grid just for kicks.
Semi-publicly connected, perhaps through dial up modems.
Also how many people have passwords to these systems on their laptop computers? Add the Spyware du Jour and we have....