Re: Which
Having attended a number of energy industry security conferences in the UK I can tell you that they use separate networks for the industrial control systems and corporate networks. Firms that design rigs even have multiple computers on an engineers's desk - one for email, web, etc and another for doing the actual design work where everything is encrypted and there is no transfer of data between the two.
Those attending security conferences tend to be companies that take security seriously - for every company at these conferences there are 10 more that haven't bothered to attend.
I worked in the oil industry for 4 years developing control systems, and we only had a single machine on our desks. Corporate network access for emails and development were done from the same machine (even getting a second monitor was almost impossible, let alone a second machine).
There was no thought to security at all on the product I worked with (and I doubt that has changed on the newer products). The only attempt at security was to insist the client put the control system on a separate network to the rest of the platform, however I know this was not done on a few projects.
In these systems, simply gaining access to the same network would give you complete control of the entire system. You would then be free to open any valves you wish, with no logic in the controller to prevent dangerous operations.
Posted Anonymously for obvious reasons.