Begs the question then, how many facilities went around and made the supposedly isolated (and operation-critical) network a part of the general network to "make it easier"?
I suspect that it is actually cost driven. Don't underestimate how penny pinching companies can be. Quite a lot of large industrial accidents can be traced back, one way or another, to a lack of willingness to spend a small amount of money to avert what was thought to be an unlikely disaster.
In my view companies are pretty bad at taking improbable though severe risks seriously. Look at TEPCO, owners of the plant at Fukushima. They chose to continue to operate their ancient old reactors against all advice, just for the sake of a few yen profit. Look where that got them.
I'm not saying that companies using the Internet to connect industrial control networks together between sites should stop doing that. They could easily and cheaply make such networks much more robust by hiding them behind VPNs. That way any hacker would have to break through a VPN first before they can start attacking vulnerable SCADA systems. And if they were really paranoid they could rent private lines off their telecoms company. Both of those approaches are way cheaper than dealing with an oil refinery explosion...
I suspect that actually, quite a lot of companies already do that sort of thing one way or another. But there are bound to be some that haven't even begun to consider what sort of risk hacking represents to their systems.