Almost nobody is stupid enough to put SCADA boxes on the internet. What happens is the home office is on the internet for email, EDI for purchasing, web access, electronic payroll, etc. Then the engineers want real-time access to data to do their jobs, support the techs, etc. Then some guy in the plant figures out he can surf the web from the SCADA collector PC that feeds the engineers by installing IE and typing in the proxy server. Now you have two possible compromises.
I deal with this at work where we have the internet (with proxy servers and public facing websites), an admin network, and a mission critical network. We really restrict what data can flow from one network to another. We have maybe 100-200 guys who are devoted full time to "electronic" security.
Even so, we had one compromise where an employee hooked an internet connection to a mission critical PC and it was hacked, and quickly detected. One issue is that you can't be too quick to contain something that looks suspicious on a critical network.