
I worked at a water treatment facility for a few summers, and the SCADA system there was on a physically separated network. Actually, there were two SCADA networks, one for each of the plants, with the distribution system (the water towers and pumping stations randomly scattered throughout the service area) attached to one of those networks. I don't know how secure those remote links were, but I suspect they were the easiest ingress into the network.

A couple computers did bridge the two networks, but (IIRC) they were simple embedded systems doing read-only access (for compiling reports). I know when they did a pen-test, the pen-tester could compromise most of the corporate network (including service accounts), but they couldn't punch through to the SCADA systems.



I'm familiar with the systems you outline, and yes, those are more difficult to penetrate. However, those systems are significantly more expensive and more complex than the simpler ICS systems. Oldsmar, FL doesn't sound like a place that could afford such a system. Of course, whether they can afford not to have higher-security systems is an open question.


The biggest cost of having physically separate networks (or at least network separated) is the HR cost of increased staffing and on-call requirements due to not being able to support the system remotely.

For a small city, it's non-trivial.



