I think the issue there is data, even on critical infra. Modernization, reliability and the such require data analysis. There are definitely ‘strong’ ways of protecting the assets and mitigating attack vectors, but almost no way to eliminate them entirely. For example, event if you isolate the process computers you’ll typically have an interface node that presents the data up a level (hopefully to a DMZ). Obviously you can be compromised if that interface node is.
Some critical infra is air gapped though. Other systems implement SIS systems in parallel with general process systems to mitigate catastrophic failure further.
They can gather the data on the infrastructure network and then carry across an air gap on a USB or tape to do their analysis. I don't see the upside of allowing any connectivity to the internet given the danger other than some mechanism for sending an alert. I'm sure creative people can air gap that too (camera on the internet side and some image recognition for example).
That's massively inconvenient, although I'm sure necessary in some cases. Some businesses actually perform analysis in 'real time' so they can adjust the process accordingly, witch requires that data be accessible. This may actually be such a case as I'm sure they have to interface with customers (tank farms) to react to supply/demand on the branches. For all I know Colonial does have a private network for that purpose though. Usually PAT is really for chemical processes where you are looking for a particular yield and those analytical services are located closer to the process (in terms of networks).
There are devices called data diodes that provide unidirectional network topology, but not all time series data interfaces can work with them.
All in all, I agree that total air gap is obviously the best way to mitigate network attack vectors, but sometimes not practical. No controlling device should be at level 3 or 4 though (business or enterprise level).
