Because it is 2012, and every networked digital system in the world uses IP, and every business in the world has an Internet connection the same way every business in the world has a phone. Incidentally: there is nothing new under the sun: these same critical systems used to be exposed via the phone network.
I don't know what they're saying, but yes, I assure you, there is crazy stuff that is one or two pivot hosts away from an Internet attacker.
Critical infrastructure systems should be treated as on par with above-top-secret when it comes to network access. ie airgap to less secure networks, no-lone zones, no place to plug in external devices, serious change control, etc.
Or are they talking about the old "drop a usb stick in the parking lot and hope some idiot plugs it into their control panel computer" approach?
In which case I say crazy-glue the usb ports and devices like mouse/keyboard into the system.