It is understandable that administrative departments of power companies would need Internet access; billing departments, marketing, sales, etc.
The question is, what was the need to place the actual power station itself on the Internet?
Systems as critical as these should be completely physically separated from any other systems. It is well known that no system connected to the Internet is safe. Even the Iranians knew this, as they kept their nuclear systems off the Internet and away from hackers...and still were hit! Even if no publicly known vulnerabilities are present in the online systems, it has been demonstrated by the WikiLeaks-revealed CIA hacking toolkit that, beyond theory, many critical vulnerabilities are present in systems that the public is not even aware of.
My recommendation: take critical infrastructure off the Internet ASAP.
The initial attacks came through simple email phishing campaigns that got them into company networks, Symantec researchers found.