Because it’s difficult not to in some respect.

Keep in mind that pipeline issue wasn’t an attack on the pipeline itself, it was an attack on the billing and administrative systems of the pipeline company–it was more like a shop shutting down for a bit because all it’s cash registers and payment terminals are broken–they could find a way to operate, I guess, but it’s easier not to until it’s all fixed.

More directly, you have a monitoring problem. Anything like that is going to have a lot of devices reporting status and alarm situations back to some sort of central network monitoring center that monitors alarms and can do some things remotely. Even before COVID, but particularly with COVID, you need some way for people at home or otherwise in non-company locations to access, and thus you now have an internet connection.

And then you have the problems with parallel networks that probably shouldn’t be able to cross-communicate but can due to a design error somewhere. The Target hack, for example, was because the building’s AC monitoring system was hacked, and once the hackers got in there, they were able to find their way over to the billing systems. There’s also the famous report of a Casino where there was an aquarium thermometer that had internet access because an external company maintained the tank, that thermometer got compromised, from there the hackers found some other device or server that could be exploited, etc, until they got their way to financial information for casino high rollers.

This kind of stuff is easy to say “they shouldn’t do that,” but also often sufficiently complex that one engineer making a mistake can cause a problem.