Not sure if anyone has thought of it like this, but:
An air gap is still only as secure as the people with access to it. NAT and firewalls provide a compromise between security and connectivity. But remember that at a power plant, the PBX system still connects to the outside world, and there is a phone in the control room. What stops a nefarious social hacker from calling up the control room and convincing the third-shift operator to stop producing power (claiming to be from the regional authority)? Caller ID can be hacked. My personal belief is that all layers of the OSI/DoD model should assume that the adjacent lower layer can and will be compromised at some point, and measures should be put in place to encrypt or authenticate messages. Unfortunately for us, our critical infrastructure in this country still operates on outdated, security-less network architectures like ARCNET. Even most of the PLCs in use at power plants utilize no security or have simple passwords like "supervisor" and "operator." The US government's NERC has random inspections for CIP compliance, but I feel that they happen so infrequently that nothing will be done in time to adequately protect us from certain dangers that loom.
Network Engineering Consultant