Air gapping is ideal, until you get that ONE manager somewhere up there that absolutely positively must be able to access the system from his home at 2am on a Saturday, because...who knows, but he does.
I fight this all the time with my water/wastewater customers. The typical excuse is "Our VPN has a password, and there's a warning when you log into the system".
Still, I have to wonder about a system where taking down the central computer kills everything. Ok, yeah, it failed safe. I dropped out the computers to a water treatment plant the other week for a few hours. There were no shutdowns, no emergencies, no change at all in the water quality, because the low-down controls did their job without the head-end computer running. This is more common than you'd think, and with some darn large systems.
The head-end computer should at most be a data-collection and centralized-command machine that maybe applies some sanity checking. The local stuff should be able to do its job without it.
I'm guessing this is an Arinc system? I've seen their attempts at SCADA, and heard what they cost. I'm in the wrong industry segment...
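As an added example (not from the poster or any vendor), a small Python model of the split described in the post: the field controller keeps regulating from its last accepted setpoint when the head end stops answering, and both ends apply their own bounds checks on commands. The chlorine-residual setpoints, limits and cycle counts are constructed values for illustration.

```python
from dataclasses import dataclass


@dataclass
class LocalController:
    """Field-level (PLC-style) loop that keeps running whether or not the head end is up."""
    setpoint: float              # target residual, mg/L (constructed value)
    low: float = 0.5             # engineering limits enforced locally, not by the head end
    high: float = 4.0
    heartbeat_timeout: int = 3   # cycles without head-end contact before we call ourselves islanded
    missed: int = 0
    islanded: bool = False

    def apply_remote_setpoint(self, value: float) -> bool:
        """Accept a head-end setpoint only if it is inside the local engineering limits."""
        if self.low <= value <= self.high:
            self.setpoint = value
            return True
        return False

    def cycle(self, head_end_alive: bool, measured: float) -> str:
        """One control cycle: track head-end liveness, then act on the local setpoint regardless."""
        if head_end_alive:
            self.missed = 0
            self.islanded = False
        else:
            self.missed += 1
            if self.missed >= self.heartbeat_timeout:
                self.islanded = True
        # The loop below does not depend on the head end at all (simple bang-bang dosing).
        if measured < self.setpoint:
            return "dose_up"
        if measured > self.setpoint:
            return "dose_down"
        return "hold"


def head_end_sanity_check(requested: float, current: float, max_step: float = 0.5):
    """Head-end side: reject operator setpoint jumps larger than max_step before sending them out."""
    if abs(requested - current) > max_step:
        return None
    return requested


def simulate_outage(controller: LocalController, readings):
    """Run the field loop through a head-end outage; returns the actions it still took."""
    return [controller.cycle(False, r) for r in readings]
```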