Even if a system isn't internet-facing, I view it as (indirectly) connected to the internet if it's available through the LAN, VPN connections, whatever. Really critical systems shouldn't be IP-exposed to anything that is, however indirectly, connected to the internet.
If you don't want to haul your ass to a dedicated control interface, you could have a machine that can access the control network and is reachable from other machines on the network - but without exposing the control interface directly. Let this machine be available through - AND ONLY THROUGH - (a secure version of) remote desktop. Yes, a dedicated hacker can still access the control network this way, but at least you won't be able to scan the control network directly once a machine has been compromised.
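As an added illustration (not the commenter's code), here is a small model of the layout described above: a jump host whose input filter accepts only RDP from the LAN, and a control-network boundary that accepts only the jump host; the addresses, ports and the nftables rendering are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the layout the comment describes (assumptions, not from the post).
LAN = ip_network("10.0.0.0/24")           # general-purpose LAN, indirectly internet-connected
CONTROL = ip_network("192.168.50.0/24")   # control network, never routed to the LAN
JUMP_LAN = ip_address("10.0.0.10")        # jump host's LAN interface
JUMP_CTRL = ip_address("192.168.50.10")   # jump host's control-network interface
ANY = ip_network("0.0.0.0/0")
RDP = 3389

# First-match rule lists: (comment, src net, dst net, dst port or None, verdict).
JUMP_INPUT = [  # what the jump host itself accepts: remote desktop and nothing else
    ("RDP from LAN, nothing else", LAN, ip_network(f"{JUMP_LAN}/32"), RDP, "accept"),
    ("default deny", ANY, ANY, None, "drop"),
]
CONTROL_INPUT = [  # what the control-network boundary accepts: only the jump host
    ("only the jump host may reach controllers", ip_network(f"{JUMP_CTRL}/32"), CONTROL, None, "accept"),
    ("default deny", ANY, ANY, None, "drop"),
]

def verdict(rules, src, dst, dport=None):
    """Return the verdict of the first matching rule (default deny if none matches)."""
    s, d = ip_address(src), ip_address(dst)
    for _, src_net, dst_net, port, action in rules:
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action
    return "drop"

def reachable(src, dst, dport=None):
    """Can a TCP flow from src reach dst:dport given both filters?
    Traffic into the control network passes CONTROL_INPUT; traffic to the jump host passes JUMP_INPUT."""
    d = ip_address(dst)
    if d in CONTROL:
        return verdict(CONTROL_INPUT, src, dst, dport) == "accept"
    if d == JUMP_LAN:
        return verdict(JUMP_INPUT, src, dst, dport) == "accept"
    return False  # no other path exists in this model

def render_nft(chain, rules):
    """Render a rule list as an nftables input chain for review (not applied by this script)."""
    lines = [f"chain {chain} {{", "    type filter hook input priority 0; policy drop;"]
    for comment, src_net, dst_net, port, action in rules:
        match = f"ip saddr {src_net} ip daddr {dst_net}" + (f" tcp dport {port}" if port else "")
        lines.append(f'    {match} {action} comment "{comment}"')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_nft("jump_input", JUMP_INPUT))
    # A compromised LAN host cannot scan the control network directly; it can only reach RDP on the jump host.
    print("LAN host -> controller:", reachable("10.0.0.55", "192.168.50.20", 502))
    print("LAN host -> jump host RDP:", reachable("10.0.0.55", "10.0.0.10", RDP))
```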