by Merrill 1865 days ago
Why don't critical infrastructure networks use a different CRC-32 polynomial for their IP packets?
2 comments

Security through obscurity is not security
How would that help in any way?
Any IP packet that is valid on the Internet would be invalid and dropped on the critical infrastructure network. The only packets that could pass between the Internet and the critical infrastructure network would be those that are intentionally bridged by rewriting the CRC-32. This should not be done at the IP level, but only by application level bridges.

It would prevent inadvertent connections between the Internet and the critical infrastructure network.

The usual problem is systems that are intentionally connected to both networks and that, after compromise, happily serve as points to enter the inner network.
‘Arm Waving’ Response to Hackers Makes Oil Industry Easy Prey

Everyone from the facility managers to the private equity owners assumed that the plant’s computer network was “air-gapped” -- a term referring to computers that aren’t connected to the internet or another unsecured network. But when Mission Secure installed monitoring devices to check, they discovered that a worker on the night shift was connecting his Roku device to the internet to watch episodes of “CSI: Miami.”

https://www.bloomberg.com/news/articles/2021-05-12/colonial-...

So stuff like this wouldn't happen.
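The mechanism discussed in this thread, as an added example that is not part of any of the posts: a receiver checking frames against a different CRC-32 polynomial drops frames sealed with the standard one, and only a bridge that re-seals the payload passes traffic across. The thread names no alternative polynomial, so CRC-32C (Castagnoli) stands in for it here; the 4-byte little-endian trailer layout, the function names and the sample payload are likewise assumptions.

```python
import struct

IEEE_POLY = 0xEDB88320  # reflected form of the standard CRC-32 polynomial
ALT_POLY = 0x82F63B78   # reflected CRC-32C, assumed stand-in for the "different" polynomial


def make_table(poly):
    """Build the 256-entry lookup table for a reflected CRC-32 polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


INTERNET = make_table(IEEE_POLY)
ISOLATED = make_table(ALT_POLY)


def crc32(data, table):
    """Table-driven CRC-32 with init and final XOR of 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def seal(payload, table):
    """Append the CRC trailer a sender on the given network would emit."""
    return payload + struct.pack("<I", crc32(payload, table))


def accept(frame, table):
    """Return the payload if the trailer verifies on this network, else None (dropped)."""
    if len(frame) < 4:
        return None
    payload, trailer = frame[:-4], frame[-4:]
    return payload if struct.unpack("<I", trailer)[0] == crc32(payload, table) else None


def bridge(frame, in_table, out_table):
    """Verify a frame against one polynomial and re-seal its payload with the other."""
    payload = accept(frame, in_table)
    return None if payload is None else seal(payload, out_table)


if __name__ == "__main__":
    frame = seal(b"constructed sample payload", INTERNET)
    print("isolated side accepts raw frame:", accept(frame, ISOLATED) is not None)
    print("after bridge:", accept(bridge(frame, INTERNET, ISOLATED), ISOLATED))
```

Any host that holds both tables can do what `bridge` does, which is why the check isolates the two networks only as long as no machine is attached to both.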