Critical infrastructure is not the devices being hit by ransomware attacks. They are encrypting corporate networks, which do need to be able to run Outlook and use a web browser.
Ironically enough, sometimes it might be other laws that necessitate those systems to be running in order to continue operations. Critical infrastructure is often fairly regulated for other reasons (depending on what it is), and those systems might be used to meet some other compliance/regulatory requirements.
I have found myself working on these kinds of systems professionally, although we were able to air-gap them.
I guess you could say that inability to comply with those other regulations is also a “too bad, you should have thought of it” scenario, but those are not always laws we’d want them to break. (Safety, etc.)
And at some level, critical infrastructure is no more of an expert at preventing cybercrime than a shopkeeper is at preventing shoplifting. I do think we need the government to stand up a bit here and help to prevent this crime in the first place.
I assume you have to be pretty incompetent to be damaged by ransomware. It can't hurt you if you have backups, and I don't understand how you could run a major company without backups.
Taking down a system to reflash it from backups can take significant time, which in big companies often translates to 10x-100x the ransom cost.
That's also why there are tensions between big companies / victims and law enforcement agencies because they have divergent interests: keeping the business running vs prosecuting and blocking criminals
Did you give a data protection job a go? They're heavily recruiting people who can really make a difference. But it often looks easier than it is ;-)
If your billing and tracking system breaks, tough: that's the cost of picking poor software and not training employees.