Maybe I'm being simplistic here, and I realize the problems it would create, but unplug those critical infrastructure systems from the Internet. Yes, you'll have to have techs available 24/7, but presumably that would be a private LAN without an Internet connection.
Banks and the like are a problem as they need an Internet connection. But if a system can be disconnected from the Internet, it should be. Emails and attachments are a headache I'm not sure can ever be solved except by not allowing any email system to ever be attached/connected to a control system.