Reply to post: Re: "nothing specific to cybersecurity was inherently built within them"

Schneider Electric plugs gaping hole in industrial control kit

Lotaresco

Re: "nothing specific to cybersecurity was inherently built within them"

"Systems built 20 years ago did not need cybersecurity because there was no such thing."

Oomph! That's a bit wide of the mark. Ignoring the silly and irritating term "cybersecurity", which wasn't in vogue at the time, there was awareness among professionals that IT security was essential and a priority. Netscape Communications had implemented HTTPS in 1994. Computer security and the need for it had become a hot topic a decade before when, in 1984, Schifreen and Gold were arrested for the Prestel hack.

Security was rather basic in most cases and consisted of security through obscurity, being the best that could be done at the time. "Don't publish the phone numbers for your modems." was a standard approach along with "Lock up your data in a central data centre." Industrial control systems at the time were a mixed bag. Pneumatic logic (pretty much unhackable even today) was as likely to be found as electronic logic and was both reliable and cheaper than the electronic systems of the time. Later electronic systems were rarely used remotely and if they were remote tended to be on unidirectional links.

It's safer to say that twenty years ago internet connectivity for industrial control equipment wasn't a requirement. What has caused problems is the failure of those building industrial control systems to realise how quickly hackers work to develop exploits. Control systems are installed with an expectation that they will have a twenty-five-year operating life. That assumption ignores the more usual IT technical refresh cycle of five years and the rapid evolution of new exploits.
