1. Use a second physically completely separate Internet for infrastructure only?
It's called a WAN link. They have been around for quite some time and are a lot cheaper than internet circuits in the same tier class for corporate/industrial.
T1s are cheap (usually under $600/month) and can be deployed anywhere (90%) there is copper phone service. (Not as cheap as 'consumer' internet, but you wouldn't be using that anyway for something like this now, would you??...) And other connections are usually available in most urban/industrial areas (DS3, Metro-Ethernet over copper/fiber, dark fiber leasing, etc...) and are usually covered with SLAs.
And all the major telcos already have all of the above on a "separate" internet infrastructure and even separate them out by customer so they can't even talk to each other (unless they installed a link between and only when they request it). You can even get WAN links between providers that are P2P (T1 from ATT in one location and a T1 from VZ in another and they will be a direct link as far as your router on each end is concerned.)
This is the proper way to link internal systems that you cannot link yourself. And if you're really paranoid you can even do VPN encryption over that just in case someone actually takes the time to dig up copper/fiber and splice into it after somehow knowing which in 1,000 pairs of copper/fiber is actually yours in the middle of a street.
Respectfully, $600/month is way, way too expensive for most industrial applications. I work in energy, and we use a tunnel to our VPN provided by cellular companies to link our hosting services to customer sites. It's closer to the realm of $40/month depending on the bandwidth of the connection. All of these options, and encryption, are plausible ways to sufficiently separate oneself from the public internet. I won't comment too much on my experiences with unsecured connections except to say that it is much worse than the summary says it is. These are the discovered devices only...