There are only two things that surprise me about this:
First, we found out about it. It’s refreshing to see a municipal government coming clean (excuse the pun) about their water plant being hacked,
Second, the attacker’s motivation appears to have been to injure people. Normally these days we would expect ransomware, but this criminal was intent on harming residents.
This article provides a good summary and some interesting tidbits: https://www.itworldcanada.com/article/cyberattack-on-florida-water-treatment-plant-raises-alarms-in-canada/442088
In summary,
1) Windows 7 (or any other outdated, unsupported operating system) is not an appropriate operating system for anything, nevermind industrial control systems.
2) TeamViewer is not an appropriate product for remote access to sensitive systems with life safety implications.
3) Industrial control systems (or a PC that monitors/controls them) should not be connected to a corporate network or Internet. If remote access is required, appropriate network zoning and layered security controls are required. In other words, work with your security professional to design and implement the connection.
