Paranoid, but with good reason.
I do connect DCS systems to remote locations. Specifically for remote operation of units (gas turbines) in off hours at unmanned sites, and/or for one-manned sites to be able to do loop checks for maintenance. Many companies do this.
For one-manned sites to do better maintenance, I use a physical disconnect that has to be turned on/off when needed. This turns on access to a firewall and dedicated wireless gateway. The site can then use a dedicated maintenance laptop to access the DCS LAN. Of course, the laptop must use an encrypted method of access such as TeamViewer or an encrypted VNC. In addition to the encryption, you can even program some firewalls and routers to only allow traffic from a specific MAC address. So, only the dedicated laptop can pass traffic and nothing else. For routers, this is called the "access control list". Routers and firewalls can also be programmed to only pass certain "ports and services". If you don't want to allow a particular access method such as RDP, you can block that.
For unmanned site access, we set up a dedicated VPN tunnel that is encrypted, then the remote access software is also an encrypted method as mentioned before.
The software used is determined by the OS you are trying to access. Older systems like a GE 7FA with MkV controls using old Cimplicity 4.xx running on Windows NT can't handle TeamViewer, so an encrypted VNC needs to be used. Also, Windows XP can run TeamViewer, but Windows XP embedded can't. Odd stuff like an older Siemens TXP system running on SCO Unix can't even be remoted to.
What's your DCS and its interface software (HMI), and the OS it's running on? I might be able to give you some tips on how to securely remotely access it. Also, do you have a historian such as OSIsoft PI? If so, you already have a leg into the DCS that may go offsite back to corporate headquarters or some other centralized location. Challenge IT on how that is acceptable but another remote connection is not. That would presumably be a remote connection that could be exploited.
Of course, there is no foolproof method, but you can always make a case based on the benefits and how risk averse you want to be. It sounds like your IT department just doesn't want to do the legwork. Like I said before, many companies have been doing this for many years. The methods of remotely connecting have been getting better and more secure over the years. You wouldn't believe how much of the power industry is unmanned, remotely operated.
Dedicated VPN tunnels, properly established and maintained firewalls and routers, encrypted access software, updated and maintained AV software on the DCS and remote access point, and if for onsite use a physical disconnect for when the connection is not in use.
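
Added example, not part of the original post: a small first-match model of the access control list the post describes (one maintenance laptop MAC, one permitted service, RDP blocked), with an audit that flags permit rules wider than intended. The MAC address, the port numbers and every function name here are assumptions made for illustration, not values from any real site or product.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (assumptions, not taken from the post).
MAINT_LAPTOP_MAC = "02:00:00:aa:bb:01"   # dedicated maintenance laptop
VNC_PORT = 5900                          # default VNC port
RDP_PORT = 3389                          # default RDP port

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src_mac: Optional[str] = None    # None matches any source MAC
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, src_mac: str, dst_port: int) -> bool:
        mac_ok = self.src_mac is None or self.src_mac == src_mac.lower()
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return mac_ok and port_ok

# Order matters: the first matching rule decides, so the RDP block
# is listed ahead of the permit for the laptop.
ACL = [
    Rule("deny", dst_port=RDP_PORT),
    Rule("permit", src_mac=MAINT_LAPTOP_MAC, dst_port=VNC_PORT),
]

def evaluate(acl, src_mac: str, dst_port: int) -> str:
    """Return the action of the first matching rule; no match means deny."""
    for rule in acl:
        if rule.matches(src_mac, dst_port):
            return rule.action
    return "deny"

def audit(acl, allowed_mac: str, allowed_ports: set) -> list:
    """List permit rules that pass more than the one laptop and service."""
    findings = []
    for i, rule in enumerate(acl):
        if rule.action != "permit":
            continue
        if rule.src_mac != allowed_mac:
            findings.append(f"rule {i}: permits source MAC {rule.src_mac or 'any'}")
        if rule.dst_port not in allowed_ports:
            findings.append(f"rule {i}: permits port {rule.dst_port or 'any'}")
    return findings

if __name__ == "__main__":
    for mac, port in [(MAINT_LAPTOP_MAC, VNC_PORT), (MAINT_LAPTOP_MAC, RDP_PORT),
                      ("02:00:00:aa:bb:99", VNC_PORT)]:
        print(mac, port, evaluate(ACL, mac, port))
    print(audit(ACL, MAINT_LAPTOP_MAC, {VNC_PORT}))
```

A MAC address can be changed in software, so the MAC rule belongs on top of the encrypted tunnel and the physical disconnect rather than in place of them.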