So as yet another sign that SCADA is out of the closet, it made Hoff's 2008 [In]Security Predictions.
Be-Afraid-A of a SCADA compromise...the lunatics are running the asylum! Remember that leaked DHS "turn your generator into a roman candle" video that circulated a couple of months ago? Get ready to see the real thing on prime time news at 11. We've got decades of legacy controls just waiting for the wrong guy to flip the right switch. We just saw an "insider" of a major water utility do naughty things, imagine if someone really motivated popped some goofy pills and started playing Tetris with the power grid...imagine what all those little SCADA doodads are hooked to...
Call me cynical, but what has changed to make things worse in the last five years that would increase the likelihood of a "SCADA Compromise" (WTF that means)? While things are probably different (meaning better, more rational) inside large asset owners, in public forums the IT vs. Control System debate is as unhealthy as it was back in 2003. Many control systems folks are still intent on making broad generalizations based on their own bad experience with "IT".
What we're seeing here is a clash of technological focus and philosophies. IT departments don't do risk analysis the way Control Engineers do. Often things are replaced only because they're going to be out of date real soon now. Many throw software and servers at the wall until something useful sticks. I've heard estimates that up to 1/3 of all IT projects are regarded as failures. Few seem to see anything wrong with this. They take the risk anyway, knowing that the payoff can be very lucrative. Conversely, the control engineer tends to run a risk analysis on everything before making a move. They're very conservative and often don't change anything unless there are no parts for it any more and they've run out of spares. Their bosses are penny pinchers. They won't spend money to invest in anything that isn't broken.
And the fundamental difference between the IT department and the industrial control system engineer is that the engineers usually work at the application level. There is very little knowledge of the OS under the hood.
It's pretty easy to come up with counterexamples for these. For every Areva admin that has no clue about Windows 2000 and TPKT/COTP, I'll bet there is an Oracle DBA that is equally clueless about Solaris 2.8 and TCP/IP.
But the more interesting question about high-visibility critical infrastructure compromise scenarios is why they aren't happening vs. how they could happen.