Basically, what this boils down to is the old classic statement in computer security that "You can have a secure system, an easy-to-use system, and a fast system. Pick one." In order for companies and governments to more easily manage their critical infrastructure assets, they connected the SCADA network to their main internal corporate/government network. Then people got even lazier and connected those same networks to the internet. And the same people never changed the default passwords on the devices as set by the manufacturer. End result? The Perfect Storm is set. Now, in general, companies and governments have rolled back through and changed passwords. But they are STILL connected to the internet! The internet is more dangerous than any place on land will ever be. Why? Because you can hit any target from anywhere on the planet in under a second. You can't track the ship movement. You can't see the missile incoming. You can't see or hear the helicopter full of bad guys. You just suddenly go dark. Look around you. Read the news, and pay attention. Internet security people operate in the same fashion as the US Transportation Security Agency does. They allow you to attack and get in the first time, then they create a rule to eliminate that specific threat, and wait for the next successful attack to come.
THERE ARE MANY THINGS THAT CAN BE DONE TO SECURE THE SYSTEMS, AND A FEW OF THEM THAT ARE ACTUALLY BEING DONE.
HERE ARE SOME EXAMPLES OF THINGS TO DO TO SECURE A SCADA NETWORK:
Make it its own network. While this might not be completely practical, at least make it use VPN tunnels between remote sites and the home office, AND have a separate network at the home office that is JUST the SCADA! Not virtual machines, not VLAN segmented, a SEPARATE NETWORK.
Limit access to that SCADA network's machines. Do you give every bank teller and janitor the keys to the bank vault? Do you give every secretary, and every employee the keys to the CEO's desk and files? Then why give them all access to your organization's crown jewels?
Run intelligent firewalls and filters on your network. Let's realize that a SCADA system has a limited command set, and sends limited data that is highly structured. You KNOW that these two machines are the control machines. Every single device on the network should log, report, and drop every single control packet that is NOT coming from one of those two machines. Further, if you also know that machine A goes through switch B and C to get to D, you should not accept a control packet "from A" that came in on switch F.
Intelligent filtering part 2: You know that each end point device has a limited command set, and responds at a given data rate. Flag/report/log anything that deviates.
Pay very close attention to every single thing that connects to or disconnects from a SCADA network. These types of networks never change. If you build a pipeline, how often do you add more pipes? Or pumps? It's built, then it rarely, if ever, changes! Anything put on the network should be pre-certified and pre-added to the firewalls. If it is disconnected at any point in time, black-list it from all switches, and consider it completely untrusted until it is re-certified by headquarters.
Monitor the control machines on the network very closely. Only put data on it via CD, and only with two-machine integrity. Build the CD on one machine, scan it with a second, then put it on the SCADA network.
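The "intelligent filtering" rules above (drop control packets not from the two known control machines, drop a control station's traffic that arrives on the wrong switch, flag commands outside a device's command set, flag rate deviations) as an added worked example; this is not code from the original post. The record format, the hypothetical flow collector it would come from, and all addresses, switch names, device names, command sets and rates are invented placeholders.

```python
# Added example (not from the original post): a policy check implementing the
# intelligent-filtering rules over constructed sample records.
# Assumption: each record is a dict from a hypothetical flow collector with
# integer-second timestamp, source IP, ingress switch, destination device, command.
from collections import defaultdict

CONTROL_STATIONS = {"10.0.1.10", "10.0.1.11"}                  # the two known control machines
EXPECTED_INGRESS = {"10.0.1.10": "switch-B", "10.0.1.11": "switch-C"}  # where each one's traffic enters
ENDPOINT_COMMANDS = {"pump-07": {"READ", "START", "STOP"}}    # per-device allowed command set
MAX_PER_SECOND = {"pump-07": 5}                                # expected polling rate per device

def evaluate(records):
    """Return one (action, reason) per record: 'drop'/'flag' with why, or ('allow', '')."""
    seen = defaultdict(int)   # (device, second) -> count, used for rate deviation
    verdicts = []
    for r in records:
        if r["src"] not in CONTROL_STATIONS:            # rule 1: only control stations send commands
            verdicts.append(("drop", "control packet from non-control host"))
            continue
        if r["ingress"] != EXPECTED_INGRESS[r["src"]]:  # rule 2: known path, known ingress switch
            verdicts.append(("drop", "control station seen on unexpected switch"))
            continue
        if r["cmd"] not in ENDPOINT_COMMANDS.get(r["dst"], set()):  # rule 3: limited command set
            verdicts.append(("flag", "command outside device command set"))
            continue
        key = (r["dst"], int(r["ts"]))
        seen[key] += 1
        if seen[key] > MAX_PER_SECOND.get(r["dst"], 1):  # rule 4: known data rate
            verdicts.append(("flag", "rate exceeds expected polling rate"))
            continue
        verdicts.append(("allow", ""))
    return verdicts

# Constructed sample records (not real traffic): one clean read, one rogue host,
# one spoofed station on the wrong switch, one unexpected command, then a burst.
SAMPLE = [
    {"ts": 100, "src": "10.0.1.10", "ingress": "switch-B", "dst": "pump-07", "cmd": "READ"},
    {"ts": 100, "src": "10.0.5.99", "ingress": "switch-F", "dst": "pump-07", "cmd": "STOP"},
    {"ts": 100, "src": "10.0.1.10", "ingress": "switch-F", "dst": "pump-07", "cmd": "READ"},
    {"ts": 101, "src": "10.0.1.11", "ingress": "switch-C", "dst": "pump-07", "cmd": "FIRMWARE_WRITE"},
] + [{"ts": 102, "src": "10.0.1.11", "ingress": "switch-C", "dst": "pump-07", "cmd": "READ"}] * 6

if __name__ == "__main__":
    for rec, (action, why) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{action:5} {rec['src']:>10} via {rec['ingress']:8} {rec['cmd']:15} {why}")
```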