There is only one small problem with this scenario...
[snipped for space]
Dreamer, it was a hypothetical. However, I can tell you that most SCADA systems are in fact outside accessible. I contracted for a water agency once, setting up systems in a remote part of California for growing populations. My role was to install a new domain controller for the remote plant subsystems. To do so, I needed to add clients to the DC. Most of the clients were controller interfaces for the SCADA equipment. The equipment was given no RG access, but getting VPN credentials to the concentrator was all that it takes to have unfettered network access to said devices.
When someone says, "Those systems aren't on the internet", what they are really telling you is that the device has a strictly internal interface that is still reachable by network resources behind the firewall or RG. Once a connection is established behind the firewall via some errant, malicious code, or some admin slipping their credentials out to some 3rd party in some manner, then it is totally open and fair game.
There is a reason businesses and agencies say to keep your password safe and secure, and why admins bust their butts to make sure all users truly belong to the correct OU.
However, 99% of hacking is social engineering or phishing. They will spend years on a resource to finally gain internal knowledge and credentials into a system. Patience is all that is needed.
Unless you are an operator at a nuclear power plant, or one of its technology professionals, I sincerely doubt you can substantiate your statement. In order for the system to be monitored by head engineers and the like, remotely, I am sure some of its interfaces, if even just a monitoring system, are available from the outside with multilevel authentication.
Saying that they "aren't on the internet" has no clout whatsoever. They are on the internal network, which at some point is connected to an outbound RG.
EDIT: Just looked it up. The EMS (Energy Management System) is in fact network accessible. It is another SCADA configuration, which means it supports network view and control of station and substation devices.
It is, in fact, on the network of its parent company or organization, which is in turn connected to the internet somewhere.
"As proprietary systems became uneconomical, EMS suppliers began to deliver solutions based on industry standard hardware platforms such as those from Digital Equipment (later Compaq), HP, IBM and Sun. The common operating system then was either DEC OpenVMS or UNIX. By 2004, various EMS suppliers including Areva, ABB and OSI had begun to offer Windows based solutions. By 2006 customers had a choice of UNIX, LINUX or Windows-based systems. Some suppliers including NARI, PSI-CNI and Siemens continue to offer UNIX-based solutions. It is now common for suppliers to integrate UNIX-based solutions on either the SUN Solaris or IBM platform. Newer EMS systems based on blade servers occupy a fraction of the space previously required. For instance, a blade rack of 16 servers occupy much the same space as that previously occupied by a single MicroVAX server."
Source - Wiki