I used to write security tools for a global entity that ran a secure isolated network spanning 400+ countries. One of the tools I wrote wandered round the network looking for illegal routes connecting our "isolated" network to the internet. We used to see the odd packet on sensors that didn't look legitimate in origin, hence the effort to quantify the problem.
The first time I ran the scanning tool on the network, we thought it was broken when it identified 3000+ unauthorised routes, so we took a random sample and tested them for false positives manually, and all were valid and breaching our security to the internet at large. A grab bag of undeclared routers, misconfigured Ciscos, modems stuck in so some manager could work remote, etc. And this in a company where connection of unapproved equipment was supposed to represent immediate dismissal. We spent the next year trying to get the 100 worst offenders taken out, and it was shockingly difficult to achieve because of local politics in each branch.
Chances of a SCADA remote connected solution being done properly? Not very much. I doubt they even want to spend the resource to find out how exposed they are, let alone resolve it.
I've seen some remote connected business automation servers too, and they make me shudder with how insecure and lackadaisical they are. Most of the efforts seem to be involved in getting the server to stay up for more than a couple of days at a time, let alone resist a remote attack.