"Attackers need an initial point of compromise..."
Why, oh why are these devices openly visible on the public internet?
At the very least they should be accessible only from specific static IP addresses via a proxy with secret access credentials. At best, they should be strictly air gapped.
SCADA kit has lifetimes in whole decades and has until now not been designed primarily to protect against malicious access, but the prospect of 'secure' SCADA with regular online 'security updates' doesn't bear thinking about given the potential implications of bricking via a bad update.