SCADA In the Cloud? You Cannot be Serious
I'm absolutely gobsmacked that they've pushed SCADA Off Premises. Some of the valves etc are very old and have literally zero security features. If you can connect to the valve through an RS232 port you can do anything you want to. Hopefully no one has felt the need to attach an insecure comms device to these. Even if the comms is secure the idea of someone hacking into the control system is quite terrifying.
These systems are usually on a private network air-gapped from the internet for a reason! With an IT spend of 8 million and over 1 million of that being on SAP licences I wounder just how much they spend on security and how experienced their in house team is.