Backdoors have a reason
Pretty much any SCADA kit or such needs at least some sort of backdoor to allow service people to gain access for various reasons including the most common:
The dude who knew all the passwords died/was fired/ is on holiday and we need to access the kit to change something. Service personnel are called in to save the day.
The trick though is to limit that access to requiring physical presence (eg. holding a service button) and not something that can be hacked from afar.
Of course SCADA kit should always be on a private network (VPN at least).