but are those computers networked?
Seriously. The systems with access to SCADA may not themselves have access to the internet. But to state that power plants live in some kind of internet-free zone is silly.
Blaster compromised US power distribution in 2003, not because it was a SCADA attack but because it took out systems at power plants as collateral damage. I suspect there would have been issues even if the SCADA controllers themselves remained entirely untouched by the attack, simply because IT staff at compromised sites were running like hell to fix the Windows boxes.
http://seclists.org/bugtraq/2003/Sep/0053.html
And blaster was really more of a prank than anything else; it used a publically posted PoC as its payload, looked for new hosts to infect, and crashed systems. Yes, it was a large pain to deal with, but it wasn't installing other code or formatting harddrives on restart or silently phoning home. It was incredibly noisy and easy to see. But it was also very fast!
Power generation infrastructure has been neglected for decades in the US and lots of Europe.
Does anyone here think that the facilities are staffed to afford the eyeballs to do monitoring of logs on SCADA systems?
There was a great Defcon talk on SCADA attacks last year and the presenter admitted "it's noisy as hell. But no one reads the logs, so it doesn't matter." He was considering working with fyodor (nmap) to add the SCADA attack to the nmap toolkit and to make it much quieter.
Once you're inside a network, if you know what you're doing, whether an internal host talks to the internet or not is not a problem. As long as they talk to switch ports, you can talk to them. If you can get the guy who answers phones to read your email and click on a link, or visit your website, the odds that you can get access to a windows box that talks to internal switches just went through the ceiling.
The real concern is not worms or script kiddies. It's people with folks on salary with training and practice doing attack/defense in teams. State actors and large organizations could undoubtedly do this; the real problem is in coming up with a defense against it in a heavily privatized and decentralized system.
We mostly dislike the geographic firewalls in China, Australia, Burma, etc.
We may ultimately find that what we need are business sector firewalls mandated by governments that can require all actors in a given sector to be running behind a common and commonly secured set of connections. Not just hardware platforms, but actually insist these folks drop their current addresses and buy leased lines to dedicated data centers with budget for ingress and egress monitoring and response.
My guess is we won't get to a state like that until someone seriously, ahem, degrades performance on SCADA infrastructure. The politics of doing it may be completely untenable even then.