You will find that in order to operate bits of critical national infrastructure like water, sewerage, leccy, gas, etc you need to do comply with some reqs. So in fact, the CEO and MD are liable for at least something as they are in breach of their regulatory regime. Similarly, even in the USA the government has quite enough leverage to make such companies do things.
In any case, this just goes to confirm something I have been saying for ages - SCADA security is sh*t. The scariest bit is that the same companies and people who write scada now write smart metering software. So a system with the same lousy level of security as the one on that pump (or worse) will be in every house in a few years in control of leccy, gas and water.