Secure SCADA Comm Isn’t I.T. it’s Eng
Folks, with all due respect, I politely suggest you backtrack to "what is the anatomy of the problem?" While as IT folks we're all naturally analyzing / working with the SCADA Master Control "frontend" (a/k/a HMI) and the Internet issues, SCADA systems' functionality occurs via legacy "endpoint" SCADA control devices. There are issues here from 40-50 years ago: SCADA's control protocols (and vendors' and proprietary / custom-built software and even hardware devices) were designed under "closed-trust". Most control devices require no authentication from any device issuing a command proving it is allowed to do so.
Therefore, while the Internet's important, with securing SCADA Comm you've got to put that in the back of your mind, because really the key issue is the legacy physical architecture(s): PLCs and RTUs that can be hacked/jacked-into like hot knives into warm butter, especially since these devices are remote and isolated. Yet, despite their locations, some of these can cause a lot of damage, and some are even critical. And that ain't changing, until the agri, power, trans, water, chem, and other industries decide to replace all this critical SCADA endpoint/device infrastructure. That's billions we're talking here … dollars, euros, yuan, etcetera. Who's going to pay for it? Furthermore (for now, specifically re: the electric power industry) until recently there haven't existed any approved public or private SCADA cybersecurity guidelines or standards (SOURCE: Dr. Göran N. Ericsson of the Svenska Kraftnät (Swedish National Grid), "Toward a Framework for Managing Information Security for an Electric Power Utility—CIGRÉ Experiences." IEEE Transactions On Power Delivery 22.3 (2007): 1466; although in 08/2010 the U.S. NIST did publish NIST IR-7628.) But while that's great, risk management, e.g., mitigation, is not enough, so look to "YASIR: A Low-Latency, High-Integrity Security Retrofit for Legacy SCADA Systems" - http://www.ists.dartmouth.edu/library/451.pdf
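
An added example, not part of the original post and not the YASIR design: a simplified sketch of the retrofit idea, in which a gate placed in front of a legacy endpoint forwards a command only if it carries a valid keyed tag and a fresh counter. The class names, shared key, frame bytes and tag length are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag length (assumption)
CTR_LEN = 8   # 64-bit message counter used for replay protection

def _tag(key: bytes, ctr: bytes, frame: bytes) -> bytes:
    return hmac.new(key, ctr + frame, hashlib.sha256).digest()[:TAG_LEN]

class MasterSideWrapper:
    """Hypothetical device beside the SCADA master: tags outgoing frames."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def wrap(self, frame: bytes) -> bytes:
        self.counter += 1
        ctr = struct.pack(">Q", self.counter)
        return ctr + frame + _tag(self.key, ctr, frame)

class EndpointSideGate:
    """Hypothetical device in front of the PLC/RTU: frame to forward, or None."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def unwrap(self, packet: bytes):
        if len(packet) < CTR_LEN + TAG_LEN:
            return None  # bare legacy frame with no counter or tag
        ctr, frame, tag = packet[:CTR_LEN], packet[CTR_LEN:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, ctr, frame)):
            return None  # forged, or modified in transit
        (counter,) = struct.unpack(">Q", ctr)
        if counter <= self.last_counter:
            return None  # replay of an earlier valid packet
        self.last_counter = counter
        return frame

def demo() -> dict:
    key = b"constructed-demo-key-not-for-use"  # constructed shared key
    frame = bytes.fromhex("01050010ff00")       # constructed legacy command bytes
    master, gate = MasterSideWrapper(key), EndpointSideGate(key)
    packet = master.wrap(frame)
    tampered = packet[:CTR_LEN] + b"\x02" + packet[CTR_LEN + 1:]
    return {
        "bare_frame": gate.unwrap(frame),    # unauthenticated command
        "tampered": gate.unwrap(tampered),   # one command byte changed
        "authentic": gate.unwrap(packet),    # forwarded to the endpoint
        "replayed": gate.unwrap(packet),     # same packet sent again
    }
```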