Re: Access Denied
"Thing is there is ABSOLUTELY no reason for any SCADA-style system EVER being visible on the Internet. It should be behind firewall and VPN like access, and with some 2FA system as well."
Take it a step further.
There may be some cases where internet access is needed. In others, however, a directly wired system would be better.
Connect your substations directly to your control room rather than via the internet. Certainly a direct connection can also be intercepted but at least it raises the ante for your attackers; they can't do it from half a continent away.
And as for Dave's suggestion that a building supervisor could turn on the aircon from home for a manager who needs to go into work, why not let such a manager have access to the local control panel instead?
TL;DR Just because you can do it via the internet it doesn't mean you have to.