Focus is on nuclear power plants, which have _very_ tight security regulations (e.g., no external connetivity whatsoever). In fact, everything in nuclear has some degree of SIS/L (Safety Instrumented System/Level)
The world’s most important facilities—think massive hydroelectric dams and nuclear power plants—are vulnerable to devastating cyberattacks. And it may be just a matter of time before someone gets hurt.And why? Hrdcoded encryption keys that cannot be revoked or even changed, use of default passwords, no antivirus, firewalls or IDS, use of sketchy Java interfaces, no monitoring whatsoever, etc.
Overall, the question is not even the low level controls such as password management or firewalls, or the lack of a network & cybersec architecture -- it's the lack of a comprehensive cyber security governance programme.
This means device, architectures, processes & policies, vendors and 3rd parties, etc. Once it is setup, which can take as little as 3 months, it can take only some 8h per week to keep it going and claim good-enough security.