I can't overstate how bad the security around most SCADA systems is.
A very common situation is the SCADA system is fantastically critical to what makes the company go; a factory, a refinery, a pipeline, a utility, etc. As we all know most IT departments have long ago lost the plot of why they exist, but in SCADA operations centers they often have kicked IT out. They run their own servers, they buy their own desktops for operators, everything. They might go back to their cubicle and IT runs those computers, but often IT has little to absolutely nothing to do with SCADA, including even provisioning networking, as even this can be a bunch of weird.
This is a good thing in that there is no chance of the SCADA system going down and them having to get in line with the ticket system. The SCADA people will have their own experts who often deliberately live near the servers just so they can rush over in 12 minutes to solve any urgent problems.
But, it is also a bad thing because they aren't usually IT people. They are often some guy who programmed PLCs, then got into networking, and then was moved to the SCADA operations center. These guys often have a pile of knowledge covering a vast range of tech. A large distributed asset like a utility or pipeline could easily be 100+ years old and the equipment can pretty much cover the entire 10 decades of change. They may have paper tapes recording data in one place, Modbus in another, MQTT in another, a bunch of proprietary communications protocols in another, acoustic modems, their own 1000km of fiber optics, satellite comms, some LTE, and on and on. In the server room there could be just about every OS in the last 40 years from VAX to a shiny new Linux. The level of institutional knowledge one of these people typically has is insane. But what they often have no knowledge of is security. In this environment the very concept of regular upgrades scares the shit out of them. Often the software they use is super custom one-off or low-customer-base software. Upgrades have a long habit of blowing things up. So, leaving a copy of Windows NT 15 years behind is fine. Solaris 12 years since last upgrade is good. Nobody even blinks at a Red Hat install which hasn't seen an update in a few years. Why would you even think of upgrading the software on a PLC which controls something critical (as in blows up) if you don't have to?
Often they will have a few weird ass layers of VPNs and other crusty old security which they say is "bulletproof".
My theory is the reason these systems don't get hacked more is simply because most hackers don't know Modbus, serial over UDP, aren't doing phone phreaking, or any of that. How many hackers know Solaris? VAX?
Most of the industrial systems I have witnessed were the ultimate in security through obscurity; extreme obscurity. So this CODESYS thing is something that I laugh at. I don't know what product MS is trying to sell, but I can without hesitation say that the people in these larger industrial software companies aren't using CODESYS correctly anyway, and probably left a trail of SQL injection attacks (and other BS easy stuff) a mile long.
Like, here is the level of stupid I can absolutely predict: If you look at the traffic going from almost any bit of their system to another bit there is a low chance it is being encrypted. If it is being encrypted they are doing it wrong, so the encryption is easy to break. Plus, basic security hygiene like ignoring repeated messages is probably not being done, along with most message authentication. So, if you were to just repeat a message telling something to open a valve, it would probably just open the valve. But if you found some unencrypted messages and one of them read a float for pressure which normally ranged around 100 and you set it to 100 trillion or something, their software would either happily ingest this new information and act accordingly (probably an alarm or a shutdown) or, more probably, something would overflow and the software would crash. Or set values to 0 which never seem to go there and watch where they didn't do any divide-by-zero checking.
I know of one system where one of the parts of a communication structure says how long a following array will be. So it will allocate that much space. It is happy to try to allocate all the RAM on planet Earth.
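The failure modes the comment above lists (replayed commands accepted as-is, no message authentication, out-of-range or non-finite sensor values reaching control logic, unguarded division, and a length field trusted for allocation) all come down to a receiver that acts on a frame before validating it. The following is an added example, not code from the commenter or from any real SCADA product, of a hardened receiver for a constructed length-prefixed telemetry format; the wire layout, field names, `MAX_PAYLOAD`, `VALUE_RANGE` and the demo key are all assumptions made for illustration. The checks are ordered so that the declared length is capped before it is used for anything, the HMAC is verified before any field is trusted, the sequence number must strictly increase, and the reading must be finite and inside its engineering range before state is updated.

```python
"""Hardened parser for a constructed length-prefixed telemetry frame.

Wire format (constructed for this example, not any real SCADA protocol):
    seq     : uint32 big-endian, strictly increasing per sender (defeats replays)
    value   : float32 big-endian, e.g. a pressure reading
    length  : uint16 big-endian, byte length of the payload that follows
    payload : `length` bytes
    tag     : 32 bytes, HMAC-SHA256 over everything before it
"""
import hashlib
import hmac
import math
import struct

HEADER = struct.Struct(">IfH")  # seq, value, length
TAG_LEN = 32
MAX_PAYLOAD = 256               # hard cap, enforced before any allocation or slicing
VALUE_RANGE = (0.0, 1000.0)     # assumed plausible engineering range for the reading
KEY = b"constructed-demo-key"   # constructed; a real deployment provisions a per-link key


def build(seq, value, payload, key=KEY):
    """Produce a correctly authenticated frame (used here only to make sample input)."""
    body = HEADER.pack(seq, value, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Validates frames in the order: structure, length cap, HMAC, replay, plausibility."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = -1

    def parse(self, frame):
        """Return (seq, value, payload) for a valid frame, else raise ValueError."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("truncated frame")
        seq, value, length = HEADER.unpack_from(frame, 0)
        # 1. Cap the declared length before it sizes anything; a sender-controlled
        #    length must never decide how much memory is reserved.
        if length > MAX_PAYLOAD:
            raise ValueError(f"declared length {length} exceeds cap {MAX_PAYLOAD}")
        if len(frame) != HEADER.size + length + TAG_LEN:
            raise ValueError("declared length does not match frame size")
        body = frame[:HEADER.size + length]
        tag = frame[HEADER.size + length:]
        # 2. Authenticate before acting on any field.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad authentication tag")
        # 3. Replay / stale delivery: the sequence number must strictly increase.
        if seq <= self.last_seq:
            raise ValueError(f"replayed or stale seq {seq} (last accepted {self.last_seq})")
        # 4. Plausibility: NaN, inf and out-of-range values never reach control logic.
        if not math.isfinite(value) or not (VALUE_RANGE[0] <= value <= VALUE_RANGE[1]):
            raise ValueError(f"value {value} outside {VALUE_RANGE}")
        self.last_seq = seq  # only advance state once every check has passed
        return seq, value, body[HEADER.size:]


def reject_reason(receiver, frame):
    """Return None if the receiver accepts the frame, otherwise the rejection message."""
    try:
        receiver.parse(frame)
        return None
    except ValueError as exc:
        return str(exc)


def safe_ratio(numerator, denominator):
    """Guarded division for derived quantities; None instead of a crash on a zero reading."""
    if denominator == 0:
        return None
    return numerator / denominator


if __name__ == "__main__":
    r = Receiver()
    good = build(1, 100.0, b"ok")
    print("valid frame:", reject_reason(r, good))                    # None
    print("replayed frame:", reject_reason(r, good))                 # replayed or stale seq
    print("absurd reading:", reject_reason(r, build(2, 1e14, b"")))  # outside range
    tampered = bytearray(good)
    tampered[8:10] = b"\xff\xff"                                     # forge the length field
    print("huge length:", reject_reason(r, bytes(tampered)))         # exceeds cap
    print("ratio with zero:", safe_ratio(5.0, 0))                    # None
```

Two design points worth noting: the length cap is checked against a constant before the frame is even sliced, which is the check the "allocate all the RAM on planet Earth" system was missing, and the sequence number is only recorded after every other check passes, so a forged or out-of-range frame cannot burn a sequence number and cause the next legitimate one to be dropped.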