Unfortunately some industrial automation vendors and end users still do have the security mindset of the average IoT device. We are getting better as an industry, but some are still really scary!
One of my co-workers about 5 months ago found a site where someone wrote the script to crawl around the web and look for PLCs and DCS systems and the like that were on the web with no restrictions. Some of them were probably honeypots set to trap people, but as little as 6 months ago, there were still thousands of system that were still connected to the internet!
We didn't dig around to see what they were, but I saw in a tech journal about 2 years ago a controls guy saying he installed the Allen Bradley Logix software on his home PC and found their municipal waste water treatment Logix 5000 PLC right there. He called the people who ran the facility and told them and they blew him off so he logged into the PLC and added tags names, I_Llogged_into_your_PLC, I_did_this_Remotely, Your_systems_Can_be_hacked, etc. He then called them back and said he was already in their system and described what he saw and the tags. The blew him off again but he noticed about 10 minutes later, the PLC was no longer visible on the internet!
It is scary how little some people take security in the controls world, but we are learning! Stuxnet scared a lot of controls people!