You can search the news for them, but if you're looking to verify the anecdote: I don't have time to do anything more than pile them on, but you should know that SCADA evaluations of factories and utilities have been a mainstay of IT security for the past 6-8 years; there are hundreds of consultants who have found ridiculous exposures to insanely sensitive sites.
Anecdote: "You can do what with an email to factory-control+wethinkthispasswordissecure@example.com? What possessed you to implement that? You didn't make e.g. a web service because the corporate policy kept restricting you from operating potentially lethal machinery from outside the firewall? That wasn't a strong enough hint?"
