I'm not a pipeline expert, but I've been doing computers since the early 90s. You have a pipe. It has pumps and valves. You have a computer that controls it all. The computer gets hacked. UNPLUG THE DAMN COMPUTER... and plug in another one. Then restart the pumps. If they are too incompetent to figure out a workaround then get the hell out of the way and let someone else try.
If there is one thing I've learned with computers it's that the guy at the console is god. There is no such thing as taking over from a remote location. Anyone that tells you differently has been watching too many movies. Send real actual human beings out to the pumps, unplug the damn computer and just turn the pump on manually. Yeah, a person might have to watch the pressure and flow rates etc. rather than the computer. So the hell what. Get the damn gas flowing again, morons.
Yeah, that's not what I'm driving at. FWIW, it's all been Linux on my personal machines since 1999. (Xenix can suck my ass, I felt that pain too.)
Corporate America = MS Office and client/server apps that are Windows-only. Few corps have purely web-based apps that meet all their business needs. Active Directory is king of the Identity Providers. ISV (prepackaged, turnkey, vendor-controlled) systems that use a GUI are generally Windows, because *nix simply doesn't have a cohesive, stable desktop environment, and no vendor wants to recode everything every two years because a bunch of college kids decide to swap out the WM or throw out GTK2 compatibility when they make GTK3. Micro$oft is unavoidable.
When I pentest, I'm not always interested in getting root. I don't need it most of the time. Being able to find an open service where I can put a piece of malware and point target machines at to fetch is a typical goal. Because it's *nix, it will be a stable repository or C2 node. 99% of the time, there won't be an antimalware engine on that machine that will blow it away, and it's usually considered a trusted machine so there are favorable network ACLs giving its communications carte blanche access. A perfect foothold.
If I can traverse through the service to grab a copy of a keytab or ssh keyring I can use to pass the hash, awesome, that's bonus loot. If there's a DBMS with a vulnerability, it rarely matters what OS it's on; I attack the service, regardless of how secure the OS is. And realistically, unless you're watching SELinux logs 24x7 (who the hell has time for that), you're not going to even know I'm there.
Now take everything I said and recognize that within a corp infrastructure, 10% or more of the devices connected to the network are running a flavor of Unix, not counting the server farm. Fewer than half are updated on a regular basis, with a quarter that are never upgraded from the day they're put in place to the day they're obsoleted and ripped out, which is 8-10 years. They are monitored for uptime, but that's about it. Manufacturing and Healthcare are the worst: those systems are lightly protected, designed to fail open, require executive-level permission for even routine maintenance, and they sweat those assets sometimes for 15 years.
Over the last 3 years in the Incident Response arena, *nix machines have been a critical piece in the infection nearly 3/4 of the times I've been associated with the cleanup effort, and I think only once was root compromised.
Okay... let's put this in context now. They've hacked the database or bounced off the Unix box into the PLCs etc. just like you say, but they don't have root. They've now been discovered because of the ransom. So without root, getting rid of them should be far easier. The hackers don't control the routers or the OS. Unplug the damn network cable and remove the problem. It's all software. They don't physically control anything.
Yes I know I'm over simplifying. I don't have time to write a dissertation about systems I'm not an expert on. Or time to become an expert. All I'm saying is an expert... a person who deals with those systems every day should be able to resolve this in days maybe less. If the problem is that the individual boards all need to be checked then you bring in more people to help so it goes faster. ANY problem can be solved.
And that's the crux of my point. Those problems aren't being solved, and everything being dragged out has a logical explanation... bureaucrats and politicians are in the way. They won't bring in those extra warm bodies. Etc. Why? Because they want this dragged out. The hack becomes an excuse. It's possible the cabal is even behind "the hack". Hell, it might have been an inside job. Yeah, I'm making leaps, but isn't it awfully convenient that the states affected are all red states in the SE that all lifted WuFlu restrictions and were expecting hundreds of thousands of travelers to show up on vacation who would need lots of gas?
These people set a virus loose on the world, lied about it, tried to bury treatments for it, used it as cover to hack an election, and you seriously think they are above sabotaging a gas pipeline and using a "hack" as an excuse?