There are still many legacy SCADA systems which run very old OS's that have just been attached to the Internet for ease of management.
I have not seen anything suggesting an agreed standard in this area... It appears that everyone has just used whatever platform they were comfortable with, which means older vulnerabilities are often still there, and unpatched.
This is not the type of site to ask for 'sploits, though, so that's about the level of detail I would go to.
There is a lovely piece of footage on YouTube, showing a generator destroyed through simple commands over TCP/IP. Fun bit from 1;20 onwards.