INL researcher and famed ICS hacker Jason Larsen gave a much-buzzed-about talk at S4x14 in January that deserves more attention.
Jason presented his famous "Triangles" talk, which introduces a novel data spoofing technique that produces realistic sensor jitter in a very small amount of code.
You can watch his talk here.
Sorry to run with the Triangle theme, but Jason's talk really illustrates the third point of control systems insecurity.
First, we had Stuxnet, which showed that PLCs have no process control integrity. That is, malicious logic running on a PLC can alter the process while feeding the HMI whatever process data it wants the operator to see. Without using a tool like Langner's Control Integrity Checker, you can't really know whether the logic your PLC is running is the logic you're expecting (and thus you can't know whether this attack has been performed against you). The downsides of using the CIC are that a PLC rootkit could hide malicious ladder logic from the checker, since the checker can only compare what the PLC reports against what you expect, and of course CIC has to be implemented for your PLC if your PLC is not made by Siemens.
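To make the control integrity point concrete, here is an added example that is not from the original post and is not Langner's CIC or any vendor tool: a baseline-comparison checker over constructed, hypothetical "program block" images (the block names, bytes, and the `honest_upload`/`rootkitted_upload` stand-ins for a PLC's program-upload service are all assumptions for illustration). It shows both the check and its limitation: a rootkit that answers uploads with the clean program makes the check pass while modified logic is actually running.

```python
import hashlib

# Constructed sample block images standing in for uploaded PLC program blocks.
# Not real ladder logic or Siemens block formats; illustrative only.
BASELINE_BLOCKS = {
    "OB1": b"\x01\x02main cyclic program",
    "FC10": b"\x10valve control",
    "DB5": b"\x05setpoints",
}


def fingerprint(blocks):
    """Return {block_name: sha256_hex} for a dict of block images."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}


def check_integrity(baseline, uploaded):
    """Compare block images uploaded from the PLC against the trusted baseline.

    Returns a dict with 'ok' plus sorted 'modified', 'added' and 'missing' lists.
    """
    base_fp = fingerprint(baseline)
    up_fp = fingerprint(uploaded)
    modified = sorted(n for n in base_fp if n in up_fp and base_fp[n] != up_fp[n])
    added = sorted(n for n in up_fp if n not in base_fp)
    missing = sorted(n for n in base_fp if n not in up_fp)
    return {
        "ok": not (modified or added or missing),
        "modified": modified,
        "added": added,
        "missing": missing,
    }


def honest_upload(running_blocks):
    """Hypothetical PLC that returns exactly the program it is executing."""
    return dict(running_blocks)


def rootkitted_upload(running_blocks, clean_blocks):
    """Hypothetical rootkitted PLC: executes running_blocks but answers
    program-upload requests with the clean image, hiding the change."""
    return dict(clean_blocks)


def demo():
    """Run the checker against an honest and a rootkitted PLC.

    Returns (honest_result, hidden_result); the honest check flags FC10 and
    FC999, the rootkitted check reports ok despite the same tampering.
    """
    tampered = dict(BASELINE_BLOCKS)
    tampered["FC10"] = b"\x10valve control" + b"\xffinjected"   # modified block
    tampered["FC999"] = b"\x99spoofed sensor feed"               # injected block

    honest_result = check_integrity(BASELINE_BLOCKS, honest_upload(tampered))
    hidden_result = check_integrity(BASELINE_BLOCKS, rootkitted_upload(tampered, BASELINE_BLOCKS))
    return honest_result, hidden_result


if __name__ == "__main__":
    honest, hidden = demo()
    print("honest PLC  :", honest)
    print("rootkitted  :", hidden)
```

The upload step is the vendor-specific part: whatever protocol the checker uses to read blocks back is exactly what must be re-implemented per PLC family, and it is also the step a rootkit on the controller gets to answer, which is why the result is only as trustworthy as the PLC itself.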