Since 2010's "Stuxnet" sabotage attempt, cyber-security of industrial control systems (ICS) or "SCADA" has become a buzzword in industry. The (cyber-)protection of the critical infrastructure became a focal point for governments. Vendors and manufacturers have pushed "Industrial Security" appliances onto the market, or claim that their products now come with "enhanced security". A cacophony of standards has emerged, and certification schemes are offered. But does this help? Given the increasing interconnectivity of ICS (SmartMeters, later the Internet-of-Things), shouldn't the direction be more towards standard IT than sticking to a dedicated ICS IT? Why is it that I can patch a computer centre overnight, but not a control system within a year? This presentation will not give the answers but outline why control system cyber-security sucks and which hurdles we encountered to handle ICS cyber-security like that of our computer centres. A change of paradigm is needed, and this change must start with people and not with technology.