Reply to "CSX expects PTC to pave way for 1-person crews; autonomous operations"

One thing I can tell you about the publicized cases of hacking: they are often the result of a combination of legacy systems that have not been audited for security and just plain sloppiness with security standards (I am going to leave out cases where people's own PCs are compromised). We hear about power control systems and water systems being hacked, for example, but many of these are ancient systems built well before the age of the internet, and they lack basic controls that can help stop them from getting cracked (some of them are ancient enough that they might not even have the source code for the system; talk to people who did Y2K-related work). The other problem is human factors: with Anthem and some other cases, reputedly the attackers gained access to the systems by phishing, targeting employees of Anthem with 'official-looking' emails that allowed them to get credentials to log into the network; not to mention that Anthem, like a lot of companies with sensitive data, doesn't encrypt it or otherwise make it non-human-readable (worse, they often have information in readable form in log files and the like, instead of obfuscating the data being passed). Some industries haven't had these problems; for example, can anyone show me where hackers have managed to get into the trading systems at financial institutions and do real damage: fake trading, compromising financial/clearing data? Outside of some denial-of-service attacks (which are another issue), one of the reasons is that both industry and securities-industry regulation require strict adherence to data security and systems security; companies get audited on their security, and as a result the companies have very strict rules regarding security, everything from the employee desktop, to training on security for developers and the like, to constant testing of the systems.

The other big vulnerability, as Target found, was using a third-party provider that they didn't fully vet for security, and ending up with systems with a Trojan horse in the code that breached a ton of customers' financial information. Again, a lot of this is because, quite frankly, there aren't that many regulations around these things; public-company auditing standards still don't, as far as I know, require audits of computer security risk the way they do with others.

The thing about, for example, an autonomous train control system (if it comes about) is that it will be a modern system, and due to its criticality it is highly likely that they won't have the sloppiness you see with legacy systems, and hopefully someone like the FRA would require outside security audits both of the systems and of the security rules and procedures of, let's say, CSX; I suspect they will do it, if only for the liability. Sadly, when companies like Target or other retailers get hacked, or places like Anthem get hacked, the consequences to them don't match the pain they cause the customers; the cost of lawsuits and of, for example, providing credit monitoring/repair services to the victims is small enough that they can shrug and say "it is the cost of doing business." If, on the other hand, an autonomous train control system was hacked and a terrorist action ensued that killed a lot of people, there likely would be severe consequences, up to and including potential criminal prosecution of the company's executives; they basically cannot claim they didn't know of the threat, not with all the issues with cyber warfare and hacking.

I suspect that with autonomous train control, or self-driving trucks, whether it happens or not may be more political than a matter of technical infeasibility or risk; there already are such systems in other contexts that are not used because of political reasons or other kinds of non-technical issues, from what I have been told.

OGR Publishing, Inc., 1310 Eastside Centre Ct, Suite 6, Mountain Home, AR 72653
800-980-OGRR (6477)
www.ogaugerr.com