by bleke 2955 days ago
You can run whatever system (L4 with formal verification and written in a super secure language...), but as long as there are no redundant checks you are already doomed from the start. Stuxnet is a nice example of why a critical system must have at least:

* Somebody periodically checking in person what is happening and cross-checking the results with the operator

* An alternative monitoring system: even an amateur Arduino system with an RS-422/485 network and independent sensors can become an impenetrable wall for Stuxnet-type worms.
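The cross-check the comment describes, as an added example that is not part of the original post: a small Python detector that compares the values the primary control system reports against readings from an independent sensor channel the control system cannot write to. The sample streams, the 5% tolerance and the 5-sample "frozen primary" window are constructed assumptions, and the frozen-feed heuristic (primary reports a constant value while the independent sensors keep moving) is a generalization of the comment's point rather than anything it states.

```python
"""Cross-check primary telemetry against an independent sensor channel.

Constructed example: both feeds are lists of (timestamp, value) samples
sampled in lockstep. The tolerance and window size are assumptions.
"""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Alert:
    t: int           # timestamp of the sample that triggered the alert
    kind: str        # "divergence" or "frozen_primary"
    primary: float   # value the control system reported
    independent: float  # value the independent sensor measured


def cross_check(primary, independent, tolerance=0.05, frozen_window=5):
    """Compare two sample streams sample by sample.

    primary:       readings as reported by the control/monitoring system
    independent:   readings from sensors outside the control system's reach
    tolerance:     relative difference allowed before a divergence alert
    frozen_window: consecutive identical primary samples that, while the
                   independent channel still varies, are flagged as a
                   possibly replayed or tampered primary feed
    Returns a list of Alert objects in time order.
    """
    if len(primary) != len(independent):
        raise ValueError("streams must be sampled in lockstep")
    alerts = []
    for i, ((tp, vp), (ti, vi)) in enumerate(zip(primary, independent)):
        if tp != ti:
            raise ValueError(f"timestamp mismatch at index {i}: {tp} != {ti}")
        # Relative divergence between the two channels.
        scale = max(abs(vi), 1e-9)
        if abs(vp - vi) / scale > tolerance:
            alerts.append(Alert(tp, "divergence", vp, vi))
        # Primary feed stuck on one value while reality keeps changing.
        if i + 1 >= frozen_window:
            p_win = [v for _, v in primary[i + 1 - frozen_window:i + 1]]
            i_win = [v for _, v in independent[i + 1 - frozen_window:i + 1]]
            if len(set(p_win)) == 1 and pstdev(i_win) > 0:
                alerts.append(Alert(tp, "frozen_primary", vp, vi))
    return alerts


# Constructed sample streams: the primary feed keeps reporting a steady
# value while the independent sensors see the process drift upward.
PRIMARY = [(0, 1000), (1, 1001), (2, 999), (3, 1000),
           (4, 1000), (5, 1000), (6, 1000), (7, 1000)]
INDEPENDENT = [(0, 1000), (1, 1003), (2, 1001), (3, 1120),
               (4, 1250), (5, 1380), (6, 1400), (7, 1410)]


if __name__ == "__main__":
    for a in cross_check(PRIMARY, INDEPENDENT):
        print(f"t={a.t:>2} {a.kind:<15} primary={a.primary} independent={a.independent}")
```

Running the block prints one divergence alert per sample from t=3 onward and a frozen_primary alert at t=7, once five identical primary samples have accumulated; the first three samples, where both channels agree, produce nothing. The independent channel only helps if it is genuinely independent: its sensors, wiring and readout must not share a bus, firmware or host with the system it checks.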