> Hand him over or else we flick a switch here and the power grid in your city X goes down and there's nothing you can do about it.
The issue in your scenario is not who built the infrastructure, but who has remote access to it. Why would the manufacturer of (for instance) the PLCs controlling a substation have remote access to it? Wouldn't they be isolated in their own subnetwork, firewalled so that only a few hosts in the substation operator's network can reach it?
You do understand that this is managed infrastructure, right? Logging in and managing it remotely is literally part of the deal. It’s not even a secret.
The issue in your scenario is not who built the infrastructure, but who has remote access to it. Why would the manufacturer of (for instance) the PLCs controlling a substation have remote access to it? Wouldn't they be isolated in their own subnetwork, firewalled so that only a few hosts in the substation operator's network can reach it?