While security has become increasingly crucial to SCADA systems due to changing threat landscape and increasing connectivity with relatively more open systems, most legacy SCADA systems are susceptible to false command injection by compromised or intruding devices since message authentication is not in-built in their protocols. It is also practically infeasible to patch these systems with cryptographic defence due to resource constraints of the old-generation devices used. Hence, protection of legacy SCADA systems has to be purely add-on, without requiring protocolor device-level modifications. The state-of-the-art of non-intrusive defence strategies for legacy SCADA systems against false command injection is discussed, comparing the strengths and limitations of the bump-in-the-wire, data diode, protocol-compliant authentication and detect-and-respond approach while discussing their applicable scenarios, costs of deployment and security assurance. In particular, the design principles of the detect-and-respond approach, namely, false command detection and neutralization, are elaborated with reference to its implementation on two legacy SCADA protocols.