While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing.
Rather than worry about exotic cyber weapons like Stuxnet and its big brother, Flame, companies that have Supervisory Control and Data Acquisition (SCADA) systems -- computer systems that monitor and control industrial processes -- should make sure that their anti-phishing programs are in order, say security experts.
"The way malware is getting into these internal networks is by social engineering people via email," Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, said in an interview.
"You send them something that's targeted, that contains a believable story, not high-volume spam, and people will act on it by clicking a link or opening a file attached to it," he said. "Then, boom, the attackers get that initial foothold they're looking for."
In a case study cited by Belani, he recalled a very narrow attack on a single employee working the night shift monitoring his company's SCADA systems.
The attacker researched the worker's background on the Internet and used the fact he had four children to craft a bogus email from the company's human resources department with a special health insurance offer for families with three or more kids.
The employee clicked a malicious link in the message and infected his company's network with malware. "Engineers are pretty vulnerable to phishing attacks," Tyler Klinger, a researcher with Critical Intelligence, said in an interview.
He recalled an experiment he conducted with several companies on engineers and others with access to SCADA systems in which 26 percent of the spear phishing attacks on them were successful.
Success means that the target clicked on a malicious link in the phishing mail. Klinger's experiment ended with those clicks. In real life, those clicks would just be the beginning of the story and would not necessarily end in success for the attacker.
"If it's a common Joe or script kiddie, a company's [intrusion detection] systems will probably catch the attack," Klinger said. "If they're using a Java zero-day or something like that, there would be no defense against it."
In addition, phishing attacks are aimed at a target's email, which is usually located on a company's IT network. Companies with SCADA systems typically segregate them from their IT networks with an "air gap."
That air gap is designed to insulate the SCADA systems from the kinds of infections perpetrated by spear phishing attacks. "Air gaps are a mess these days," Klinger said. "Stuxnet taught us that."
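The HR-impersonation lure described earlier in the article can be screened for at the mail gateway before anyone on the night shift sees it. The following is an added example, not code from the article or from either firm quoted; it assumes a company domain of corp.example, a constructed sample message, and an assumed list of commonly impersonated internal roles.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a lure posing as the company's HR department with a
# family health-plan offer, sent from an external domain (assumed values).
SAMPLE_MESSAGE = b"""From: "Human Resources" <hr-benefits@example-mail.net>
Reply-To: benefits-enrollment@example-mail.net
To: operator@corp.example
Subject: Special family health plan for employees with 3+ children
Authentication-Results: mx.corp.example; spf=fail; dkim=none

Enroll today: http://example-mail.net/enroll
"""

INTERNAL_DOMAIN = "corp.example"  # assumed company domain
# Internal roles a lure is likely to impersonate (assumed list)
IMPERSONATED_ROLES = ("human resources", "hr", "benefits", "payroll", "it helpdesk")


def spoof_indicators(raw):
    """Return reasons an inbound message looks like an internal-department impersonation."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Display name claims an internal role while the address is external
    if any(role in display.lower() for role in IMPERSONATED_ROLES) and sender_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name '{display}' claims an internal role but sender domain is {sender_domain}")
    # 2. Reply-To routes replies somewhere other than the From address
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")
    # 3. The receiving MX recorded failed or absent sender authentication
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=none" in auth:
        reasons.append(f"sender authentication failed: {auth.split(';', 1)[-1].strip()}")
    return reasons


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_MESSAGE):
        print("FLAG:", reason)
```

A message that trips one or more of these checks can be quarantined or tagged for the recipient, which is where the click in the case study would have been stopped.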