"Once you're in an engineer's email, it's just a matter of cross-contamination," he added. "Eventually an engineer is going to have to access the Internet to update something on the SCADA and that's when you get cross-contamination."
Phishing attacks on SCADA systems are likely rare, said Raj Samani, vice president and CTO of McAfee's EMEA.
"I would anticipate that the majority of spear phishing attacks against employees would be focused against the IT network," Samani said in an interview. "The espionage attacks on IT systems would dwarf those against SCADA equipment."
Still, the attacks are happening. "These are very targeted attacks and not something widely publicized," said Dave Jevans, chairman and CTO of Marble Security and chairman of the Anti-Phishing Work Group.
Jevans acknowledged, though, that most SCADA attacks involve surveillance of the systems and not infection of them. "They're looking for how it works, can a backdoor be maintained into the system so they can use it in the future," he said.
"Most of those SCADA systems have no real security," Jevans said. "They rely on not being directly connected to the Internet, but there's always some Internet connection somewhere."
Some companies even still have dial-in numbers for connection to their systems with a modem. "Their security on that system is, 'Don't tell anybody the phone number,'" he said.