While Wilhoit's honeypots showed that a threat exists, they did not reflect a real-world target. Control systems are typically not as easy to access through the Internet, particularly in larger utilities.
Buried within a company's infrastructure, a control system would not be accessed without first penetrating a company's defensive perimeter and then finding the IP address of the hosting computer, said Eric Cosman, vice president of standards and practices for the International Society of Automation.
None of the attackers in Wilhoit's research showed a high level of sophistication, which wasn't surprising. That's because hackers typically use only the technology needed to succeed, nothing more.
"(Advanced attackers) are known to have many cards in their pockets, and they pull out the cheapest card first," Ginter said. "If they can win the game with a two of hearts, then that's the card they'll play."
Wilhoit's research is seen as one more step toward building public awareness of the threats to critical infrastructure. In addition, such reports are expected to have an impact on regulators.
"You're going to have public utilities commissions reading this report and asking the utilities questions," Ginter said. "In a sense, this is a good thing. The awareness level needs to go up."
Sign up for CIO Asia eNewsletters.