"We will see an increase in exploitation of the Internet accessible control system devices as the exploits get automated," said Dale Peterson, chief executive officer at Digital Bond, a company that specializes in ICS security research and assessment, via email.
However, the majority of Internet accessible control system devices are not part of what most people would consider critical infrastructure, he said. "They represent small municipal systems, building automation systems, etc. They are very important to the company that owns and runs them, but would not affect a large population or economy for the most part."
Attackers who could potentially be interested in targeting such systems include politically motivated hackers trying to make a statement, hacktivist groups with an interest in drawing attention to their cause, criminals interested in blackmailing companies or even hackers doing it fun or bragging rights.
A recently leaked FBI cyberalert document dated July 23 revealed that earlier this year hackers gained unauthorized access to the heating, ventilation and air conditioning (HVAC) system operating in the office building of a New Jersey air conditioning company by exploiting a backdoor vulnerability in the control box connected to it -- a Niagara control system made by Tridium. The targeted company installed similar systems for banks and other businesses.
The breach happened after information about the vulnerability in the Niagara ICS system was shared online in January by a hacker using the moniker "@ntisec" (antisec). Operation AntiSec was a series of hacking attacks targeting law enforcement agencies and government institutions orchestrated by hackers associated with LulzSec, Anonymous and other hacktivist groups.
"On 21 and 23 January 2012, an unknown subject posted comments on a known US website, titled '#US #SCADA #IDIOTS' and '#US #SCADA #IDIOTS part-II'," the FBI said in the leaked document.
"It's not a matter of whether attacks against ICS are feasible or not because they are," Ruben Santamarta, a security researcher with security consultancy firm IOActive, who found vulnerabilities in SCADA systems in the past, said via email. "Once the motivation is strong enough, we will face big incidents. The geopolitical and social situation does not help so certainly, it is not ridiculous to assume that 2013 will be an interesting year."
Targeted attacks are not the only concern; SCADA malware is too. Vitaly Kamluk, chief malware expert at antivirus vendor Kaspersky Lab, believes that there will definitely be more malware targeting SCADA systems in the future.
"The Stuxnet demonstration of how vulnerable ICS/SCADA are opened a completely new area for whitehat and blackhat researchers," he said via email. "This topic will be in the top list for 2013."
