However, some security researchers believe that creating such malware is still beyond the abilities of the average attacker.
"Creating malware that will be successful in attacking an ICS is not trivial and may require a lot of insight and planning," Thomas Kristensen, chief security officer at vulnerability intelligence and management firm Secunia, said via email. "This also significantly limits the amount of people or organisations who are able to pull off such an attack."
"We are not in doubt though, that we will see attacks against ICS," Kristensen stressed.
"Most of the deployed SCADA and DCS [distributed control system] applications and hardware were developed without a Security Development Lifecycle (SDL) -- think Microsoft in the late '90s -- so it is rife with common programming errors that lead to bugs, vulnerabilities, and exploits," Peterson said. "That said, the PLCs and other field devices are insecure by design and do not require a vulnerability to take a critical process down or alter it in a malicious way a la Stuxnet."
Peterson's company, Digital Bond, released several exploits for vulnerabilities found in PLCs (programmable logic controllers) -- SCADA hardware components -- from multiple vendors, packaged as modules for the popular Metasploit penetration testing framework, an open-source tool that can be used by virtually anyone. This was done as part of a research project called Project Basecamp, whose goal was to show how fragile and insecure many existing PLCs are.
"The only restriction to finding large numbers of SCADA and DCS vulnerabilities is researchers getting access to the equipment," Peterson said. "More are trying and succeeding so there will be an increase of vulnerabilities that will be disclosed in whatever manner the researcher deems appropriate."
Santamarta agreed that it's easy for researchers to find vulnerabilities in SCADA software today.
There is even a market for SCADA vulnerability information. ReVuln, a Malta-based startup security firm founded by security researchers Luigi Auriemma and Donato Ferrante, sells information about software vulnerabilities to government agencies and other private buyers without reporting them to the affected vendors. Over 40% of the vulnerabilities in ReVuln's portfolio at the moment are SCADA-related.