Basic phishing attacks and easily available tools are all that is needed to compromise many industrial control systems, the head of cybersecurity for the U.S. Department of Energy’s Strategic Petroleum Reserve has warned.

Speaking at the ISC Security Congress In Atlanta this week, Chris Shipp said that sophisticated attacks such as Stuxnet are not necessary to penetrate and compromise may industrial control systems, as reported by Macworld.

This includes those used to operate power plants, chemical plants and hydroelectric dams, Network World reports.

Shipp said that he has seen more than one real-life situation where systems were compromised using basic phishing attacks, and tools which attackers could find through the online security resource Metasploit.

Phishing attacks: Systems remain connected

Shipp said that many industrial control systems remained connected to the internet via business networks - having been connected for patching, inventory and other business reasons.

This makes them vulnerable, he said, as the systems are not readily upgraded.

A demonstration showed off how a simple phishing attack followed by installation of a keylogger was sufficient to take control of a business workstation and thus gain access to vulnerable systems.

Many plants also use Windows-based networking systems, rather than proprietary ones, which means that attackers can more easily gain a foothold, in an environment they understand.

Shipp advises constant penetration testing and upgrading systems where possible.

Attackers with ‘deep pockets’

Shipp says that his findings are particularly alarming, given that attacks such as Stuxnet have demonstrated that groups with the resources to mount extremely expensive attacks are targeting such systems.

Stuxnet inspired much debate among security professionals, as reported by We Live Security here, both for its targeting of industrial control systems, and its sophistication, which seemed to indicate that it was made by a group with the resources of a nation-state.

ESET Senior Research Fellow David Harley cautioned, in the wake of the attacks, against expecting  “the next Stuxnet” to be similar. “Expect the unexpected,” he wrote.