There is an interesting story from the Christian Science Monitor regarding attacks on some US oil companies. According to the article, the attackers used the same techniques described at S4 2010 in the keynote speech on Advanced Persistent Threat (APT) given by Kris Harms of Mandiant. The attackers used multiple teams to gain access, maintain access and extract data from the companies. While the article doesn’t state exactly what was taken, it does mention that the attackers may have been interested in oil deposit data. There was no mention of penetration into the control network, but given the APT hackers’ demonstrated ability to gain access to an oil company’s enterprise network, improper separation between the control and enterprise networks could allow these highly skilled attackers to gain access to a control network as well.
One thing about Kris’ speech that intrigued me was the fact that the APT hackers monitored their install base. With enough power, water and sewage companies infiltrated and monitored by these APT groups, serious damage could be inflicted when the time arose. While this is definitely a worst-case scenario, the groups seem to have the skills to gain access to sensitive areas of a network and remain there for an extended period of time. I cannot estimate their ability to interact with a control network, but the fact that these groups use separate teams for different parts of the attack means they could find people with control system expertise to perform unwelcome actions on a control system. Luckily for us, the APT groups seem to be focusing on financial institutions and trade secrets.