Vital industry breached by spear phishing, network scanning and SQL injection.
Industrial control systems (ICS) in the US were breached on two out of every three days in the last fiscal year, according to a report from the ICS Cyber Emergency Response Team (ICS-CERT).
245 incidents involving control systems were reported to the group between October 2013 and last September, of which a third were aimed at the energy sector and a quarter at critical manufacturing.
Subsequent investigation by ICS-CERT also found that many of the initial points of intrusion could be attributed to basic methods like spear phishing, network scanning or SQL injection, in which hackers insert malicious commands into database queries through vulnerable input.
However, almost two-fifths of incidents had an unknown intrusion point, often because of "a lack of detection and monitoring capabilities".
The security group, which is backed by the Department of Homeland Security (DHS), warned that the figures likely underestimate the scale of the cyber threat against industry, because "many more incidents" go unreported.
"ICS-CERT continues to encourage asset owners to report malicious activity impacting their environment even if assistance is not needed or requested," it said in the research.
"As you report, ICS-CERT can provide situational awareness information about similar or related incidents and share data regarding the threat actor’s techniques and tactics."
In addition to the breach data, the group reported that it had received 159 reports of vulnerabilities in control system components, the most notable of which was the Heartbleed bug affecting the OpenSSL cryptographic library.
The most common flaws in control systems involved authentication, buffer overflows, in which data written past the end of a buffer overwrites adjacent memory, and denial-of-service attacks.