The sensors typically cost $1,000 or $2,000 and are deployed in the hundreds or thousands at a single oil, gas or water processor. The researchers said the flaws were found in devices supplied by three of the largest vendors in the field, but declined to identify them.
Penagos said most refineries that have the capability to monitor gas levels or temperature probably have the vulnerable devices in place. In some cases the sensors have a design flaw, while in other cases the customers installed them insecurely.
Either way, "the entire industrial process could be disabled or modified by disrupting the physical sensors," Apa said.
Since the 2010 disclosure of the U.S.-developed Stuxnet virus that attacked an Iranian nuclear facility, countries have intensified efforts to defend their own infrastructure while developing the capability to attack such equipment elsewhere.
In the United States, a February executive order by President Barack Obama directed the Department of Homeland Security to work with industry to develop security standards, but their adoption would be voluntary. The White House is now weighing possible incentives, while Congress mulls legislation that would be more forceful.
For now, DHS issues warnings of attacks and advisories on how to fix flaws of extra concern. The IOActive researchers said they had been working with DHS and equipment makers to develop fixes.
A DHS spokesman declined to comment on the research or the state of security in the energy industry.
The department's industrial control systems cybersecurity arm responded to more than 200 incidents in critical infrastructure in the first half of the current fiscal year, more than in all of the previous year. More than half of the latest incidents were in the energy sector, according to a recent DHS newsletter.
Apa and Penagos said they had spent months on their project and it would take a fair amount of specialized experience for someone to mount a destructive attack. But it might also take a long time for patches to be physically installed, they said.
Shawn Moyer, an Accuvant Labs researcher who has found similar problems with radio communications in industrial controls, said Apa and Penagos' work showed that utilities are still learning the best practices for security. He also noted that interception and alteration of data form just one part of a successful cyber attack.
"You have to know enough about the target to know to look for it," Moyer said.
Another cybersecurity company plans to demonstrate at Black Hat how hackers can remotely blow up a water tank using a combination of known vulnerabilities.
Eric Forner and Brian Meixell of the consulting firm Cimation said they would simulate an attack that causes a tank to be overfilled, causing a spill or blowout.
They said a modest copycat effort by malicious hackers could produce destruction at random, while targeting a specific facility would take more effort. For instance, hackers can use tools such as Shodan, a specialized search engine that lets anyone look for specific types of devices that are connected to the Internet, along with the names of their owners and their physical locations.
"For us it was an overnighter - it took 16 hours for two people," Forner said. "There are systemic problems in the industry with bad protocol implementation." (Reporting by Joseph Menn; Editing by Claudia Parsons)