In Q1 2025, malicious objects were blocked on 21.9% of ICS computers globally, according to a new report by Kaspersky ICS CERT (Industrial Control Systems Cyber Emergency Response Team).

Regionally, this share varied from 10.7% in Northern Europe to 29.6% in Africa.

From Q4 2024 to Q1 2025, the share of ICS computers on which malicious objects were blocked increased in Russia (by 0.9 percentage points), Central Asia (by 0.7 pp), South Asia (by 0.3 pp), Western Europe (by 0.2 pp), Northern Europe (by 0.1 pp) and Southern Europe (by 0.1 pp).

The biometrics sector was targeted more than any other industry vertical (malicious objects were blocked on 28.1% of ICS computers), followed by building automation (25%), electric power facilities (22.8%), construction facilities (22.4%), engineering equipment (21.7%), oil & gas facilities (17.8%) and manufacturing (17.6%).

The OT cyberthreat landscape at the beginning of 2025 remained diverse. Threats spreading via the Internet continued to be the main source of cyber risk to OT computers (these threats were blocked on 10.11% of ICS computers), followed by email clients (2.81%) and removable media (0.52%).

“As the Internet remains the primary source of threats to ICS computers, in the first quarter of 2025, the share of ICS computers attacked with malware spread via the Internet increased for the first time since the beginning of 2023,” says Evgeny Goncharov, head of Kaspersky ICS CERT.

“The main categories of threats from the Internet are denylisted Internet resources, malicious scripts and phishing pages. Malicious scripts and phishing pages is the leading category of malware used for initial infection of ICS computers – they act as droppers of next-stage malware, such as spyware, crypto miners and ransomware.

“The rise in Internet-based attacks on ICS highlights the critical need for advanced threat detection to counter sophisticated malware campaigns.”