In Q1 2025, malicious objects were blocked on 21.9% of ICS computers globally, according to a new report by Kaspersky ICS CERT (Industrial Control Systems Cyber Emergency Response Team). In India, malicious objects were blocked on 19.1% of ICS computers.
Main threat sources for ICS computers in India
The OT cyberthreat landscape at the beginning of 2025 remained diverse in India, with threats spreading via the internet continuing as the main source of cyber risks to OT computers (these threats were blocked on 9.79% of ICS computers), followed by email clients (1.47%) and removable media (0.71%).
Threats by industries, globally
The biometrics sector was targeted more than any other industry vertical (malicious objects were blocked on 28.1% of ICS computers), followed by building automation (25%), electric power facilities (22.8%), construction facilities (22.4%), engineering equipment (21.7%), oil & gas facilities (17.8%), and manufacturing (17.6%).
Categories of malicious objects, globally
The most widespread categories of blocked malicious objects were malicious scripts and phishing pages, as well as denylisted Internet resources.
The share of ICS computers on which malicious objects from different categories were blocked, Q1 2025, globally
⦁ Africa (6.21%), Russia (5.6%), and Central Asia (5.5%) were the top three regions by percentage of ICS computers on which denylisted internet resources were blocked. Denylisted resources are malicious websites and services to which access is blocked by Kaspersky cybersecurity solutions. Threat actors use these resources to spread malware, to run phishing attacks, and to host command and control infrastructure.
⦁ The top three regions by percentage of ICS computers on which malicious documents were blocked were Southern Europe (4.02%), Latin America (3.3%), and the Middle East (2.7%). Attackers mainly send malicious documents attached to phishing messages and use them in attacks aimed at initial infection of computers. Malicious documents typically contain exploits, malicious macros, and malware links.
⦁ The top three regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were Southern Europe (10.31%), Africa (10.14%), and the Middle East (9.58%). Attackers use scripts for a wide range of objectives: collecting information, tracking, redirecting the browser to a malicious site, and uploading various types of malware (spyware, silent crypto mining tools, ransomware) to the user’s system or browser.
⦁ The top three regions by percentage of ICS computers on which spyware was blocked were Africa (7.05%), Southern Europe (6.52%) and the Middle East (6.25%). The ultimate goal of most spyware attacks is to steal money, but spyware is also used in targeted attacks for cyberespionage. Spyware is also used to steal the information needed to deliver other types of malware, such as ransomware and silent miners, as well as to prepare for targeted attacks.
⦁ The top three regions by percentage of ICS computers on which ransomware was blocked were East Asia (0.32%), the Middle East (0.3%), and Africa (0.25%).
⦁ Central Asia (1.72%), Russia (1.04%), and Eastern Europe (0.85%) were the top three regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked. The share increased in all regions except Northern Europe. The top three regions in terms of growth for this indicator were South-East Asia, Africa, and Central Asia.
⦁ The top three regions by percentage of ICS computers on which worms were blocked were Africa (3.65%), Central Asia (2.79%), and the Middle East (1.99%).
⦁ The top three regions by percentage of ICS computers on which viruses were blocked were South-East Asia (8.68%), Africa (3.87%), and East Asia (2.85%).
“As the internet remains the primary source of threats to ICS computers, in the first quarter of 2025, the share of ICS computers attacked with malware spread via the internet increased for the first time since the beginning of 2023. The main categories of threats from the internet are denylisted internet resources, malicious scripts and phishing pages. Malicious scripts and phishing pages is the leading category of malware used for initial infection of ICS computers – they act as droppers of next-stage malware, such as spyware, crypto miners and ransomware. The rise in internet-based attacks on ICS highlights the critical need for advanced threat detection to counter sophisticated malware campaigns,” commented Evgeny Goncharov, Head of Kaspersky ICS CERT.
To keep OT computers protected from various threats, Kaspersky experts recommend:
⦁ Conducting regular security assessments of OT systems to identify and eliminate possible cyber security issues.
⦁ Establishing continuous vulnerability assessment and triage as the foundation of an effective vulnerability management process. Dedicated solutions such as Kaspersky Industrial CyberSecurity can support this process and provide actionable information that is not fully available from public sources.
⦁ Performing timely updates of the key components of the enterprise’s OT network. Applying security fixes and patches, or implementing compensating measures, as soon as it is technically possible is crucial for preventing a major incident that could cost millions through interruption of the production process.
⦁ Using EDR solutions such as Kaspersky Next EDR Expert for timely detection of sophisticated threats, investigation, and effective remediation of incidents.
⦁ Improving the response to new and advanced malicious techniques by building and strengthening teams’ skills in incident prevention, detection, and response. Dedicated OT security training for IT security staff and OT personnel is one of the key measures that helps achieve this.