New Report Highlights the Internet as the Primary Threat to Industrial Automation Systems


A recent report by Kaspersky ICS CERT, released on June 10, 2025, sheds light on the persistent and evolving cyberthreats targeting industrial automation systems (IAS) worldwide during the first quarter of 2025.

The comprehensive analysis, based on data from Kaspersky Security Network (KSN), reveals that 21.9% of Industrial Control System (ICS) computers globally encountered malicious objects, a figure that has remained steady from the previous quarter.

Global Cybersecurity Challenges

However, the report underscores a critical finding: the internet stands as the predominant source of threats to operational technology (OT) infrastructure across all regions.


This pervasive threat vector is attributed to ICS computers accessing malicious or compromised web resources, alongside content distributed via messengers, cloud storage, and content delivery networks (CDNs).

With Africa topping the charts at 29.6% of affected ICS computers and Northern Europe recording the lowest at 10.7%, the disparity in regional cybersecurity maturity is stark, highlighting systemic underinvestment in cybersecurity tools, expertise, and awareness in vulnerable areas.

[Figure: Changes in the percentage of attacked ICS computers in Q1 2025]

Delving deeper, the report identifies specific regional challenges, with Africa, South-East Asia, and Central Asia facing heightened exposure to internet-based threats, recording rates of 12.76%, 12.32%, and 9.50% respectively for ICS computers affected by internet-sourced malware.

These threats encompass denylisted internet resources, malicious scripts, phishing pages, web miners, and spyware, often exploiting unpatched vulnerabilities or lax security policies that permit external service access on OT systems.

Malware Propagation

Email clients follow as the second most significant threat source, particularly in Southern Europe (6.76%), the Middle East (5.17%), and Latin America (4.55%), where phishing emails deliver malicious documents and scripts aimed at initial infection.

Removable media, while less prevalent, remains a notable concern in regions like Africa (2.44%) and South Asia (1.08%), often propagating outdated polymorphic worms, viruses, and modular cryptocurrency miners that exploit local network weaknesses through credential theft and brute-force attacks.

Network folders, though the least common source, facilitate self-propagating malware in regions such as East Asia (0.27%), indicating poor network segmentation and unprotected infrastructure.

The report categorizes malicious objects into initial infection vectors (e.g., denylisted resources and phishing pages), next-stage malware (e.g., spyware and ransomware), and self-propagating threats (e.g., worms and viruses).

Notably, spyware emerges as a critical issue in Africa (7.05%) and Southern Europe (6.52%), often paving the way for ransomware attacks, which are particularly rampant in East Asia (0.32%).

The rise in cryptocurrency miners, both web-based and Windows executables, is alarming, with global increases of 1.4 and 1.1 times respectively, driven by fileless execution techniques using PowerShell scripts and legitimate tools like XMRig masked as RiskTools.

Russia and Central Asia saw significant spikes in internet threats and miners, reflecting inadequate cybersecurity cultures and policy enforcement.

This detailed landscape underscores the urgent need for robust perimeter defenses, network isolation, and employee training to mitigate the internet’s role as the primary threat conduit.

Kaspersky’s findings serve as a clarion call for industries to prioritize cybersecurity investments to safeguard critical OT environments against an increasingly sophisticated threat ecosystem.
