Industrial Control Systems Cyber Threats in Q2 2025: Declines, Risks, and Mitigation Tactics

Overview of ICS Cyber Threat Trends in Q2 2025

Kaspersky’s latest report reveals encouraging signs as the percentage of industrial control system (ICS) computers facing blocked malicious objects dropped to 20.5% in Q2 2025, down 1.4 points from the previous quarter and 3 points from the prior year. Despite this positive trend, the report underscores persistent cyber risks fueled by sophisticated attack methods and regional differences.

Global and Regional Variations in Threat Exposure

Threat exposure varied significantly by region, with Northern Europe experiencing the lowest rate at 11.2%, while Africa saw the highest at 27.8%. Most areas reported declines from Q1, except for Australia, New Zealand, and Northern Europe, which saw slight increases. These disparities reflect differing levels of infrastructure maturity, patch adoption, and attacker targeting.

Industry-Specific Insights

While all surveyed industries recorded declines in blocked malicious objects, the biometrics sector remains the most vulnerable, highlighting the critical value attackers place on identity and authentication systems. Overall, Kaspersky blocked malware from over 10,400 distinct families during the quarter, emphasizing the broad scope of threats facing OT networks.

Primary Threat Sources and Infection Vectors

Internet-based threats dominate ICS cyber risks, including compromised websites, malicious downloads, and cloud service exploits. Notably, 5.91% of ICS systems were blocked from accessing deny-listed internet resources, driven by malicious files on popular sharing platforms. Email attacks, particularly phishing with malicious attachments and spyware, are on the rise globally—except in Russia—while threats from removable media and network folders continued to decline.

Malware Categories and Their Impact

Multi-stage attacks remain prevalent, with spyware, ransomware, and cryptominers forming the core threat landscape. Although incidence rates dropped slightly, the risks persist:

  • Spyware blocked on 3.84% of ICS computers

  • Ransomware detected on 0.14%

  • Executable cryptominers on 0.63%

  • Web miners fell sharply to 0.30%, the lowest since Q2 2022

Self-propagating malware like worms and viruses also decreased, with AutoCAD-targeting malware hitting a record low of 0.29%.

The Broader Cybersecurity Context

The overall reduction in infection rates is promising but belies the continued innovation and persistence of attackers. ICS and OT environments remain prime targets due to their critical role in infrastructure, manufacturing, and energy sectors. The increase in email-borne attacks highlights attackers’ shift toward social engineering tactics to circumvent technical defenses.

A stark example is the Shai-Hulud worm outbreak in September 2025, which spread rapidly through npm package ecosystems, illustrating how quickly wormable malware can disrupt industrial software supply chains.

Effective Mitigation Strategies for Industrial Systems

To defend against evolving threats, industrial organizations should adopt a layered approach including:

  • Phishing-resistant email protections: sandboxing, attachment scanning, and domain authentication protocols like DMARC, SPF, and DKIM

  • Strict network segmentation: isolating ICS assets from IT environments and limiting internet exposure

  • Removable media controls: scanning and restricting use to reduce worm and infostealer risks

  • Enhanced monitoring: behavioral detection, threat intelligence integration, and ICS-specific anomaly detection

  • Strong authentication: enforcing multifactor authentication (MFA) for all remote access interfaces
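As an added example (not from the Kaspersky report or this article), the following shows how the DMARC evaluation behind the first bullet combines an SPF verdict, a DKIM verdict and identifier alignment into a single disposition; the domains, verdicts and policy record are constructed, and the organizational-domain rule is simplified.

```python
"""DMARC alignment and disposition check (RFC 7489) over constructed inputs.

Assumes the mail gateway has already produced SPF and DKIM verdicts; the
sample domains, verdicts and policy below are constructed, not captured.
"""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Simplified organizational-domain rule: keep the last two labels.
    # Real evaluators consult the Public Suffix List (e.g. for co.uk);
    # this shortcut is an assumption made for the example.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # envelope (MAIL FROM) domain that SPF checked
    dkim_result: str
    dkim_domain: str   # d= tag of the verified DKIM signature


def dmarc_verdict(from_domain: str, results: AuthResults, policy: dict) -> str:
    """Return 'pass', or the disposition requested by the sender's p= tag.
    policy is the parsed DMARC record, e.g. {"p": "reject", "aspf": "s"}."""
    dkim_ok = results.dkim_result == "pass" and aligned(
        from_domain, results.dkim_domain, policy.get("adkim", "r"))
    spf_ok = results.spf_result == "pass" and aligned(
        from_domain, results.spf_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"
    # No aligned pass: apply the domain owner's requested disposition.
    return policy.get("p", "none")


# Constructed scenarios: a phishing mail that passes SPF for the attacker's
# own bulk-sender domain but spoofs the visible From domain, versus a
# legitimate message DKIM-signed by a subdomain of the From domain.
SPOOFED = AuthResults("pass", "bulk-sender.example", "none", "")
LEGIT = AuthResults("fail", "relay.example", "pass", "mail.plant.example")
POLICY = {"p": "reject", "adkim": "r", "aspf": "s"}

if __name__ == "__main__":
    print(dmarc_verdict("plant.example", SPOOFED, POLICY))  # reject
    print(dmarc_verdict("plant.example", LEGIT, POLICY))    # pass
```

A passing SPF check alone is not enough: the SPF domain must also align with the From domain, which is the step that catches the spoofed message above.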

Conclusion: Vigilance Is Critical Amid Evolving Threats

Kaspersky’s Q2 2025 ICS CERT report highlights a key paradox: while overall ICS infection rates decline, attackers continuously adapt through phishing, malicious documents, and social engineering. For operators of critical infrastructure, maintaining vigilance and proactive defenses is vital to protecting the OT systems that underpin modern industry.