Industrial Automation Threats Decline Slightly in Q2 2025, but Risks Remain

ICS malware infections fell in Q2 2025, but phishing and evolving threats keep OT environments at risk.

Sep 23, 2025
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners.

The latest report from Kaspersky’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) reveals both encouraging and concerning trends in the cyber threat landscape for industrial automation systems in Q2 2025. 

Overall, 20.5% of ICS computers faced blocked malicious objects during the quarter, a 1.4 percentage point (pp) drop from Q1 2025 and a 3.0 pp decrease compared to Q2 2024.

While the decline indicates progress in reducing exposures, regional disparities and evolving attack techniques highlight ongoing risks for operational technology (OT) environments.

Globally, the percentage of ICS computers encountering blocked threats ranged from 11.2% in Northern Europe to 27.8% in Africa. 

Most regions experienced declines in infection attempts compared to the previous quarter, with the exceptions of Australia, New Zealand, and Northern Europe, where rates increased. This geographic variation underscores differences in infrastructure maturity, patch adoption, and attacker focus.

Industry-Specific Findings

Across all surveyed industries, the percentage of ICS computers with blocked malicious objects declined in Q2 2025. However, the biometrics sector led all industries in exposure rates, reflecting the high-value nature of identity and authentication systems. 

Despite overall declines, the breadth of malicious activity remains significant: Kaspersky blocked malware from 10,408 different families across OT networks during the quarter.

Threat Sources and Infection Vectors

Internet-based threats remain the most common vector for OT environments, including compromised websites, malicious downloads, and poisoned cloud services. 

In Q2 2025, 5.91% of ICS computers were blocked from accessing deny-listed internet resources, an increase tied to malicious code hosted on popular file-sharing platforms. Malicious documents also rose slightly, detected on 1.97% of systems.

Email-borne threats continue to grow in prominence. Phishing messages carrying malicious attachments, spyware, and scripts accounted for an increasing share of ICS compromises, with rates rising in all regions except Russia. Meanwhile, threats originating from removable storage and network folders continued to decline, reaching their lowest global levels since Q2 2022.

Malware Categories

Multi-stage attacks remain the norm, with initial infection tools paving the way for spyware, ransomware, and cryptominers. Although percentages fell across all categories, the risks are notable:

  • Spyware was blocked on 3.84% of ICS computers (down 0.36 pp).
  • Ransomware appeared on 0.14% of systems (down 0.02 pp).
  • Executable miners were detected on 0.63% of systems (down 0.15 pp).
  • Web miners dropped sharply to 0.30%, their lowest rate since Q2 2022.

Self-propagating malware such as worms and viruses also declined, blocked on just over 1% of ICS systems. AutoCAD-targeting malware, often used to steal or corrupt industrial design files, dropped to 0.29%, the lowest figure recorded since Q2 2022.

The Bigger Picture

While the decline in overall infection rates suggests progress in defense, the diversity of threats—spanning thousands of malware families—demonstrates the persistence and adaptability of attackers. 

ICS and OT environments remain attractive because they underpin critical infrastructure, manufacturing, energy, and industrial operations worldwide. The rise in email-borne attacks also shows that attackers continue to shift toward social engineering and phishing to bypass other technical defenses.

Moreover, the Shai-Hulud worm incident in September 2025, affecting npm packages, highlights how quickly wormable malware can spread through ecosystems when authentication and publishing controls are weak. For industrial systems, where patching and downtime are difficult, the stakes are even higher.

Mitigation Strategies

Defenders in industrial organizations should consider several actions:

  • Adopt phishing-resistant email protections such as sandboxing, advanced attachment scanning, and domain authentication (DMARC, SPF, DKIM).
  • Limit internet exposure of ICS assets and enforce strict network segmentation between OT and IT environments.
  • Deploy removable media controls and continuously scan for malware families associated with worms and infostealers.
  • Strengthen monitoring and visibility using behavioral detection, threat intelligence feeds, and anomaly detection tuned for ICS environments.
  • Adopt secure defaults for authentication including multifactor authentication (MFA) for remote management interfaces.

The Q2 2025 ICS CERT findings highlight a paradox: overall infection rates are down, yet attackers remain relentless in innovating through email, malicious documents, and social engineering. 

For critical infrastructure operators, this means vigilance cannot wane. Proactive defense strategies—focused on phishing resilience, internet isolation, and advanced monitoring—are essential to protecting the OT systems that power modern industry.
