The percentage of ICS computers on which various types of malware spread via the internet and email were blocked increased for the first time in two years.
# Industry News: ICS Threat Vectors Shift as Internet and Email Attacks Surge
## Summary
Kaspersky ICS CERT's Q1 2025 report records a reversal in industrial security trends: for the first time in two years, the percentage of Industrial Control System (ICS) computers on which malware delivered via the internet and email was blocked has increased. This shift signals a heightened risk to internal industrial networks, because commodity threats are reaching engineering workstations and PLC management systems that perimeter defenses and segmentation were supposed to keep offline.
## Key Details
- **Date:** May 15, 2025
- **Companies Involved:** Kaspersky ICS CERT (Primary Researcher)
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
After a two-year period of relative stability or decline in commodity malware reaching industrial environments, the Q1 2025 data shows a resurgence in internet-delivered threats. While industrial systems are ideally "air-gapped" or strictly segmented, the report highlights that the percentage of ICS computers encountering malicious web content and email attachments is on the rise. This suggests that the "human element", operators browsing web resources or checking email on systems connected to the OT (Operational Technology) network, remains the main entry point. The malware detected includes a mix of multipurpose loaders, cryptocurrency miners, password stealers, and initial-access tooling used to facilitate more destructive ransomware attacks.
## Business Impact
### For the Companies Involved
- **Kaspersky:** Reaffirms their position as a dominant leader in OT-specific threat intelligence, likely driving increased demand for their KICS (Kaspersky Industrial CyberSecurity) product suite.
### For Competitors
- **CrowdStrike, Dragos, and Nozomi Networks:** Will face increased pressure to demonstrate how their XDR and OT monitoring solutions detect "low-level" commodity malware on industrial hosts before it escalates into ransomware or a targeted intrusion.
### For Customers
- **Industrial Operators:** Must accept that segmentation on its own is not keeping internet-borne malware off ICS workstations. There is an immediate need to reinvest in secure remote access, outbound (egress) traffic control, and awareness training specifically for OT personnel.
### For the Market
- **Insurance Premiums:** This data may lead cyber insurance providers to hike premiums for manufacturing and utility sectors, citing the failure of existing controls to mitigate basic internet-borne risks.
## Technical Implications
The report points to a familiar, low-cost pivot rather than a sophisticated one: commodity email-borne malware (droppers and loaders) establishes a foothold on IT-adjacent ICS computers, and the attacker escalates from there. For those infections to progress, the compromised workstation has to reach an external Command & Control (C2) server, typically over standard web ports (80/443) so that the traffic blends in with legitimate browsing. That this works at all implies that many industrial workstations have no egress filtering: any host that can open an outbound 443 connection to an arbitrary public address can also talk to C2.
## Strategic Analysis
- **Market Positioning:** This report shifts the narrative from "targeted nation-state attacks" back to "foundational hygiene." Vendors who focus on granular web filtering and email security for OT will gain a temporary market advantage.
- **Competitive Advantage:** Companies that integrate OT data into a unified SOC (Security Operations Center) will be better positioned to spot these trends early.
- **Challenges:** The ongoing convergence of IT and OT makes total isolation nearly impossible; the challenge lies in securing the "connected" industrial site without hindering operational efficiency.
## Industry Reactions
- **Analyst Opinions:** Analysts suggest this "rebound" in malware stats is a result of attackers realizing that OT environments often have weaker endpoint protection than their IT counterparts.
- **Expert Commentary:** "The 'Air Gap' is a myth that is finally being dispelled by hard data," notes one independent OT security researcher.
## Future Outlook
- **Predictions:** Expect a wave of "OT-specific" secure browser launches and enhanced email gateway integrations designed specifically for air-gapped-lite environments.
- **What to watch for:** Increased regulatory scrutiny (such as NIS2 in Europe or TSA mandates in the US) regarding how industrial firms manage internet access on the factory floor.
## For Security Professionals
Practitioners should immediately audit ICS workstations for unnecessary internet access, enforce an explicit egress allowlist (vendor update mirrors, the corporate proxy, nothing else), and ensure that email clients are either removed or strictly sandboxed on any machine with a network connection to the industrial control network. The rise in email-based threats suggests that "OT-friendly" phishing simulations are now a necessity, not an elective.
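The egress-filtering gap described under Technical Implications and the audit recommended above can be checked with the firewall or flow logs a site already has. The script below is an added example, not code from the Kaspersky report or any vendor product: it scans constructed syslog-style firewall records (the line format, the OT address ranges 10.20.0.0/16 and 192.168.50.0/24, and the allowlisted vendor mirror 203.0.113.10 and proxy 10.10.5.5 are all hypothetical) and reports every OT host that was allowed to open an outbound TCP 80/443 connection to a non-RFC1918 address that is not on the allowlist. Those hosts are the ones that could reach a C2 server today.

```python
"""Flag OT hosts that can reach arbitrary internet addresses on web ports.

Added example (not from the original report). Input is a list of firewall
log lines in a hypothetical format:
    <timestamp> <fw-name> ACCEPT|DROP proto=<PROTO> src=<ip>:<port> dst=<ip>:<port>
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: OT/ICS address space for this site (hypothetical ranges).
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("192.168.50.0/24")]

# RFC1918 space: anything outside it is treated as "the internet".
# (Explicit list rather than IPv4Address.is_global, because the
# documentation ranges used as sample public IPs below are not "global".)
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("172.16.0.0/12"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Assumption: the only destinations an OT host may legitimately reach
# on 80/443 (hypothetical vendor patch mirror and corporate proxy).
EGRESS_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32"),
                    ipaddress.ip_network("10.10.5.5/32")]

WEB_PORTS = {80, 443}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log: one OT workstation (10.20.3.14) talks Modbus to a
# PLC, reaches the allowlisted mirror, then an unknown public host on 443/80.
# 10.10.40.9 is an IT host and is out of scope; 10.20.7.2 is DROPped / UDP only.
SAMPLE_LOG = """\
2025-05-15T08:01:02Z fw1 ACCEPT proto=TCP src=10.20.3.14:51022 dst=10.20.1.5:502
2025-05-15T08:01:09Z fw1 ACCEPT proto=TCP src=10.20.3.14:51030 dst=203.0.113.10:443
2025-05-15T08:02:41Z fw1 ACCEPT proto=TCP src=10.20.3.14:51044 dst=198.51.100.77:443
2025-05-15T08:02:42Z fw1 ACCEPT proto=TCP src=10.20.3.14:51045 dst=198.51.100.77:80
2025-05-15T08:03:10Z fw1 DROP proto=TCP src=10.20.7.2:40011 dst=192.0.2.25:443
2025-05-15T08:03:15Z fw1 ACCEPT proto=UDP src=10.20.7.2:40012 dst=192.0.2.25:443
2025-05-15T08:04:00Z fw1 ACCEPT proto=TCP src=10.10.40.9:33001 dst=192.0.2.25:443
2025-05-15T08:04:31Z fw1 ACCEPT proto=TCP src=192.168.50.21:49155 dst=192.0.2.25:443
this line is not a firewall record
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def _in_any(ip, networks):
    ip = ipaddress.ip_address(str(ip))
    return any(ip in net for net in networks)


def is_ot_host(ip):
    return _in_any(ip, OT_NETWORKS)


def is_internet_dst(ip):
    return not _in_any(ip, INTERNAL_NETWORKS)


def find_unexpected_egress(lines):
    """Return {ot_src_ip: sorted ['dst:port', ...]} for ACCEPTed TCP 80/443
    flows from OT hosts to non-allowlisted internet addresses."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if not is_ot_host(rec["src"]) or rec["dport"] not in WEB_PORTS:
            continue
        dst = rec["dst"]
        if not is_internet_dst(dst) or _in_any(dst, EGRESS_ALLOWLIST):
            continue  # internal traffic or an approved destination
        hits[str(rec["src"])].add(f"{dst}:{rec['dport']}")
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_unexpected_egress(SAMPLE_LOG.splitlines()).items():
        print(f"OT host {src} reached the internet on web ports: {', '.join(dsts)}")
```

Run it against real firewall exports by replacing `SAMPLE_LOG` and adjusting `LOG_RE` to the vendor's format; every host it prints either needs a firewall rule restricting it to the allowlist or a documented business reason for the access. The allowlist is deliberately a list of destinations rather than ports, because blocking "unusual" ports does nothing against C2 that rides on 443.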