Threat Landscape For Industrial Automation Systems in Q1 2025

Summary:
In the first quarter of 2025, the threat landscape for industrial automation systems was broadly stable, with some notable shifts in regional threat levels and malware tactics. The percentage of industrial control system (ICS) computers on which malicious objects were blocked held at 21.9%, unchanged from Q4 2024. This is the lowest Q1 value in four years and continues a slow year-over-year decline.

Key Findings​

  • Biometrics Sector: This was the only OT infrastructure type tracked in the report where the share of ICS computers with blocked malicious objects increased this quarter.
  • Regional Impact:
    • Northern Europe had the lowest share of ICS computers with blocked malicious objects (10.7%),
    • Africa had the highest (29.6%).
  • Increased Email and Internet Threats: After declining in 2023, threats delivered via the internet and email rose again. Malicious scripts, phishing pages, and malicious documents were the main contributors.
  • Malware Categories:
    • Malicious scripts and phishing pages remain the leading category of blocked objects.
    • Spyware detections declined slightly but remain at a high level, and they correlate strongly with phishing delivery.
    • Cryptominers saw a notable increase: detections of web (browser-based) miners were up 1.4x from the previous quarter.
    • Ransomware detections decreased slightly.
  • AutoCAD Malware: Remains minimal and continues to decline.
  • Self-Propagating Malware (worms/viruses): Also showed a small decline this quarter.

Security Officer Comments:
Think of ICS networks as a factory brain, controlling everything from lights to machines. This report shows that attackers keep probing those brains daily, mostly through internet connections and fake emails. The total volume of attacks is not rising, but some regions, Africa in particular, are hit harder than others. Attackers are also leaning on subtler methods: malware hidden behind fake web sites, and software that looks legitimate but steals data. Cryptominers, which hijack a machine's CPU to generate cryptocurrency for the attacker, are becoming widespread again. And while things look calm on the surface, attackers are constantly scanning for weaknesses such as outdated software and industrial equipment that is exposed to the internet when it should not be. So even small hardening steps matter.

Suggested Corrections:

  • Limit internet and email exposure in OT networks: block services the process does not need, such as messengers, cloud storage and CDNs.
  • Implement strict policies for removable media to avoid malware spread via USBs and portable drives.
  • Harden industrial systems by segmenting networks and applying necessary security patches and updates.
  • Block cloud services not required for operations to reduce abuse of trusted platforms for malware delivery.
  • Enhance phishing defenses and user training to reduce risks from email-borne malware.
  • Monitor for miners and spyware using endpoint detection tools tailored for ICS environments.
  • Update denylist/blocking tools, but don’t rely solely on them — attackers now hide malware in trusted services.
  • Regularly audit your systems to check for early signs of infection and lateral movement.
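Several of the corrections above reduce to the same control: an egress allowlist at the OT boundary, plus a periodic review of what actually crossed it, including the service categories the report calls out and the mining-protocol traffic that web and pool miners produce. As an added example (not tooling from the report or from Kaspersky), the following Python script reviews constructed proxy/firewall log lines against a hypothetical allowlist, flags messenger, CDN and cloud-storage destinations, and looks for Stratum mining-protocol evidence. The log format, host names, allowlist and category patterns are all assumptions made for the example.

```python
"""Egress review for an OT boundary, run over constructed proxy/firewall logs.

Added example, not the report's own tooling. It assumes a tab-separated log
with timestamp, source host, destination host, destination port and (when a
proxy can see it) the first request line. The allowlist, host names and
category patterns below are hypothetical.
"""
from dataclasses import dataclass
import re

# Hypothetical egress allowlist: the only external destinations OT hosts may reach.
ALLOWED_DESTINATIONS = {
    "patches.vendor.example",    # vendor patch server (assumed)
    "historian-cloud.example",   # cloud historian used by operations (assumed)
}

# Service categories the report suggests blocking. Patterns are illustrative
# label matches, not a complete inventory of any service.
BLOCKED_CATEGORIES = {
    "messenger": (r"\bteams\.", r"\btelegram\.", r"\bweb\.whatsapp\."),
    "cdn": (r"\.cdn\.", r"cloudfront\.net$", r"akamaihd\.net$"),
    "cloud-storage": (r"\bdrive\.", r"\bdropbox\.", r"\bonedrive\."),
}

# Stratum is the JSON-RPC protocol pool miners speak. The ports are merely
# conventional (a hint); a Stratum method name in the payload is strong evidence.
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 14444}
STRATUM_MARKERS = ("mining.subscribe", "mining.authorize", "stratum+tcp")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    verdict: str  # allowed | block:<category> | miner | miner? | unlisted
    reason: str


def parse_line(line: str) -> tuple[str, str, str, int, str]:
    """Split one log line into (timestamp, src, dst, port, payload); payload is optional."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) < 4:
        raise ValueError(f"malformed log line: {line!r}")
    ts, src, dst, port = parts[:4]
    payload = parts[4] if len(parts) == 5 else ""
    return ts, src, dst, int(port), payload


def assess(src: str, dst: str, port: int, payload: str) -> Finding:
    """Classify one connection. Protocol evidence is checked before the allowlist:
    even a permitted destination must never carry Stratum traffic."""
    if any(marker in payload for marker in STRATUM_MARKERS):
        return Finding(src, dst, "miner", "Stratum method in request payload")
    if dst in ALLOWED_DESTINATIONS:
        return Finding(src, dst, "allowed", "destination on egress allowlist")
    for category, patterns in BLOCKED_CATEGORIES.items():
        if any(re.search(p, dst) for p in patterns):
            return Finding(src, dst, f"block:{category}", f"matches {category} pattern")
    if port in STRATUM_PORTS:
        return Finding(src, dst, "miner?", f"unlisted host on common pool port {port}")
    return Finding(src, dst, "unlisted", "not on allowlist; default-deny should have dropped it")


def review(log_text: str) -> list[Finding]:
    """Assess every non-empty line of a log."""
    return [assess(*parse_line(ln)[1:]) for ln in log_text.splitlines() if ln.strip()]


def hosts_needing_action(findings: list[Finding]) -> list[str]:
    """Source hosts with at least one non-allowed connection, sorted."""
    return sorted({f.src for f in findings if f.verdict != "allowed"})


# Constructed sample log: 203.0.113.9 is from the documentation address range.
SAMPLE_LOG = "\n".join([
    "2025-03-12T08:14:02Z\thmi-01\tpatches.vendor.example\t443\tCONNECT patches.vendor.example:443",
    "2025-03-12T08:15:40Z\teng-ws-03\tweb.whatsapp.com\t443\tCONNECT web.whatsapp.com:443",
    "2025-03-12T08:16:11Z\thmi-02\t203.0.113.9\t4444\t{\"id\":1,\"method\":\"mining.subscribe\",\"params\":[]}",
    "2025-03-12T08:17:55Z\tplc-gw\thistorian-cloud.example\t443\tPOST /ingest",
    "2025-03-12T08:18:30Z\teng-ws-03\tfiles.cdn.example\t443\tGET /pkg.zip",
    "2025-03-12T08:19:02Z\teng-ws-03\tupdates.unknown.example\t443\tGET /",
])

if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for f in findings:
        print(f"{f.src:<10} {f.dst:<26} {f.verdict:<16} {f.reason}")
    print("hosts to investigate:", hosts_needing_action(findings))
```

A port-only match is a hint to investigate, not a verdict; the payload match is the one to act on. The script is a review aid for confirming that the boundary really enforces default-deny (every "unlisted" line is a rule gap), not a substitute for enforcing it in the firewall or proxy.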

Overall, while ICS threat levels are not spiking, attackers' shift toward smarter techniques, especially social engineering and the abuse of common internet services, means that vigilance, network segmentation, and specialized industrial cybersecurity tools are more important than ever.

Link(s):
https://securelist.com/industrial-threat-report-q1-2025/116505/