A segmentation of attacked ICS computers into categories based on the malware blocked and its sources of entry, which helps to understand the ICS threat landscape better and to identify the factors that affect it.
# Industry News: Kaspersky Analysis Reveals Shifting Vectors in ICS Threat Landscape
## Summary
Kaspersky’s ICS CERT has released a comprehensive segmentation of malware attacks on Industrial Control Systems (ICS) for Q2 2025, detailing the sources and categories of blocked threats. The report highlights a critical shift in how industrial environments are compromised, moving from broad internet-based attacks to more targeted, multi-vector internal incursions.
## Key Details
- **Date:** September 10, 2025
- **Companies Involved:** Kaspersky (ICS CERT)
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
The latest report from Kaspersky ICS CERT provides a granular breakdown of the threats facing industrial computers globally. Rather than treating all "blocked attacks" as equal, the report segments threats based on their entry points—such as the internet, email clients, and removable media—and the specific malware types (e.g., miners, ransomware, spyware).
The Q2 2025 data suggests that while perimeter defenses remain vital, there is an increasing trend of "internal spillover," where malware enters the ICS network via employee devices and compromised supply chain software. The segmentation identifies that a significant percentage of ICS computers are now encountering threats traditionally associated with IT environments, signaling a further blurring of the line between IT and OT (Operational Technology).
## Business Impact
### For the Companies Involved
- **Kaspersky:** Reinforces its position as a dominant thought leader in the OT security space. This data-driven approach strengthens their value proposition for their specialized Industrial CyberSecurity (KICS) product line.
### For Competitors
- **Competitive Pressure:** Firms like Dragos, Nozomi Networks, and Claroty must match this level of granular telemetry to justify their premium positioning. The report highlights that "general" security is no longer sufficient for industrial clients.
### For Customers
- **Investment Reallocation:** Customers are likely to shift budgets from simple perimeter firewalls toward internal network segmentation and endpoint protection specifically tuned for industrial protocols.
- **Risk Management:** Provides CISOs with the empirical data needed to justify security spending to boards of directors by categorizing specific business risks (e.g., productivity loss from miners vs. data theft from spyware).
### For the Market
- **Growth in Managed Services:** The complexity of the findings suggests a growing need for Managed Detection and Response (MDR) services tailored specifically for ICS, as internal teams struggle to interpret these diverse threat vectors.
## Technical Implications
The report highlights a sophisticated diversification of malware. Notable is the rise in "dual-use" tools: legitimate administrative software repurposed for lateral movement across the factory floor. This necessitates a move toward behavioral analytics rather than relying solely on signature-based detection.
## Strategic Analysis
- **Market Positioning:** Kaspersky is pivoting from a service provider to a strategic intelligence partner, focusing on the "Total Cost of Ownership" of an attack.
- **Competitive Advantage:** Access to global telemetry across diverse industrial sectors (energy, manufacturing, oil & gas) provides a data moat that niche competitors find difficult to replicate.
- **Challenges:** Geopolitical tensions continue to challenge the adoption of Russian-linked security research in certain Western government sectors, despite the technical depth of the reporting.
## Industry Reactions
- **Analyst Opinions:** Market analysts view this segmentation as a necessary evolution in OT security, moving away from "fear-based" marketing to "evidence-based" risk modeling.
- **Market Response:** There is a noted increase in demand for "Air-Gap" validation services as customers realize their isolated networks are more porous than previously thought.
## Future Outlook
- **Predictions:** Expect a "Security by Design" mandate to gain traction in the industrial machinery market, where OEMs will be pressured to integrate the types of protections identified in this report directly into the hardware.
- **What to Watch for:** The integration of AI-driven threat hunting that can automatically correlate the disparate entry points (Email + USB + Web) identified in this report.
## For Security Professionals
Practitioners should use this report to audit their "Internal Entry Points." The data shows that blocking the internet is insufficient; security professionals must prioritize the sanitization of removable media (USB) and the hardening of engineering workstations, which the report identifies as high-risk bridges between IT and OT zones.
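As an added example that is not part of Kaspersky's report or of this article, the script below reproduces the kind of segmentation described in the story (share of ICS computers per entry vector and per malware category, each host counted once no matter how many blocks it produced) on constructed telemetry, and then pulls out the internal-entry hosts and the IT/OT "bridge" hosts that the practitioner advice above says to audit first. Host names, vector labels, the fleet size and the event tuples are all assumptions.

```python
from collections import defaultdict

# Constructed sample of blocked-threat events from an ICS fleet; not Kaspersky telemetry.
# Each tuple is (host_id, entry_vector, malware_category).
SAMPLE_EVENTS = [
    ("eng-ws-01", "internet", "miner"),
    ("eng-ws-01", "removable_media", "spyware"),
    ("hmi-02", "email_client", "spyware"),
    ("hmi-02", "email_client", "ransomware"),
    ("plc-gw-03", "removable_media", "spyware"),
    ("scada-04", "internet", "miner"),
    ("scada-04", "internet", "miner"),  # repeated block on the same host counts once
    ("hist-05", "network_share", "dual_use_tool"),
]
FLEET_SIZE = 10  # constructed: total monitored ICS computers, attacked or not
INTERNAL_VECTORS = {"removable_media", "email_client", "network_share"}


def hosts_by(events, field):
    """Map each value of `field` (1 = entry vector, 2 = malware category)
    to the set of distinct hosts on which such a block occurred."""
    groups = defaultdict(set)
    for event in events:
        groups[event[field]].add(event[0])
    return groups


def share_of_computers(events, field, fleet_size):
    """Percentage of ICS computers per vector or category, counting a host once
    regardless of how many blocks it produced (the 'attacked computers' metric)."""
    return {k: round(100.0 * len(v) / fleet_size, 1)
            for k, v in hosts_by(events, field).items()}


def internal_entry_hosts(events):
    """Hosts where malware arrived through an internal vector: the
    'internal entry points' a practitioner should audit first."""
    return sorted({h for h, vec, _ in events if vec in INTERNAL_VECTORS})


def bridge_hosts(events):
    """Hosts hit both from the internet and via an internal vector; these
    act as IT/OT bridges and are the first candidates for hardening."""
    by_vector = hosts_by(events, 1)
    internal = set().union(*(by_vector.get(v, set()) for v in INTERNAL_VECTORS))
    return sorted(by_vector.get("internet", set()) & internal)


if __name__ == "__main__":
    print("by vector:   ", share_of_computers(SAMPLE_EVENTS, 1, FLEET_SIZE))
    print("by category: ", share_of_computers(SAMPLE_EVENTS, 2, FLEET_SIZE))
    print("internal entry hosts:", internal_entry_hosts(SAMPLE_EVENTS))
    print("IT/OT bridge hosts:  ", bridge_hosts(SAMPLE_EVENTS))
```

On real data, replace `SAMPLE_EVENTS` with blocked-detection records exported from the endpoint product and set `FLEET_SIZE` to the number of monitored hosts, since dividing by attacked hosts only would inflate every share.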