> In the second quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.9 pp from the previous quarter to 23.5%. Compared to the second quarter of 2023, the percentage decreased by 3.3 pp.
# Industry News: ICS Threat Landscape Sees Incremental Decline in Attack Surface
## Summary
Kaspersky ICS CERT’s Q2 2024 report indicates a marginal decrease in the percentage of Industrial Control Systems (ICS) computers targeted by malicious objects, dropping to 23.5%. This represents a 0.9 percentage point decrease from Q1 2024 and a more significant 3.3 percentage point drop year-over-year, suggesting a shift in attacker behavior or improved baseline defenses.
## Key Details
- **Date:** September 26, 2024 (Reporting on Q2 2024 data)
- **Companies Involved:** Kaspersky (Primary Research), Global Industrial Enterprises
- **Category:** Market Analysis / Threat Intelligence
## The Story
The report provides a deep dive into the security posture of industrial automation systems globally. While the overall percentage of blocked malicious objects is trending downward (23.5% in Q2 2024), the data reveals a complex regional tapestry. Africa remains the region with the highest percentage of targeted ICS computers (30%), while Northern Europe remains the lowest (7.3%).
The primary vectors for these threats continue to be the internet (threats blocked on 14.2% of ICS computers) and email clients (3.3%). Interestingly, while automated malware "noise" is decreasing, the sophistication of targeted attacks against critical infrastructure remains a persistent concern for operators in the energy, manufacturing, and oil & gas sectors.
## Business Impact
### For the Companies Involved
- **Kaspersky:** Reaffirms its position as a dominant thought leader in the ICS/OT (Operational Technology) space, leveraging its global telemetry to provide benchmark data for industrial conglomerates.
### For Competitors
- **OT Security Providers (e.g., Dragos, Nozomi, Claroty):** The data suggests that "commodity" malware is being blocked more effectively, forcing competitors to shift their marketing and R&D focus toward "living-off-the-land" (LotL) attacks and insider threats rather than high-volume malware prevention.
### For Customers
- **Reduced "Noise":** Asset owners may see a decrease in low-level security alerts, allowing SOC teams to focus on more complex, persistent threats.
- **Investment Justification:** The downward trend provides a metric for CISOs to demonstrate that existing security controls (patching, network segmentation, and endpoint protection) are successfully reducing the attack surface.
### For the Market
- **Security Maturity:** The year-over-year decline suggests an increasing level of maturity in OT security deployments across the mid-market, as basic protections become more standardized.
## Technical Implications
The decline in blocked objects does not necessarily equate to a safer environment; rather, it indicates a refined threat landscape. Attackers are increasingly moving away from easily detectable malicious files toward script-based attacks and the exploitation of legitimate administrative tools. The persistence of internet-borne threats (14.2%) highlights that the "Air Gap" remains a myth for modern, interconnected industrial environments.
## Strategic Analysis
- **Market Positioning:** Kaspersky continues to utilize its ICS CERT branch to maintain relevance in Western markets despite ongoing geopolitical tensions, positioning itself as a technical essentialist for industrial telemetry.
- **Competitive Advantage:** Real-time visibility into global PLC and HMI environments allows for faster signature updates and proactive threat hunting.
- **Challenges:** The reliance on blocked-object statistics as a primary metric can be misleading; it may mask more dangerous, low-and-slow exfiltration attempts that do not use "malicious objects" in the traditional sense.
## Industry Reactions
- **Analyst Opinions:** Analysts generally view the 3.3 percentage point YoY decrease as a sign of successful digital transformation and "security by design" initiatives at the OEM level.
- **Expert Commentary:** OT security experts warn against complacency, noting that as commodity malware declines, the risk of state-sponsored "zero-day" exploits remains at an all-time high.
## Future Outlook
- **Predictions:** Expect a continued plateau or slight decline in commodity malware encounters as industrial networks become more segregated.
- **What to watch for:** A potential surge in attacks targeting the "Industrial AI" supply chain and the integration of edge computing devices in the late 2024 and 2025 reporting cycles.
## For Security Professionals
Practitioners should use this report to benchmark their own internal telemetry. If your internal "blocked object" rate is significantly higher than 23.5%, it may indicate poor web filtering or unsecured email policies within the OT environment. Focus should shift from "volume of blocks" to the "source of entry," with a specific emphasis on securing remote access points and hardening internet-facing ICS assets.
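One way to run the benchmark described above, as an added example that is not part of the report or of the original article: it computes the host-based rate (the share of monitored ICS computers on which at least one object was blocked, overall and per entry vector, which is how the report's headline figure is defined) from constructed sample telemetry, shows why counting events instead of hosts inflates the number, and flags any vector that exceeds the quoted benchmark. The host names, fleet size and the 5 pp tolerance are assumptions.

```python
"""Benchmark an OT fleet's blocked-object rate against the Q2 2024 ICS CERT figures."""
from collections import defaultdict

# Percentages quoted in the report: share of ICS computers on which malicious
# objects were blocked during the quarter, overall and by entry vector.
BENCHMARK_PCT = {"overall": 23.5, "internet": 14.2, "email": 3.3}

# Constructed sample telemetry (hypothetical hosts): (host, detection source).
SAMPLE_EVENTS = [
    ("hmi-01", "internet"), ("hmi-01", "internet"), ("hmi-01", "internet"),
    ("eng-ws-02", "email"), ("eng-ws-02", "internet"),
    ("hist-01", "internet"),
    ("ot-ws-03", "email"),
]
SAMPLE_FLEET_SIZE = 20  # all monitored ICS hosts, including those with no blocks


def naive_event_rate(events, fleet_size):
    """The wrong metric: blocked events per host, which one chatty HMI inflates."""
    return 100.0 * len(events) / fleet_size


def blocked_host_rates(events, fleet_size):
    """Percentage of hosts with at least one block, overall and per vector.

    Each host is counted once per vector and once overall, matching the
    report's definition, so repeated blocks on one host do not skew the rate.
    """
    if fleet_size <= 0:
        raise ValueError("fleet_size must be positive")
    hosts_by_vector = defaultdict(set)
    all_hosts = set()
    for host, vector in events:
        hosts_by_vector[vector].add(host)
        all_hosts.add(host)
    rates = {"overall": 100.0 * len(all_hosts) / fleet_size}
    for vector, hosts in hosts_by_vector.items():
        rates[vector] = 100.0 * len(hosts) / fleet_size
    return rates


def compare_to_benchmark(rates, benchmark=BENCHMARK_PCT, tolerance_pp=5.0):
    """Return {key: (delta in pp, flagged)}; flagged when the internal rate
    exceeds the benchmark by more than tolerance_pp (an assumed threshold)."""
    findings = {}
    for key, bench in benchmark.items():
        delta = round(rates.get(key, 0.0) - bench, 1)
        findings[key] = (delta, delta > tolerance_pp)
    return findings


if __name__ == "__main__":
    fleet = blocked_host_rates(SAMPLE_EVENTS, SAMPLE_FLEET_SIZE)
    print("event-based (misleading):", naive_event_rate(SAMPLE_EVENTS, SAMPLE_FLEET_SIZE))
    print("host-based:", fleet, "findings:", compare_to_benchmark(fleet))
```

On the sample data the email vector is the only one flagged, which is the kind of "source of entry" signal the section above recommends acting on.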