The percentage of ICS computers on which denylisted internet resources were blocked increased in all regions. This growth is associated with the addition of direct links to malicious code hosted on popular public websites and file services.
# Industry News: Rising Cyber Threats to Industrial Control Systems via Public Web Infrastructure
## Summary
The Q2 2025 landscape for Industrial Control Systems (ICS) shows a global increase in the blocking of denylisted internet resources across all monitored regions. This trend is driven by threat actors weaponizing legitimate public websites and file-sharing services to host and distribute malicious code directly to OT (Operational Technology) environments.
## Key Details
- **Date:** September 11, 2025
- **Companies Involved:** Kaspersky ICS CERT (Primary Rapporteur), Global Industrial Enterprises
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
The latest research from Kaspersky ICS CERT reveals a shift in the tactics of adversaries targeting industrial automation systems. Where earlier threats often relied on specialized delivery vectors or lateral movement, Q2 2025 data indicates an aggressive turn toward "living off trusted sites": delivering malicious code through the public web.
The percentage of ICS computers encountering blocked malicious resources rose in every monitored region. This growth is attributed to attackers placing direct links to malicious code on popular public websites and cloud file services. Because these domains carry a high reputation, attackers bypass traditional perimeter defenses and exploit the web access that modern, integrated industrial workstations require for updates and reporting.
## Business Impact
### For the Companies Involved
- **Kaspersky:** Reaffirms their position as a dominant provider of OT-specific threat intelligence, potentially driving sales for their industrial security suite as global risk levels rise.
### For Competitors
- **Strategic Shift:** Competitors like Claroty, Dragos, and Nozomi Networks may need to enhance their web-filtering and Content Disarm and Reconstruction (CDR) capabilities to keep pace in detecting threats hosted on trusted public infrastructure.
### For Customers
- **Increased Risk & Cost:** Industrial operators face a higher risk of downtime. Businesses must now invest in more granular web filtering and outbound traffic inspection, moving beyond simple IP denylisting.
### For the Market
- **Convergence Risks:** The data highlights the "price" of IT/OT convergence; as industrial systems gain more internet connectivity for efficiency, the attack surface expands into the common public web.
## Technical Implications
- **Abuse of Trusted Domains:** Attackers are using legitimate SaaS and CDN (Content Delivery Network) infrastructure to host payloads, making domain-based filtering less effective.
- **Protocol Shifts:** Increased reliance on HTTPS for malicious delivery necessitates SSL/TLS inspection within OT environments, a complex technical challenge for legacy industrial networks.
## Strategic Analysis
- **Market Positioning:** Security vendors are moving from "Passive Monitoring" toward "Active Prevention" and "Web Security for OT."
- **Competitive Advantage:** Firms capable of providing low-latency, deep-packet inspection and advanced URL filtering without disrupting sensitive industrial protocols will lead the market.
- **Challenges:** The primary obstacle is the inherent fragility of ICS environments; aggressive blocking of web resources can inadvertently disrupt critical industrial updates or cloud-based predictive maintenance services.
## Industry Reactions
- **Analyst Opinions:** Market analysts note that the era of the "air-gapped" system is effectively over for most sectors, as evidenced by the rise in web-based attack vectors.
- **Market Response:** There is a growing demand for Integrated SASE (Secure Access Service Edge) solutions tailored specifically for industrial sites.
## Future Outlook
- **Predictions:** Expect a continued rise in "Living Off Trusted Sites" (LOTS) attacks. Threat actors will likely start using AI to automate the creation of malicious links on dynamic public platforms.
- **What to watch for:** Regulatory bodies (like CISA or ENISA) may release new mandates regarding web access protocols for critical infrastructure in response to this trend.
## For Security Professionals
Practitioners should revisit their external-communications policies for ICS workstations. It is no longer sufficient to allow "trusted" public domains wholesale; zero-trust principles must be applied to outbound web traffic. Implementing robust endpoint protection that can identify malicious behavior even when the payload originates from a legitimate file service is now a strategic necessity for the plant floor.
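To make the outbound-policy point concrete, here is an added example (not code from the Kaspersky report) that evaluates constructed proxy log lines twice: once as a host-only allow list would, and once with a policy that also checks the URL path and the served content type. The host names, path prefixes, IP addresses and log format are all constructed assumptions.

```python
"""Host-only vs. granular outbound web policy for ICS workstations (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed policy: each allow-listed host may only be reached under these path prefixes.
ALLOWED = {
    "updates.vendor.example": ("/firmware/", "/patches/"),   # vendor update portal
    "files.share.example": ("/reports/plant-a/",),           # public file service used for reporting
}
# Content types and extensions that must not arrive from a trusted host outside an allowed path.
RISKY_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/x-msi",
               "application/octet-stream", "application/javascript"}
RISKY_EXT = (".exe", ".dll", ".msi", ".scr", ".js", ".vbs", ".ps1", ".hta")

# Constructed proxy log: <timestamp> <client_ip> <method> <url> <status> <content-type>
SAMPLE_LOG = [
    "2025-06-03T08:12:41Z 10.20.1.15 GET https://updates.vendor.example/patches/hmi-2.3.1.msi 200 application/x-msi",
    "2025-06-03T08:14:02Z 10.20.1.15 GET https://files.share.example/u/9f3a1c/invoice_q2.exe 200 application/x-msdownload",
    "2025-06-03T08:15:10Z 10.20.1.22 GET https://files.share.example/reports/plant-a/june.pdf 200 application/pdf",
    "2025-06-03T08:16:33Z 10.20.1.22 GET https://cdn.unknown.example/lib.js 200 application/javascript",
]


@dataclass
class Verdict:
    url: str
    host_policy: str       # decision of a host-only allow list
    granular_policy: str   # decision once path and content type are considered
    reason: str


def host_only(host: str) -> str:
    """A host-level allow list: anything on a trusted domain passes."""
    return "allow" if host in ALLOWED else "block"


def granular(host: str, path: str, ctype: str) -> tuple:
    """Trusted host is necessary but not sufficient: the path and payload type must also be permitted."""
    if host not in ALLOWED:
        return "block", "host not allow-listed"
    if not any(path.startswith(prefix) for prefix in ALLOWED[host]):
        if ctype in RISKY_TYPES or path.lower().endswith(RISKY_EXT):
            return "block", "executable content outside allow-listed path on trusted host"
        return "block", "path not allow-listed on trusted host"
    return "allow", "host and path allow-listed"


def evaluate(log_lines: list) -> list:
    """Return one Verdict per log line, showing where the two policies disagree."""
    verdicts = []
    for line in log_lines:
        _ts, _ip, _method, url, _status, ctype = line.split()
        parsed = urlparse(url)
        decision, why = granular(parsed.hostname, parsed.path, ctype)
        verdicts.append(Verdict(url, host_only(parsed.hostname), decision, why))
    return verdicts
```

The second log line is the case the report describes: a trusted file-sharing host passes the host-only check, and only the path- and content-aware policy blocks the executable download.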