This quarter, the percentage of ICS computers on which worms were blocked increased noticeably in the region.
# Industry News: Escalation of Worm Infections in Industrial Control Systems (Q4 2025)
## Summary
The Kaspersky ICS CERT report for Q4 2025 reveals a significant uptick in worm-based threats targeting Industrial Control Systems (ICS) computers in Russia. This trend indicates a shift toward self-propagating malware within critical infrastructure, highlighting vulnerabilities in internal network segmentation and removable media policies.
## Key Details
- **Date:** April 23, 2026 (Report Release); Q4 2025 (Data Period)
- **Companies Involved:** Kaspersky (Primary Researcher), various industrial entities in the Russian region.
- **Category:** Market Analysis / Threat Intelligence
## The Story
During the final quarter of 2025, Kaspersky ICS CERT observed a marked increase in the percentage of industrial computers encountering worms. While general malware trends often fluctuate, the specific rise in worms is concerning due to their ability to spread autonomously across isolated networks. These threats typically gain initial entry through infected USB drives or unsecured bridges between IT and OT (Operational Technology) environments. Once inside, they leverage legacy protocols—common in industrial settings—to move laterally, potentially disrupting manufacturing processes, energy distribution, and automated assembly lines.
## Business Impact
### For the Companies Involved
- **Kaspersky:** Reaffirms its position as a dominant leader in OT security intelligence, particularly in the Eastern European and Russian markets.
- **Industrial Operators:** Face increased operational risk and potential downtime, necessitating immediate audits of air-gapped systems and "sneakernet" hygiene.
### For Competitors
- **Global Cybersecurity Vendors:** Competitors specializing in OT (such as Dragos, Nozomi, or Claroty) must pivot their threat detection signatures to account for the specific worm variants identified in this regional spike.
### For Customers
- **End-Users (Industrial Firms):** Must brace for increased capital expenditure (CapEx) toward network monitoring tools and employee training to mitigate the risk of physical infection via hardware.
### For the Market
- **Insurance & Compliance:** The rise in worm propagation may lead to stricter "due diligence" requirements from cyber insurance providers for industrial firms, specifically regarding lateral movement protections.
## Technical Implications
The resurgence of worms suggests that older exploitation methods (like SMB vulnerabilities or AutoRun features) remain effective in OT environments where patching cycles are infrequent. The technical focus is shifting from "perimeter defense" to "lateral movement containment."
## Strategic Analysis
- **Market Positioning:** Kaspersky leverages this data to drive adoption of its KICS (Kaspersky Industrial CyberSecurity) suite, positioning it as an essential layer for "hard-to-patch" infrastructure.
- **Competitive Advantage:** Real-time visibility into Russian industrial sectors remains a unique data source for Kaspersky, providing a distinct longitudinal view of threat evolution.
- **Challenges:** Ongoing geopolitical tensions may limit the global adoption of these findings, despite their technical relevance to industrial operators worldwide.
## Industry Reactions
- **Analyst Opinions:** Analysts note that the "worm" trend often correlates with a rise in industrial espionage or "wiper" malware disguised as common infections.
- **Expert Commentary:** Security experts suggest that the increase may be linked to weakened supply chain security or the use of unauthorized personal devices in secure zones.
## Future Outlook
- **Predictions:** Expect a corresponding rise in "living-off-the-land" (LotL) techniques where worms use legitimate administrative tools to bypass traditional antivirus.
- **What to watch for:** Whether this regional spike spreads to Western European or Asian industrial hubs in the first half of 2026.
## For Security Professionals
Practitioners should prioritize the following:
1. **USB Lockdown:** Implement strict controls on removable media in industrial zones.
2. **Micro-segmentation:** Re-evaluate VLANs and firewall rules between different levels of the Purdue Model.
3. **Behavioral Monitoring:** Move beyond signature-based detection, as industrial worms are increasingly being customized to avoid standard blacklists.
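As an added example of the behavioral monitoring in item 3, tied to the AutoRun and SMB entry paths named under Technical Implications (this is illustrative code, not from the Kaspersky report; the Sysmon-style field names and all sample records are constructed):

```python
"""Flag two worm-like behaviours in constructed Sysmon-style log records:
(1) autorun.inf written to a removable drive (USB-borne spread) and
(2) one host opening SMB (tcp/445) connections to many distinct peers in a
short window (lateral scanning). Field names and records are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). Sysmon IDs: 11 = FileCreate, 3 = NetworkConnect.
EVENTS = [
    {"ts": "2025-11-03T08:00:01", "host": "HMI-02", "id": 11, "path": "E:\\autorun.inf", "removable": True},
    {"ts": "2025-11-03T08:00:02", "host": "HMI-02", "id": 11, "path": "E:\\report.pdf", "removable": True},
    {"ts": "2025-11-03T08:00:03", "host": "ENG-01", "id": 11, "path": "C:\\Temp\\autorun.inf", "removable": False},
    {"ts": "2025-11-03T08:00:05", "host": "HMI-02", "id": 3, "dst": "10.10.5.11", "port": 445},
    {"ts": "2025-11-03T08:00:07", "host": "HMI-02", "id": 3, "dst": "10.10.5.12", "port": 445},
    {"ts": "2025-11-03T08:00:09", "host": "HMI-02", "id": 3, "dst": "10.10.5.13", "port": 445},
    {"ts": "2025-11-03T08:00:11", "host": "HMI-02", "id": 3, "dst": "10.10.5.14", "port": 445},
    {"ts": "2025-11-03T08:00:13", "host": "HMI-02", "id": 3, "dst": "10.10.5.15", "port": 445},
    {"ts": "2025-11-03T08:00:15", "host": "ENG-01", "id": 3, "dst": "10.10.5.50", "port": 445},  # normal file-server use
    {"ts": "2025-11-03T08:05:00", "host": "ENG-01", "id": 3, "dst": "10.10.5.51", "port": 445},
]

SMB_FANOUT_THRESHOLD = 5   # distinct peers on tcp/445 ...
WINDOW_SECONDS = 60        # ... within this many seconds from one host


def autorun_on_removable(events):
    """Return (host, path) for every autorun.inf created on removable media."""
    return [(e["host"], e["path"]) for e in events
            if e["id"] == 11 and e.get("removable") and e["path"].lower().endswith("autorun.inf")]


def smb_fanout(events, threshold=SMB_FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {host: peer_count} for hosts reaching >= threshold distinct SMB peers in a window."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 3 and e.get("port") == 445:
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    flagged = {}
    for host, conns in per_host.items():
        for i, (t0, _) in enumerate(conns):  # slide the window start over each connection
            peers = {dst for t, dst in conns[i:] if (t - t0).total_seconds() <= window}
            if len(peers) >= threshold:
                flagged[host] = len(peers)
                break
    return flagged


if __name__ == "__main__":
    print("autorun on removable media:", autorun_on_removable(EVENTS))
    print("SMB fan-out hosts:", smb_fanout(EVENTS))
```

The fan-out threshold should be tuned per Purdue level: a Level 3 engineering workstation legitimately talks to more SMB peers than a Level 1 HMI.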