Full Report
This quarter, South America leads both in the percentage of ICS computers on which malicious documents were blocked and in the growth of this indicator. A review of key cybersecurity issues in the regions.
Analysis Summary
# Industry News: South America Emerges as Global Hotspot for ICS Document-Based Attacks
## Summary
In Q3 2025, South America recorded the highest percentage of Industrial Control Systems (ICS) computers targeted by malicious documents globally, showing significant growth in infection attempts. Meanwhile, North America (specifically Canada) demonstrates a contrasting yet evolving threat profile focused on sophisticated targeting of automation environments.
## Key Details
- **Date:** December 23, 2025
- **Companies Involved:** Kaspersky ICS CERT (Reporting entity), regional industrial sector participants.
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
The Kaspersky ICS CERT report for Q3 2025 highlights a critical shift in the geography of industrial cyber threats. South America has taken a dubious lead, surpassing other regions in the volume and growth rate of malicious document blocks on ICS computers. These attacks typically involve weaponized PDF, Excel, or Word documents designed to bypass traditional perimeter defenses and gain a foothold in sensitive automation networks.
In North America, particularly Canada, the report indicates that while the raw percentage of attacks may differ, the complexity of threats—often involving local network resources and multi-stage infection chains—remains a primary concern for operators of critical infrastructure.
## Business Impact
### For the Companies Involved (Industrial Operators)
- **Direct Implications:** Industrial firms in South America face rising operational risks and potential downtime due to targeted phishing and document-based malware. There is an urgent need for increased budget allocation toward ICS-specific endpoint protection.
### For Competitors (Security Vendors)
- **Competitive Landscape:** Vendors specializing in "Air-Gap" security and content disarm and reconstruction (CDR) technologies find a fertile market in South America. Traditional IT security providers must pivot to offer OT-centric (Operational Technology) solutions to remain competitive.
### For Customers (End Users/Utilities)
- **Impact on End Users:** Increased costs for critical services (power, water, manufacturing) as companies pass on the expenses of heightened cybersecurity measures and potential recovery from breach attempts.
### For the Market
- **Market Implications:** We are seeing a "regionalization" of threats. The market is shifting from general global protection strategies to highly localized defensive postures based on regional attack vectors (e.g., focusing on document-based threats in Latin America).
## Technical Implications
The surge in malicious documents indicates a preference for **Initial Access** via social engineering rather than direct exploitation of industrial protocols. Once these documents are opened on ICS-adjacent workstations, they often deploy spy-bots or loaders designed to bridge the gap between IT and OT networks.
## Strategic Analysis
- **Market Positioning:** Security firms that can integrate **Threat Intelligence (TI)** with **Automated Response** in the OT space will capture the largest market share in the Southern Hemisphere.
- **Competitive Advantage:** Early adopters of AI-driven document scanning and behavioral analysis within the ICS perimeter will have a significant advantage in mitigating these specific regional trends.
- **Challenges:** The primary obstacle remains the legacy nature of ICS hardware, which often lacks the processing power to run modern, resource-heavy security agents.
## Industry Reactions
- **Analyst Opinions:** Analysts view the South American surge as a sign that threat actors are testing "softer" industrial targets before moving to more heavily defended Western infrastructures.
- **Market Response:** There is an expected uptick in cybersecurity insurance premiums for industrial firms operating in Brazil, Argentina, and Chile due to the increased risk profile.
## Future Outlook
- **Predictions:** Expect a continued rise in "Industrial Phishing" where documents are specifically tailored to look like maintenance logs, safety reports, or equipment invoices.
- **Watch For:** Increased regulatory pressure from South American governments to mandate minimum cybersecurity standards for private industrial sectors.
## For Security Professionals
Practitioners should prioritize **User Awareness Training** specifically for OT personnel who handle administrative documents on ICS computers. Furthermore, implementing **Content Disarm and Reconstruction (CDR)** tools and strictly segmenting the IT/OT document exchange workflows should be considered high-priority mitigation tasks for the upcoming fiscal year.