Industrial Control Systems Face Rising Malware, USB Threats in Q4 2025
Kaspersky data shows malware blocked on 33.3% of industrial control system computers in Q4 2025, with internet threats and removable media as top infection vectors. The share of systems facing USB-borne threats grew to 4.1%.

Executive Summary
Malicious objects were blocked on 33.3% of industrial control system (ICS) computers globally in the fourth quarter of 2025, according to telemetry from Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT). The data, derived from Kaspersky security products deployed on these systems, indicates that internet-facing threats and malware delivered via removable media, primarily USB drives, remain the most significant infection vectors. The share of ICS computers on which threats were blocked from removable media grew to 4.1%, highlighting the persistent risk of cross-domain data transfer in operational technology (OT) environments.
Technical Analysis
The quarterly threat landscape report, based on data from Kaspersky Security Network, aggregates detections across a globally distributed set of ICS computers protected by the company's products. The 33.3% figure is the share of these protected systems on which at least one malicious object (malware or a malicious script) was blocked during the quarter; it measures how many machines were exposed, not how many attacks each one saw. While this is a slight decrease from 34% in Q3 2025, the rate remains persistently high, indicating a steady stream of automated and targeted attacks reaching OT endpoints.
The primary sources of infection were the internet (8.1% of systems) and removable media (4.1%). The internet category includes threats delivered via web browsers, email clients, and file downloads from online sources. The removable media vector, which saw an increase from the previous quarter, predominantly involves USB flash drives used to transfer files between isolated OT networks and corporate IT environments or contractor systems. This creates a bridge for malware, including worms and ransomware, to bypass air gaps.
Malware categories detected include spyware, ransomware, phishing pages, miners, and backdoors. The report does not specify the prevalence of new, previously unknown (zero-day) exploits versus the exploitation of known vulnerabilities. The consistent threat level suggests attackers continue to successfully leverage unpatched systems, weak network segmentation, and insufficient security policies for removable devices.
Tactics, Techniques & Procedures
Threat actors continue to rely on well-established TTPs to compromise industrial environments. The two leading infection sources map to MITRE ATT&CK Initial Access techniques: internet-delivered threats correspond to Phishing (T1566) and Drive-by Compromise (T1189) aimed at engineers and operators, while the removable-media vector corresponds to Replication Through Removable Media (T1091), which ATT&CK lists under both Initial Access and Lateral Movement because malware that writes itself to a USB drive can enter a segregated network and then hop between its segments. Once established, attackers deploy a range of payloads for Execution (TA0002) and Exfiltration (TA0010), including spyware and backdoors. The lack of a dominant, novel malware family suggests a focus on commodity malware and adaptable tools rather than sophisticated, single-purpose ICS attacks.
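The removable-media vector leaves a simple trace on the endpoint: a device-arrival event followed shortly by a process started from the drive that just appeared. The following correlation script is an added example (not Kaspersky's code or tooling) that pairs Windows Security Event ID 6416 ("A new external device was recognized by the system", audit subcategory Plug and Play Events) with Event ID 4688 (process creation) on the same host. The event records, their simplified field names and the set of removable drive letters are all constructed assumptions for the demo rather than the exact EVTX schema; on a real host derive the drive letters from the volume's DriveType rather than a fixed list.

```python
"""Correlate removable-device arrival (6416) with execution from that media (4688).

Constructed sample events; field names are simplified assumptions modelled on
the 6416 and 4688 message bodies, not the exact Windows event schema.
"""
from datetime import datetime, timedelta

# Assumption: drive letters this site hands to removable media. A production
# version would check the volume's DriveType (2 = removable) instead.
REMOVABLE_LETTERS = ("D:", "E:", "F:", "G:")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"time": "2025-11-04T09:12:03", "host": "HMI-01", "event_id": 6416,
     "device_id": "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\08606E6D4FA5BD",
     "class_name": "DiskDrive"},
    {"time": "2025-11-04T09:12:20", "host": "HMI-01", "event_id": 4688,
     "new_process_name": "C:\\Windows\\explorer.exe", "user": "OPERATOR"},
    {"time": "2025-11-04T09:12:41", "host": "HMI-01", "event_id": 4688,
     "new_process_name": "E:\\project_update.exe", "user": "OPERATOR"},
    {"time": "2025-11-04T11:00:00", "host": "ENG-02", "event_id": 6416,
     "device_id": "USB\\VID_046D&PID_C52B\\5&2A1B3C4D&0&2",   # mouse receiver
     "class_name": "HIDClass"},
    {"time": "2025-11-04T11:00:30", "host": "ENG-02", "event_id": 4688,
     "new_process_name": "C:\\Windows\\System32\\notepad.exe", "user": "ENGINEER"},
    {"time": "2025-11-04T11:45:00", "host": "HMI-01", "event_id": 4688,
     "new_process_name": "E:\\late_tool.exe", "user": "OPERATOR"},  # outside window
]


def is_removable_storage(ev):
    """True for a 6416 that enumerates USB mass storage (USBSTOR), not a HID dongle."""
    return ev["event_id"] == 6416 and ev["device_id"].upper().startswith("USBSTOR\\")


def runs_from_removable(ev):
    """True for a 4688 whose image path sits on a removable drive letter."""
    return ev["event_id"] == 4688 and ev["new_process_name"].upper().startswith(REMOVABLE_LETTERS)


def correlate(events, window_seconds=600):
    """Return one alert per process launched from removable media within
    window_seconds after a USB storage arrival on the same host."""
    alerts = []
    arrivals = {}  # host -> list of (arrival time, device id)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if is_removable_storage(ev):
            arrivals.setdefault(ev["host"], []).append((t, ev["device_id"]))
        elif runs_from_removable(ev):
            for t0, dev in arrivals.get(ev["host"], []):
                if timedelta(0) <= t - t0 <= timedelta(seconds=window_seconds):
                    alerts.append({
                        "host": ev["host"], "user": ev.get("user"),
                        "process": ev["new_process_name"], "device": dev,
                        "seconds_after_insert": int((t - t0).total_seconds()),
                        "technique": "T1091 Replication Through Removable Media",
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Running it against the sample yields a single alert for HMI-01 (project_update.exe started 38 seconds after the DataTraveler appeared); the HID receiver on ENG-02 and the launch on HMI-01 long after the insertion are not flagged. The window is deliberately short so that the rule stays high-signal; a site where operators routinely run vendor tools from approved drives should pair it with the hash allowlist used by the transfer gate rather than widen the window.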
Threat Actor Context
The report does not attribute the activity to specific named threat actors or advanced persistent threat (APT) groups. The global nature and consistent volume of detections point to a broad mix of actors, including cybercriminal groups pursuing financial gain through ransomware and miners, as well as espionage-focused actors likely using more targeted backdoors. The significant role of removable media is a hallmark of threats aimed at air-gapped or poorly segmented OT networks, with Stuxnet the canonical example of USB delivery into an isolated plant; Triton (attributed to TEMP.Veles) and Industroyer2 are ICS-specific malware families rather than groups, and neither is known to have relied on removable media for entry. In any case, Kaspersky's data reflects the aggregate blocking of all malware, meaning a large portion is likely attributable to widespread, non-targeted criminal activity.
Mitigations & Recommendations
Organizations should implement a defense-in-depth strategy tailored to OT constraints. Kaspersky ICS CERT recommends technical and policy measures to counter the identified vectors:
- Secure Removable Media: Implement strict policies for USB device usage. Deploy dedicated security solutions for scanning all files transferred to the OT environment via removable media, judging files by their content rather than their file extension. Consider application whitelisting so that only approved, known-good executables can run, which stops unauthorized binaries launched from removable drives.
- Segment and Protect Network Boundaries: Ensure robust network segmentation between corporate IT and OT networks (ICS cells). Deploy firewalls and intrusion detection systems at the OT perimeter to monitor and control traffic. Restrict internet access for ICS components to only strictly necessary, whitelisted destinations.
- Update and Patch Management: Establish a risk-based program for applying security updates to ICS components, prioritizing patches for critical vulnerabilities that are under active exploitation, following vendor guidance and testing in a non-production environment first.
- Security Awareness: Conduct regular training for engineers, operators, and contractors on OT security policies, specifically the risks of phishing and the proper handling of removable media.
- Endpoint Protection: Deploy specialized security solutions designed for ICS computers that provide threat detection and prevention without disrupting operational processes.
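The removable-media and whitelisting recommendations above amount to a transfer gate: every file coming off a USB drive is judged on its bytes, executables and shortcuts are refused outright, and anything else must match an approved hash before it reaches the OT zone. The script below is an added example of such a gate (not Kaspersky's product or code). The sample files, the allowlist and the verdict names ALLOW, REJECT and QUARANTINE are constructed for the demo; the magic-number signatures it checks (PE, ELF, shebang scripts, Windows .lnk) are the real file-format headers.

```python
"""Content-based gate for files arriving on removable media (added example).

Verdicts: REJECT for executable or shortcut content and for autorun.inf,
ALLOW for files whose SHA-256 is on the approved list, QUARANTINE otherwise.
"""
import hashlib
import tempfile
from pathlib import Path

# Real format headers, matched against the first bytes of each file so that a
# renamed binary ("report.pdf" that starts with MZ) is still caught.
EXECUTABLE_MAGICS = (
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (.lnk)"),
)
REJECTED_NAMES = {"autorun.inf", "desktop.ini"}  # never copied into the OT zone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path, allowlist):
    """Return (verdict, reason) for one file; allowlist is a set of hex SHA-256."""
    path = Path(path)
    if path.name.lower() in REJECTED_NAMES:
        return "REJECT", f"{path.name} is never transferred"
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, label in EXECUTABLE_MAGICS:
        if head.startswith(magic):
            return "REJECT", f"{label} content (extension {path.suffix or 'none'})"
    digest = sha256_of(path)
    if digest in allowlist:
        return "ALLOW", f"sha256 {digest[:12]} on allowlist"
    return "QUARANTINE", "not on allowlist; hold for manual review"


def gate_directory(root, allowlist):
    """Check every file under root (the mounted drive); keyed by POSIX relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): check_file(p, allowlist)
            for p in root.rglob("*") if p.is_file()}


def demo():
    """Build a constructed USB-drive image in a temp directory and gate it."""
    samples = {  # constructed contents, not real files
        "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # PE behind a .pdf name
        "setpoints.csv": b"tag,value\nTIC101,72.5\nFIC202,18.0\n",
        "autorun.inf": b"[autorun]\nopen=report.pdf\n",
        "notes.txt": b"shift handover notes\n",
        "tools/update.lnk": (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
                             b"\xc0\x00\x00\x00\x00\x00\x00\x46"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            p = Path(tmp, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # The allowlist is produced off-line by the change process from the
        # approved file set; here only the setpoint file has been approved.
        allowlist = {hashlib.sha256(samples["setpoints.csv"]).hexdigest()}
        return gate_directory(tmp, allowlist)


if __name__ == "__main__":
    for name, (verdict, reason) in sorted(demo().items()):
        print(f"{verdict:10} {name}: {reason}")
```

The default-deny shape is the point: a file that is neither obviously dangerous nor explicitly approved is held rather than passed, which is what makes hash allowlisting workable for the small, slowly changing set of files (configuration exports, setpoint tables, vendor updates) that legitimately cross into an OT cell.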
