- ICS risk now depends heavily on geography. Facilities running similar control systems face very different threat levels based on local security practices, infrastructure maturity, and access controls.
- Africa recorded the highest ICS threat exposure in Q3 2025, with 27.4% of computers blocking malicious activity, compared to just 9.2% in Northern Europe.
- The global ICS threat rate is falling, hitting 20.1% in Q3 2025, the lowest since 2022, but this decline hides growing risks in specific regions.
In 2025, the cyber reality of two facilities running similar industrial control systems (ICS) may vary depending on where they are located. A manufacturing plant in Northern Europe may run its production lines with almost no internet access, strict USB controls, and layered email filtering. An engineering firm in parts of Africa or East Asia may rely on shared networks, third-party remote access tools, and cloud-hosted project files to keep operations moving.
This difference in day-to-day operations is visible in the latest threat data from Kaspersky. In Q3 2025, the percentage of ICS computers where malicious objects were blocked varied from 9.2% in Northern Europe to a concerning 27.4% in Africa. This disparity reflects global differences in infrastructure maturity, adoption of ICS security practices, regular policies, and modern tools used to protect industrial systems.
A Global Average Decline, Despite Uneven Percentages in Regions
Although the percentage increased in five regions, East Asia stood out with the most significant growth. This surge was specifically attributed to the local spread of malicious scripts within the OT networks of engineering firms and ICS integrators, which further demonstrates the disparity in regional cyber practices and trends.
Despite regional percentages being uneven, the global average continued to fall. In Q3 2025, only 20.1% of ICS computers recorded blocked malicious activity — the lowest level seen since 2022. But this overall decline masks a more complex reality: in some regions, threat activity increased, while in others, threats were increasingly stopped before reaching ICS endpoints at all.
The Internet Remains the Main Threat Vector
That complexity becomes clearer when you look at where these threats originate. The dominant source of threats to enterprise OT infrastructure was still the Internet, followed by email clients and removable media. However, all three sources showed a global decline in detection rates in Q3 2025. Internet-based threats dropped to 7.99%, the lowest level since mid-2022.
But that drop in internet-based threats doesn’t mean attackers suddenly went to sleep. What is happening is that more attacks are being stopped earlier than before. Security systems are getting better at identifying bad websites and IP addresses and blocking them outright. Once a link or server is identified as malicious, it is quickly added to the shared deny list, which updates every other system across the threat-intelligence network to prevent an attack.
The most common internet-based threats blocked on ICS computers were malicious scripts, phishing pages, and denylisted internet resources. Regionally, the percentage ranged from 4.57% in Northern Europe to 10.31% in Africa — once again reflecting uneven exposure and defensive maturity.
Because of this earlier blocking, fewer threats show up as obvious “blocked websites,” and more are discovered later in the chain, often as scripts or lightweight files that slip through because they’re hosted on short-lived or legitimate platforms. Put simply, attackers are changing how they deliver threats, and defenders are stopping more of them at the front door.
Email Threats Varied By Region
So if security systems stopped Internet threats, what happened to the other sources, such as email and removable media? In Q3 2025, email-based threats remained mostly unchanged, at 3.01%. Though this is lower than the internet threat rate globally, the picture changes depending on location.
In parts of Southern Europe, email posed nearly the same level of risk as internet access. That’s largely because email remains central to industrial work — engineers share files, vendors send updates, and credentials still move around inboxes.
Most of these attacks arrived as infected documents, malicious scripts, or spyware. And despite years of warnings, phishing continues to work, especially in OT environments where staff awareness and attachment controls are uneven. Where security practices are weaker, email remains an easy way in.
Removable Media Threats Were Rare But Dangerous
Removable media threats dropped to just 0.33%, the lowest level in years. This may look like a win on the surface.
But there’s a catch.
When USB-based infections do happen, they often bypass security controls entirely. Worms, viruses, and spyware introduced through removable media can spread quickly inside OT networks, revealing gaps in endpoint protection and USB policies. Fewer incidents mean failures are more costly when they occur.
Threats spreading through network folders remained relatively rare but were still relevant in certain regions. These threats mainly included viruses, AutoCAD-targeted malware, worms, and spyware. Detection rates ranged from just 0.006% in Northern Europe to 0.20% in East Asia.
While the numbers are small, this type of internal spread often points to poor network segmentation and legacy systems, conditions that allow even older malware to move freely once introduced.
What These Numbers Point To
Seen together, these numbers show that attackers are adapting and that security maturity still varies widely by region. That’s why the gap remains so large; fewer visible infections signal more targeted attacks, deeper intrusions, and security gaps that differ sharply across regions.
In industrial cybersecurity, stopping threats at the door is progress. Making sure nothing moves freely inside is the real challenge.
