In the final quarter of 2024, industrial control system (ICS) security metrics revealed a subtle but telling shift in the global threat landscape. The proportion of ICS computers on which malicious objects were blocked fell by 0.1 percentage points from the previous quarter, settling at 21.9%. Year-over-year, this represented a 2.8 percentage point decline compared to Q4 2023. October marked the peak month for blocked threats, while November recorded the lowest monthly figure in two years.

Regional disparities remained pronounced. Northern Europe registered the lowest percentage at 10.6%, while Africa led with 31%. Eight of the thirteen monitored regions experienced an uptick from Q3 levels. Among industrial sectors, biometrics topped the list for blocked malicious objects, while most industries saw declines, save for construction, which bucked the trend.

Kaspersky’s protective systems intercepted malware from 11,065 distinct families during the quarter, spanning a wide range of categories. The primary infection vectors continued to be the internet, email clients, and removable storage devices, though precise attribution was not always possible. Notably, the percentage of ICS computers blocking threats from all identified sources dropped to the lowest levels observed since the start of the reporting period.

Malicious objects used for initial infection—such as denylisted internet resources, malicious scripts, phishing pages, and infected documents—showed mixed behavior. Denylisted internet resources fell to 5.52%, down 1.32 percentage points, and malicious documents dropped to 1.71%, their lowest since early 2022. This decline was attributed in part to proactive measures by resource owners, hosting providers, ISPs, and law enforcement, as well as attackers’ strategic rotation of domains and IP addresses to evade detection. Such tactics can delay inclusion in denylists, temporarily reducing recorded blocking rates.

Conversely, malicious scripts and phishing pages rose to 7.11%, driven by widespread phishing campaigns in late summer and early autumn. These attacks deployed browser-executed scripts mimicking CAPTCHA prompts or error messages, coaxing users into downloading secondary payloads such as the Lumma stealer or Amadey Trojan. This surge underscored the linkage between initial infection vectors and subsequent malware deployment.

Spyware activity increased to 4.30%, a 0.39 percentage point rise from Q3, encompassing spy Trojans, backdoors, and keyloggers. Ransomware, though still relatively rare, climbed to 0.21%, its highest in two years, marking a 1.3-fold increase over the previous quarter. Miners presented a contrasting picture: executable miners for Windows dipped slightly to 0.70%, while web miners fell to 0.39%, the lowest recorded in the observation period.

Self-propagating malware—worms and viruses—continued to exploit removable media, network folders, infected backups, and vulnerabilities in outdated software to spread across ICS networks. Worms increased marginally to 1.37%, and viruses rose to 1.61%. While these figures remain modest, their persistence reflects the enduring risk posed by legacy attack methods in industrial environments.

AutoCAD malware, a niche threat often ranking lowest among categories, declined further to 0.38%. Though its prevalence is minimal, its targeting of design files highlights the intersection between industrial malware and engineering workflows.

For engineers, robotics developers, and aerospace system designers, these findings underscore the evolving nature of industrial cyber threats. Even as certain categories decline due to defensive measures, others adapt and proliferate through new tactics. The data from Q4 2024 illustrates the importance of layered defenses, timely threat intelligence, and continuous monitoring to safeguard complex, interconnected technical infrastructures.
