Threat landscape for industrial automation systems. Q1 2026
Kaspersky's Q1 2026 ICS threat landscape report indicates a continued overall decline in malware blocked on industrial automation systems, reaching 19.6%. However, specific regions like Southern Europe and industries like biometric systems saw notable increases in threats, particularly from malicious scripts, phishing, and spyware. The report highlights the persistent risk to OT environments from common threat vectors like internet browsing and email.
Detection / Hunteropenrouter
What Happened
A recent report from Kaspersky analyzes the security threats targeting industrial computer systems during the first quarter of 2026. It found that while the overall percentage of computers with blocked threats decreased to its lowest point in three years, certain sectors like biometric systems and regions like Southern Europe experienced significant increases in attacks. The most common threats were malicious web scripts, phishing pages, and spyware, often delivered through internet browsing and email. Organizations operating industrial systems should review their security postures, focusing on email filtering and web protection, especially for exposed systems like biometric access controls.
Key Takeaways
- The percentage of ICS computers on which malicious objects were blocked reached 19.6% in Q1 2026, the lowest in three years.
- Biometric systems ranked highest among targeted industries (26.4%), largely due to internet exposure and extensive email use.
- Malicious scripts and phishing pages (JS/HTML) remained the top threat category at 6.56%.
- Southern Europe saw the fastest growth in internet and email threats, as well as spyware.
- AutoCAD malware saw a slight global increase, with significant growth in Africa, nearly doubling to 0.91%.
Affected Systems
- Industrial automation systems (ICS)
- Biometric systems
- Building automation systems
- Electric power infrastructure
- Manufacturing systems
- Oil and gas infrastructure
- Construction industry systems
- AutoCAD software
Vulnerabilities (CVEs)
None identified.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article is a statistical threat landscape report and does not contain specific detection rules or queries.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR solutions would be the primary source for detecting the endpoint activities described (malware execution, spyware behavior), but the report itself is statistical and does not provide specific behavioral indicators. |
| Network Visibility | Medium | Network monitoring would capture the internet and email threat vectors highlighted in the report, but specific network IOCs are not provided. |
| Detection Difficulty | Moderate | Detecting general malware categories on ICS computers is typically supported by standard AV/EDR, but attributing them to specific OT processes and ensuring coverage on legacy systems can be challenging. |
Required Log Sources
- EDR telemetry
- Email gateway logs
- Web proxy logs
- DNS logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for increased volumes of malicious JS/HTML files being accessed or executed by ICS computers, particularly in biometric or building automation sectors. | Web proxy logs, EDR file execution events | Execution | Medium - JS/HTML execution is common; focus on known malicious patterns or unusual sources. |
| If you have email gateway visibility, consider monitoring for phishing campaigns targeting OT engineering staff, as email remains a top vector for biometric systems. | Email gateway logs, EDR process creation from email clients | Initial Access | Low - Phishing indicators are generally high-fidelity. |
Control Gaps
- Lack of network segmentation allowing internet-borne threats to reach ICS computers.
- Insufficient email filtering for OT-specific user accounts.
- Unrestricted internet access on biometric systems.
Key Behavioral Indicators
- AutoCAD files with embedded malicious macros or scripts
- JS/HTML files associated with phishing pages accessed from ICS networks
- Executable miners running on Windows ICS hosts
False Positive Assessment
Low - The article provides statistical data and trends rather than specific IOCs that could trigger false positives.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider reviewing recent alerts on ICS computers for malicious scripts, phishing pages, and spyware, particularly in biometric and building automation systems.
Infrastructure Hardening
- Evaluate whether ICS computers, especially biometric systems, require unrestricted internet access; consider implementing allowlisting or web filtering.
- Consider enhancing email security controls for users interacting with ICS environments to reduce email-borne threats.
User Protection
- If applicable, ensure endpoint protection on ICS computers includes robust anti-phishing and anti-spyware capabilities.
- Consider restricting removable media usage on critical OT systems to mitigate that vector.
Security Awareness
- Consider incorporating ICS-specific phishing awareness training for engineering and OT staff, emphasizing the risks of malicious documents and scripts.