Threat landscape for industrial automation systems, Q1 2024

Global statistics

Statistics across all threats

In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 24.4%.

Compared to the first quarter of 2023, the percentage decreased by 1.3 pp.

Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024

Selected industries

Building automation has historically led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.

Percentage of ICS computers on which malicious objects were blocked in selected industries

In the first quarter of 2024, the percentage of ICS machines that blocked malicious objects decreased across all industries.

Diversity of detected malware

In the first quarter of 2024, Kaspersky’s protection solutions blocked malware from 10,865 different families belonging to various categories on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects in various categories was prevented

Compared to the previous quarter, the most significant increase in the first quarter of 2024 in the percentage of ICS computers on which malicious objects of a given category were blocked was for AutoCAD malware, which grew by a factor of 1.16.

Main threat sources

The internet, email clients, and removable storage devices remain the primary sources of threats to computers in an organization’s operating technology infrastructure. Note that the sources of blocked threats cannot be reliably identified in all cases.

In the first quarter of 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for every major source.

Percentage of ICS computers on which malicious objects from various sources were blocked

Regions

Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 32.4% in Africa to 11.5% in Northern Europe.

Regions ranked by percentage of ICS computers where malicious objects were blocked, Q1 2024

The two regions with the highest percentage of attacked ICS computers, Africa and South-East Asia, saw their percentages increase from the previous quarter.

Malicious activity in numbers

Malicious objects used for initial infection

Malicious objects that are used for initial infection of computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.

By cybercriminals’ logic, these malicious objects can spread easily. As a result, they are blocked by security solutions more often than everything else. This is also reflected in our statistics.

Globally and in almost all regions, denylisted internet resources and malicious scripts and phishing pages occupy first place in the rankings of malware categories by percentage of ICS computers on which this malware is blocked.

The sources of most malicious objects used for initial infection are the internet and email. The leading regions by percentage of ICS computers on which threats from these sources were blocked are the following:

Internet threats

  • Africa – 14.82%;
  • South-East Asia – 14.01%.

Email threats

  • Southern Europe – 6.85%;
  • Latin America – 5.09%.

Denylisted internet resources

The leading regions by percentage of ICS computers on which denylisted internet resources were blocked were:

  • Africa – 8.78%;
  • Russia – 7.49%;
  • South Asia – 7.48%.

Malicious scripts and phishing pages

The leading regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were:

  • Latin America – 7.23%;
  • Southern Europe – 6.96%;
  • Middle East – 6.95%.

Malicious documents

The leading regions by percentage of ICS computers on which malicious documents were blocked were:

  • Southern Europe – 3.24%;
  • Latin America – 2.94%;
  • Eastern Europe – 2.33%.

Next-stage malware

Malicious objects used for initial infection of computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.

Among the miners designed to run on Windows, some of the most common are those distributed by attackers in the form of NSIS installer files with legitimate software.

Spyware

As a rule, the higher the percentage of ICS computers on which initial infection malware is blocked, the higher the percentage of next-stage malware.

The three leading regions by percentage of ICS computers on which spyware was blocked were as follows:

  • Africa – 6.65%;
  • Middle East – 5.89%;
  • Southern Europe – 5.45%.

Spyware ranks no higher than third place in the threat category rankings by percentage of ICS computers on which it was blocked in almost every region except for:

  • East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked, at 3.68%.
  • Central Asia: in this region, in the relevant rankings, spyware sits at second place with 4.40%.

Covert crypto mining programs

Miners in the form of executable files for Windows

The leading regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were:

  • Central Asia – 1.78%;
  • Russia – 1.38%;
  • Eastern Europe – 1.06%.

Miners in the form of Windows executable files are seventh in the global rankings of threat categories by percentage of ICS computers on which they were blocked.

  • They are fourth in the relevant rankings for Russia.
  • They are in fifth place in Central Asia.

We should note that during Q1 2024, the percentage of ICS computers on which miners in the form of Windows executable files were blocked increased in all regions except for Russia and Central Asia.

Web miners running in browsers

The leading regions by percentage of ICS computers on which browser-based web miners were blocked were:

  • Africa – 0.91%;
  • Middle East – 0.84%;
  • Australia and New Zealand – 0.78%.

In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up in fifth place in the following regions:

  • Australia and New Zealand – 0.78%;
  • US and Canada – 0.45%;
  • Northern Europe – 0.27%.

Globally, this threat ranked eighth.

In Q1 2024, the percentage of ICS computers on which browser-based web miners were blocked increased in all regions except for Russia and Central Asia.

Ransomware

The regions with the highest percentage of ICS computers on which ransomware was blocked were:

  • Middle East – 0.28%;
  • Africa – 0.27%;
  • South Asia – 0.22%.

Self-propagating malware. Worms and viruses

Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.

In three regions, the percentage of ICS computers on which threats were blocked when connecting removable media is higher than the percentage of ICS computers on which mail threats were blocked – although it was lower in all others:

  • Africa – 5.6% (leads this ranking);
  • South Asia – 2.46%;
  • Central Asia – 1.51%.

Worms

The leading regions by percentage of ICS computers on which worms were blocked were:

  • Africa – 5.29%;
  • Central Asia – 2.88%;
  • Middle East – 2.40%.

Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked. In similar regional rankings, worms are in fourth place in four regions:

  • Africa – 5.29%;
  • Central Asia – 2.88%;
  • Middle East – 2.40%;
  • South Asia – 1.95%.

Two of these regions led by percentage of ICS computers on which threats were blocked when connecting removable media:

  • Africa – 5.60%;
  • South Asia – 2.46%.

Viruses

The leading regions by percentage of ICS computers on which viruses were blocked were:

  • Southeast Asia – 7.61%;
  • Africa – 4.09%;
  • East Asia – 2.89%.

In Southeast Asia, viruses are in first place (!) in the threat category rankings by percentage of ICS computers on which they were blocked.

Note that two of the three top regions are also leaders by percentage of ICS computers on which network folder threats were blocked.

  • Southeast Asia – 0.43%;
  • East Asia – 0.32%.

AutoCAD malware

AutoCAD malware can spread in a variety of ways, so it falls into a separate category.

The same regions that lead in the virus rankings are also the leaders by percentage of ICS computers on which AutoCAD malware was blocked:

  • Southeast Asia – 2.81%;
  • East Asia – 1.49%;
  • Africa – 0.61%.

Normally, AutoCAD malware is a minor threat that usually comes last in the malware category rankings by percentage of ICS computers on which it is blocked. In Southeast Asia in Q1 2024, this category was fifth.

The full global and regional reports have been published on the Kaspersky ICS CERT website.
