According to a new Kaspersky ICS CERT report, in Q1 2026 the percentage of industrial control systems (ICS) on which malicious objects were blocked reached 19.6% globally. Kaspersky security solutions blocked malware from 10,052 different malware families of various categories on industrial automation systems. Regionally, the share of ICS computers that were attacked ranged from 27.4% in Africa to 9.1% in Northern Europe. Compared to the previous quarter, attacks on the manufacturing sector in Q1 increased in multiple regions, including in Europe and Asia.
Regional split
In terms of overall numbers
across all industry sectors, five regions saw an increase in the share of
attacked ICS computers in Q1 2026 compared to the previous quarter. These were
Southern Europe, Russia, Northern Europe, Canada and Africa.
Changes in the percentage of ICS computers on
which malicious objects were blocked,
Q1 2026 compared to Q4 2025
In Southern Europe, the percentage of ICS computers on which malicious objects were blocked has been increasing for over two consecutive quarters. Though Northern Europe placed last in terms of the share of ICS devices attacked as usual, in Q1 2026 it experienced an increase in the number of targeted machines for the first time in a long period.
Industries
The percentage of ICS computers on which malicious objects were blocked in Q1 2026
In Q1, biometric systems traditionally placed first in terms of the share of ICS computers on which malicious objects were blocked, at 26.4%. These systems commonly have internet access, are used for email, and, in many cases, have minimal cybersecurity controls within the organizations that use these systems. Regionally, Southern Europe leads the ranking based on the percentage figures for biometric systems, at 35.15%. Africa follows at 29.58%, and Central Asia comes in third at 28.53%.
In the manufacturing industry, Southeast Asia ranks first among regions in terms of the percentage of ICS computers attacked (23.21%), followed by Africa (21.36%) and South Asia (20.13%).
In Western and Northern Europe, in East Asia, Central Asia and the South Caucasus, attacks on ICS devices in the manufacturing industry were significantly above the regional averages. Apart from that, compared to the previous quarter, attacks on manufacturing increased in Western, Eastern, Southern and Northern Europe, in South, East, and Central Asia, and in Australia and New Zealand.
In 2025, Kaspersky and VDC
Research estimated that in just the first three quarters of 2025
cyberattacks on manufacturing organizations via ransomware could have generated
over $18 billion globally in losses. Actual business losses could have been
even higher when factoring in supply-chain disruptions, reputational damage,
and recovery expenses.
The percentage of ICS computers on which malicious objects were blocked in Q1 2026
“Legacy operational technology systems remain deeply embedded in manufacturing environments, which makes them vulnerable. Supply chain complexity and branching of the trusted partner network expands the attack surface beyond the network perimeter. Attackers are realizing that targeting OT assets of an industrial enterprise is not rocket science, which is why factory shuttdowns bring massive financial losses,” commented Evgeny Goncharov, Head of Kaspersky ICS CERT.
Full information is available in the report on Kaspersky ICS CERT website.
To keep OT computers protected from various threats, Kaspersky experts recommend:
- Conducting regular security assessments of OT systems to identify and eliminate possible cyber security issues.
- Establishing continuous vulnerability assessment and triage as a foundation for effective vulnerability management process. Dedicated solutions like Kaspersky Industrial CyberSecurity may become an efficient assistant and a source of unique actionable information, not fully available in public.
- Performing timely updates for the key components of the enterprise’s OT network; applying security fixes and patches or implementing compensating measures as soon as it is technically possible is crucial for preventing a major incident that might cost millions due to the interruption of the production process.
- Using EDR solutions such as Kaspersky Next EDR Expert for timely detection of sophisticated threats, investigation, and effective remediation of incidents.
- Improving the response to new and advanced malicious techniques by building and strengthening teams’ skills in incident prevention, detection, and response. Dedicated OT security trainings for IT security staff and OT personnel is one of the key measures helping to achieve this.
- For building proactive cyber defense it is essential to keep track of the modern threat landscape developments and fixing errors the others made before they are exploited in your infrastructure. Kaspersky Threat Intelligence set of services is a unique source of incites of the evolution of threats and commonly exploited weaknesses we recommend for both strategical and tactical cybersecurity enhancements
About Kaspersky ICS CERT
Kaspersky ICS CERT is primarily focused on
identifying and addressing potential and existing threats to industrial
automation systems and the Industrial Internet of Things (IloT). The team has
successfully identified and helped eliminate hundreds of vulnerabilities in
widely used OT/IoT products and key components, enhancing the security and
resilience of these critical systems against sophisticated cyberattacks.
