Attacks on industrial control systems fall to a three-year low

The share of industrial control system computers hit by malware has fallen to its lowest level in three years, but the machines that run biometric access systems remain the most heavily targeted corner of the factory floor. That is the headline from Kaspersky ICS CERT's threat landscape report for the first quarter of 2026, which found malicious files were blocked on 19.6% of the industrial computers it protects, down by a factor of 1.4 from the same period in 2023.

Industrial control systems (ICS) are the computers that monitor and run physical processes in factories, utilities, and building infrastructure. A drop in attacks sounds like good news, but the report shows the risk is uneven and, in places, still climbing.

Who is getting hit

Regionally the numbers ranged from 9.1% of ICS computers in Northern Europe to 27.4% in Africa, and five regions, led by Southern Europe and Russia, saw attacks increase over the quarter. By sector, biometric systems topped the list at 26.4%, which Kaspersky attributes to their heavy internet and email use combined with often minimal security controls. Unusually, biometric systems were hit more through email than through the web. Manufacturing was the only sector where the attack rate rose, up 1.0 percentage point.

How the threats arrive

According to the original report, Kaspersky blocked malware from 10,052 different families on industrial machines during the quarter. Malicious scripts and phishing pages remained the most common threat category (6.56% of ICS computers), followed by spyware (3.73%). Ransomware, despite the attention it draws, was blocked on just 0.14% of systems, the lowest of any category. The internet was the leading infection route at 7.88% and the only source to grow, while email, removable media, and network folders all declined.

What it means for operators

The falling averages should not lull OT teams into complacency, because the sectors that keep the lights and water on, including electric power and construction in Southeast Asia, still see internet-borne threats blocked on more than one in eight machines. Defenders should prioritize tightening email and web controls on the internet-connected corners of their OT estates, especially biometric and building-automation systems, and keep patching known flaws in exposed industrial software, as recent CISA advisories on critical ICS bugs underscore. Politically motivated attacks on operational technology, such as the CyberAv3ngers campaign against Unitronics PLCs, show why even a shrinking attack surface still deserves attention.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions