Industrial Automation Threat Landscape in Asia: Q4 2025
Analytics | Published 2026-04-29, 11:40
Researchers from Kaspersky ICS CERT released a report analyzing threats targeting industrial control systems (ICS) across Asia in Q4 2025. The study is based on telemetry from security solutions and covers South, Southeast, East, and Central Asia, as well as the Caucasus. It highlights prevalent attack vectors, threat activity, and regional exposure patterns.
Key Findings
🔍 ICS environments across the region continued to experience sustained malicious activity, underscoring persistent exposure of industrial infrastructure.
🌐 Primary infection vectors remain the internet, email, removable media, and network shares. While the internet serves as the dominant initial access channel, network resources are frequently leveraged for internal propagation and lateral movement.
🦠 Observed threats are dominated by phishing, malicious scripts, and downloaders commonly used in early-stage intrusion chains.
📎 Multiple cases were identified involving malicious files masquerading as engineering documents (e.g., AutoCAD-related files), used as delivery mechanisms via web and email channels.
🔗 Web-based threats account for a significant share of detections, with ICS users frequently exposed to malicious content through online resources.
Regional Breakdown
🔻 South Asia
Web-based threats and phishing remain dominant. Removable media and shared network folders are also widely used for secondary propagation of malware within environments.
🔻 Southeast Asia
Multiple concurrent threat categories were observed, including malicious scripts, downloaders, self-propagating threats, and web-based cryptominers. The region also ranks among the highest globally for blocked malicious web resources and attacks delivered via engineering-related files.
👉 Vietnam stands out, with up to 4.72% of ICS systems exposed to malicious web resources — among the highest rates in the region.
🔻 East Asia
Spyware remains the most prevalent threat category in ICS environments, indicating frequent success of initial access vectors such as phishing, malicious attachments, and removable media. Continued activity is also observed via USB devices and shared network folders, suggesting weak OT perimeter controls.
🔻 Central Asia & South Caucasus
Key risks are associated with removable media and software execution in ICS environments. USB-based propagation of worms, spyware, and Windows miners remains widespread. The region also ranks among the global leaders for ransomware activity delivered via internet, email, and removable media.
ICS environments across Asia continue to converge with external networks, significantly expanding the attack surface and increasing the number of viable entry points. Initial access continues to be driven by internet-based vectors, email phishing, and user-enabled execution paths, while internal spread is primarily facilitated through removable media and network shares. Regional variation indicates that threat exposure is strongly correlated with OT security maturity and overall digitalization level. Despite differences in intensity and composition, commodity intrusion techniques — phishing, malicious scripts, and downloader-based chains — remain consistently effective across the industrial threat landscape.