According to a new Kaspersky ICS CERT report, in Q1 2026 the percentage of industrial control systems (ICS) on which malicious objects were blocked reached 19.6% globally. Kaspersky security solutions blocked malware from 10,052 different malware families of various categories on industrial automation systems. Regionally, the share of ICS computers that were attacked ranged from 27.4% in Africa to 9.1% in Northern Europe. Compared to the previous quarter, attacks on the manufacturing sector in Q1 increased in multiple regions, including in Europe and Asia.
Regional split
In terms of overall numbers across all industry sectors, five regions saw an increase in the share of attacked ICS computers in Q1 2026 compared to the previous quarter. These were Southern Europe, Russia, Northern Europe, Canada and Africa.
The percentage of ICS computers on which malicious objects were blocked in Q1 2026
Industries
In Q1, biometric systems, as usual, ranked first in terms of the share of ICS computers on which malicious objects were blocked, at 26.4%. These systems commonly have internet access, are used for email, and, in many cases, have minimal cybersecurity controls within the organizations that use them. Regionally, Southern Europe leads the ranking for biometric systems at 35.15%. Africa follows at 29.58%, and Central Asia comes in third at 28.53%.
In the manufacturing industry, Southeast Asia ranks first among regions in terms of the percentage of ICS computers attacked (23.21%), followed by Africa (21.36%) and South Asia (20.13%).
In 2025, Kaspersky and VDC Research estimated that in just the first three quarters of 2025 ransomware attacks on manufacturing organizations could have caused over $18 billion in losses globally. Actual business losses could have been even higher when factoring in supply-chain disruptions, reputational damage, and recovery expenses.
“Legacy operational technology systems remain deeply embedded in manufacturing environments, which makes them vulnerable. Supply chain complexity and branching of the trusted partner network expand the attack surface beyond the network perimeter. Attackers are realizing that targeting OT assets of an industrial enterprise is not rocket science, which is why factory shutdowns bring massive financial losses,” commented Evgeny Goncharov, Head of Kaspersky ICS CERT.
Full information is available in the report on the Kaspersky ICS CERT website.
To keep OT computers protected from various threats, Kaspersky experts recommend:
- Conducting regular security assessments of OT systems to identify and eliminate possible cybersecurity issues.
- Establishing continuous vulnerability assessment and triage as a foundation for an effective vulnerability management process. Dedicated solutions like Kaspersky Industrial CyberSecurity may become an efficient assistant and a source of unique actionable information that is not fully available publicly.
- Performing timely updates for the key components of the enterprise’s OT network; applying security fixes and patches or implementing compensating measures as soon as it is technically possible is crucial for preventing a major incident that might cost millions due to the interruption of the production process.
- Using EDR solutions such as Kaspersky Next EDR Expert for timely detection of sophisticated threats, investigation, and effective remediation of incidents.
- Improving the response to new and advanced malicious techniques by building and strengthening teams’ skills in incident prevention, detection, and response. Dedicated OT security training for IT security staff and OT personnel is one of the key measures helping to achieve this.
- Keeping track of modern threat landscape developments and fixing errors others have made before they are exploited in your infrastructure, which is essential for building proactive cyber defense. The Kaspersky Threat Intelligence set of services is a unique source of insights into the evolution of threats and commonly exploited weaknesses, which we recommend for both strategic and tactical cybersecurity enhancements.











