The Evolving Threat Landscape in Industrial Automation: A Deep Dive into Cybersecurity Risks and Solutions

Main Sources of Cybersecurity Threats in Industrial Automation Systems

The internet remains the primary entry point for cyber threats to industrial control systems (ICS). Malicious websites, compromised online resources, and cloud services are common vectors for attack. Additionally, cybercriminals often distribute malicious content through messaging platforms, which makes detection and prevention more challenging. Phishing emails targeting workers in ICS environments are another common source of attacks, with attackers attempting to steal sensitive information or gain unauthorized access.

In 2025, data showed a slight decrease in the number of ICS computers affected by threats from these sources, though regional differences remain. For instance, Africa had the highest percentage of ICS computers on which denylisted internet resources were blocked, at nearly 5%. In comparison, Australia and New Zealand had the lowest percentage, at 2.35%. Such regional disparities can often be attributed to local variations in threat actor activity and in the adoption of cybersecurity practices.

Increasing Threats from Malicious Documents and Phishing Campaigns

One area that has seen a rise in threat activity is malicious documents. In Q3 2025, there was a 1.98% increase in the percentage of ICS computers on which malicious documents were blocked. This marks an upward trend, reversing the decline experienced at the end of 2024. The primary threat in this category comes from phishing campaigns that exploit old vulnerabilities in software. A notable case was the use of Microsoft Office's Equation Editor vulnerability (CVE-2017-11882) to deliver spyware in South America.

This rise in malicious document threats emphasizes the need for continual patching and updating of software systems to close known security gaps. Moreover, the growing use of localized phishing attacks—such as the recent Spanish-language phishing campaign—highlights the importance of global awareness and regional threat intelligence in cybersecurity strategies.
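
A triage check for the document threat described above, as an added example rather than code from the report this article summarizes: it flags RTF and OLE files that embed a legacy Equation Editor object, the component affected by CVE-2017-11882. The class ID, class name, stream name and sample documents are assumptions or constructed for illustration; a hit means the file deserves review, not that it is malicious.

```python
import re
import uuid

# Assumed identifiers (not from the article): the legacy Equation Editor 3.0
# COM class ID, its OLE class name, and its compound-file stream name.
EQN_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
EQN_CLASS = b"equation.3"
EQN_STREAM = "equation native".encode("utf-16-le")
OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def markers_in(blob: bytes) -> set[str]:
    """Return the Equation Editor markers present in a byte string."""
    low = blob.lower()
    found = set()
    if EQN_CLSID in blob:
        found.add("clsid")
    if EQN_CLASS in low:
        found.add("class-name")
    if EQN_STREAM in low:
        found.add("native-stream")
    return found


def triage_document(data: bytes) -> set[str]:
    """Flag a document for review if it embeds an Equation Editor object."""
    found = markers_in(data)
    if data.lstrip().startswith(b"{\\rt"):
        # RTF stores embedded objects as hex text that may contain whitespace,
        # so decode each \objdata run before searching it.
        for match in OBJDATA.finditer(data):
            digits = re.sub(rb"\s", b"", match.group(1)).decode("ascii")
            decoded = bytes.fromhex(digits[: len(digits) // 2 * 2])
            found |= {"objdata:" + m for m in markers_in(decoded)}
    return found


# Constructed sample: an RTF whose embedded OLE1 header names Equation.3 even
# though the visible \objclass claims a different class.
_ole1 = bytes.fromhex("0105000002000000") + (11).to_bytes(4, "little") + b"Equation.3\x00"
_hex = _ole1.hex()
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Word.Document.8}"
              b"{\\*\\objdata " + _hex[:20].encode() + b"\r\n" + _hex[20:].encode() + b"}}}")
SAMPLE_CLEAN = b"{\\rtf1 Quarterly maintenance schedule for line 3.}"

if __name__ == "__main__":
    print(sorted(triage_document(SAMPLE_RTF)))    # ['objdata:class-name']
    print(sorted(triage_document(SAMPLE_CLEAN)))  # []
```

This is a byte-level heuristic for mail-gateway or file-share triage, not a full RTF or OLE parser, and it complements patching rather than replacing it.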

Malicious Scripts and Phishing Pages: A Growing Concern

In Q3 2025, malicious scripts and phishing pages became one of the most prevalent categories of threats to ICS, with a 6.79% increase in blocked instances. This category saw significant regional variation, with Africa, East Asia, and South America being the top regions for malicious script blocks. In East Asia, for example, the percentage of blocked malicious scripts increased by a dramatic 5.23 percentage points, largely driven by the spread of spyware via torrent client software.

These statistics highlight a growing trend of malware distribution through non-traditional platforms, such as file-sharing applications and torrents. This shift underscores the need for ICS operators to implement robust endpoint protection and network security measures, particularly for systems that rely on software applications not typically associated with critical infrastructure.

Next-Stage Malware: Spyware, Ransomware, and Miners

Once initial infection occurs, attackers often deploy next-stage malware, including spyware, ransomware, and cryptominers, to further compromise the victim's systems. In Q3 2025, spyware and ransomware were blocked on 4.04% and 0.17% of ICS computers, respectively, showing a slight increase over the previous quarter. These threats are particularly dangerous due to their ability to operate silently, often going undetected for extended periods.

On the other hand, miners—both executable and web-based—saw a decrease in blocked instances, with a marked drop to the lowest levels since Q3 2022. This trend could suggest that while miners remain a threat, their prevalence in industrial environments may be declining as attackers shift focus to more sophisticated and less detectable forms of malware.

The Resurgence of Self-Propagating Malware

Worms and viruses, once used primarily for initial infections, have evolved to function as next-stage malware with the ability to spread autonomously across networks. This self-propagating nature makes them particularly dangerous in ICS environments, where they can quickly spread via infected removable media, network shares, or even internal systems like document management platforms.

In Q3 2025, the percentage of ICS systems affected by worms and viruses saw a slight increase, reaching 1.26% and 1.40%, respectively. This indicates that while the frequency of worm and virus infections remains relatively low, they still pose a significant risk to networked industrial systems, especially those relying on outdated or vulnerable software.

Implications and Recommendations for Industrial Cybersecurity

The data from Q3 2025 clearly underscores the evolving nature of cybersecurity threats targeting industrial automation systems. As cybercriminals continue to develop more sophisticated techniques, organizations must remain vigilant and proactive in their security practices. Here are some key recommendations:

  1. Regular Patch Management: Ensuring that all systems—especially software prone to known vulnerabilities—are regularly updated is crucial in preventing initial infections.

  2. Employee Training: Given the rise in phishing attacks, educating employees about recognizing suspicious emails and malicious content is a critical defense measure.

  3. Advanced Threat Detection: Leveraging AI-driven threat detection systems can significantly improve an organization’s ability to identify and mitigate emerging threats in real time.

  4. Network Segmentation: Isolating critical systems from less-secure parts of the network can help contain infections and limit the spread of malware.

  5. Endpoint Protection: Investing in robust endpoint security measures, especially for devices running less-common software like torrent clients or messaging apps, can prevent malware from entering ICS environments.

Real-World Application: The Importance of Cybersecurity in Industrial Automation

The implementation of strong cybersecurity protocols is not just a precaution—it is a necessity. For example, an incident in East Asia where malicious spyware was distributed via popular torrent clients demonstrates how attackers are increasingly targeting less conventional platforms. By adopting comprehensive security frameworks, industrial automation organizations can mitigate these risks and safeguard critical infrastructure.

Solution Scenario: A manufacturing plant that integrates PLCs for automated production may adopt real-time monitoring tools, which track network traffic and detect any unusual patterns associated with malware activity. This proactive approach could prevent significant disruptions caused by attacks like ransomware or spyware, ensuring continued operation and protection of intellectual property.
