“The percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching 19.6% in Q1 2026.” That single figure — the lowest in three years and 1.4 times lower than Q2 2023 — frames a paradox: an apparently quieter global surface, and a jagged pattern of localized spikes that deserve close attention.
Global snapshot: a three‑year low and 10,052 malware families blocked
In Q1 2026, Kaspersky security solutions blocked malicious objects on 19.6% of industrial control system (ICS) computers, the lowest value recorded in the three‑year window covered by the report. Over the quarter Kaspersky recorded blocks across 10,052 different malware families targeting industrial automation systems. Those two facts together — a falling percentage of affected systems, and a very large set of distinct malware families encountered — set the frame for the quarter: broad, persistent diversity of malware activity against an overall declining rate of blocked incidents.
Regional contrasts: Northern Europe to Africa and notable regional increases
Regional percentages vary sharply. Northern Europe registered the lowest share of ICS computers on which malicious objects were blocked (9.1%), while Africa stood at the top end (27.4%). Five regions saw quarter‑on‑quarter increases; Southern Europe, Northern Europe and Russia were the most notable gainers. Southern Europe led growth in both internet and email threats and saw the fastest regional increases in spyware, malicious scripts and phishing pages. In Russia the percentage of ICS computers on which malicious objects were blocked exceeded the prior two quarters, reflecting rises in internet‑delivered threats and a small increase in email client–delivered threats — one of only three regions where email client figures did not fall.
Biometric systems and manufacturing: industry hotspots
Among selected industries, biometric systems remain the most impacted: 26.4% of ICS computers in that category had malicious objects blocked. Biometric systems are notable for having high internet connectivity and heavy email use for data exchange and approvals, and the report records that for biometric systems the percentage of email‑delivered threats exceeds that from the internet — a reversal of the usual pattern. Manufacturing was the only selected industry to register an absolute increase in the global average this quarter (up 1.0 percentage point), with increases recorded across ten regions, most markedly in Western Europe, Northern Europe and Russia.
Threat categories: malicious scripts lead; spyware and denylisted resources move
Malicious scripts and phishing pages (JS and HTML) remained the most frequently blocked category, with a global average of 6.56% of ICS computers affected in Q1 2026. Southern Europe recorded the largest single regional change for this category — 9.85% (+0.94 pp) — and biometric systems and building automation in Southern Europe recorded the highest industry figures for scripts and phishing pages (19.59% and 15.43%, respectively).
Spyware continued to rank second by percentage of attacked computers but declined overall to 3.73%; it nonetheless increased in five regions, notably Southern Europe (5.46%, +0.35 pp) and Russia (2.84%, +0.24 pp). The percentage of ICS computers on which denylisted internet resources were blocked rose to 3.54%, with the largest regional increase in Southeast Asia (4.58%, +0.65 pp). AutoCAD‑focused malware rose to 0.30% globally, with a very large quarter jump in Africa (almost doubling to 0.91%, +0.47 pp).
At the low end of the scale, ransomware blocks decreased for a second consecutive quarter to 0.14%; miners in executable form fell to 0.59%; web miners dropped to a period low of 0.22%; worms and viruses also declined to 1.33% and 1.31% respectively, though Southeast Asia, Africa and East Asia remain the top regions by virus detections.
Threat sources: the internet rises, email falls to a three‑year low
Threats delivered via the internet increased to 7.88% of ICS computers, even as the internet figure follows a longer three‑year downward trend. Southern Europe (8.59%, +0.59 pp), Southeast Asia (10.16%, +0.55 pp) and Northern Europe (4.47%, +0.51 pp) posted the largest increases. By contrast, threats delivered through email clients fell to 2.59% — a three‑year low — although Southern Europe (6.54%, +0.20 pp), East Asia (1.5%, +0.09 pp) and Russia (0.7%, +0.04 pp) saw modest upward moves. Removable media detections continued their decline to 0.26%, and network‑folder detections hit a period low of 0.029%, with East Asia still leading that metric by a wide margin (0.135%).
What this means for technologists, procurement leaders, and industrial operators
- Technologists and security teams: note that malicious scripts and phishing pages remain the top category (6.56%) and that internet‑delivered threats rose to 7.88%. The diversity of malware (10,052 families) underlines the need for broad detection coverage across script, web and email vectors.
- Procurement leaders and regulators: biometric systems show the highest industry exposure (26.4%) and unusual email‑dominant threat patterns; procurement decisions and regulatory guidance that assume internet‑first risk models may need reassessment for those environments.
- Industrial operators and maintenance managers: manufacturing showed the only sector‑wide increase this quarter (+1.0 pp), and sectors such as electric power and construction surfaced with high denylisted‑resource and removable‑media figures in certain regions; regional and industry‑specific monitoring remains essential.
The headline — a lower global percentage of ICS computers on which malicious objects were blocked — masks a more complicated reality: concentrated increases in specific regions and industries, measurable rises in some internet‑delivered categories, and a broad palette of malware families still probing industrial environments. The full report provides the granular regional and industry tables that these summary figures compress; for teams responsible for critical OT, the choice is not between complacency and panic, but between one‑size policies and targeted defensive adjustments. Read the full report here: https://securelist.com/industrial-threat-report-q1-2026/120643/




