Organisations need to build a resilient IIoT security posture to ensure secure critical national infrastructure, says Phil Litherland, Principal Consultant, Bridewell
The convergence of Information Technology (IT) and Operational Technology (OT), facilitated by the Internet of Things (IoT), and more specifically the Industrial Internet of Things (IIoT), has revolutionised Critical National Infrastructure (CNI) industries across the globe.
From advanced manufacturing techniques to real-time healthcare monitoring, this integration is driving both operational efficiency and continuous innovation in sectors previously detached from the internet and manually controlled. While connecting critical systems can bring many benefits, from decreased costs, improved safety controls and more efficient alert processes, connecting any system brings with it cyber security challenges that must be carefully considered and risks that necessitate continuous management.
Over the past decade, the CNI sector, including energy, transport, health and manufacturing, has been subjected to a surge of weaponised attacks such as ransomware, supply chain compromises and Advanced Persistent Threats (APTs), according to ENISA. Most recently, in April 2025, the FBI noted a 9% rise in ransomware complaints affecting US infrastructure. This highlights the urgent need for a unified cybersecurity strategy that bridges the gap between IT, OT and IoT/IIoT to ensure resilience, visibility and proactive threat mitigation across critical infrastructure sectors.
Understanding the IIoT attack surface
One of the greatest challenges of using IIoT devices in CNI is the growing attack surface, which organisations within critical sectors may struggle to keep up with. IIoT devices are exposing CNI infrastructure to more potential attack paths due to the vulnerabilities that they may possess, and each connected device represents a potential entry point for attacks.
Yet, IIoT is extremely beneficial to the sector as it has accelerated IT/OT convergence by enabling real-time data exchange and integration between traditionally separate systems with features like sensors and actuators that can help automate tasks and share intelligence across dispersed environments.
Incidents like the 2021 Colonial Pipeline ransomware attack served as a stark reminder of the consequential outcomes that can arise from IT/OT interdependencies. In this instance, although the initial breach occurred via IT systems, the interconnected nature of the IT and OT environments prompted a precautionary shutdown of OT operations, ultimately resulting in significant fuel supply disruptions along the U.S. East Coast. It also prompted policy and regulatory responses that emphasised the need for stronger security across converged environments.
The risks of IIoT continue to be a significant concern for organisations operating within CNI. In fact, a recent study by Bridewell revealed that one in four (25%) CNI sector professionals view connected devices as a primary entry point for IT-based attacks, while over one in five (21%) see them as the leading risk to OT infrastructure. These findings highlight the urgent need for greater visibility, governance and security controls around IIoT deployments within CNI environments.
Meeting regulatory compliance in CNI
In an effort to tackle the issue, the European Commission has passed multiple regulations in recent years, including the Network and Information Security Directive 2 (NIS2), the EU Cyber Resilience Act (CRA) and the Critical Entities Resilience Directive (CERD), to strengthen Europe’s ability to stay secure and improve its defences against cyber threats.
It’s clear through the EU CRA, NIS2 and IEC 62443 that regulatory pressures are mounting globally to drive secure-by-design mandates and lifecycle accountability in industrial environments. However, the CNI sector has historically struggled to implement new directives and regulations in a timely manner, often missing compliance deadlines despite their critical importance.
For instance, the NIS2 Directive was only transposed in October 2024, and it will most likely take some time before organisations within CNI meet the compliance standards of this revised directive. Given that regulatory requirements are here to stay and are only expected to become more stringent in the years ahead, it is imperative for organisations operating in these critical sectors to take the proactive steps needed to build a strong security posture that enhances both cyber maturity and resilience.
Building a resilient IIoT security posture
As IIoT devices continue to be used in CNI to accelerate IT/OT convergence and boost operational efficiency across critical sectors, organisations would benefit from assessing security risk ahead of device implementation as a preventative control, rather than relying on detecting issues once devices have already been deployed. This is, of course, not always possible, so having oversight of the organisation’s deployed IIoT assets and maintaining a comprehensive device inventory and risk register is paramount.
While compliance-based regulation has historically been applied to the IT domain, for IIoT and OT, it will better serve organisations to concentrate on the outcome-focused regulations like NIS and Cyber Assessment Framework (CAF) that require a subjective view on risk, mitigation and resilience. For organisations in CNI, following these regulatory frameworks is essential to protecting critical assets and maintaining holistic visibility over assets and operational integrity. As a self-assessment tool, the CAF helps ensure that IoT deployments are effectively secured by managing risks, detecting cybersecurity events and enabling appropriate incident response.
Crucially, compliance should never be viewed as a mere checkbox exercise; it should be perceived as a foundation for building a resilient security posture. By aligning with regulatory standards, organisations can implement key measures such as secure device onboarding, encryption, access control and regular patching. These practices help mitigate the risks posed by increasingly sophisticated cyber threats targeting IoT environments.
Securing CNI in the age of IIoT requires a proactive mindset from organisations within the sector, and first of all an answer to the ‘connectivity conundrum’: just because you can connect, does it mean you should? By embracing a unified, risk-informed security approach, organisations can strengthen resilience, safeguard critical national infrastructure and ensure continuity in an increasingly interconnected and threat-prone landscape.

Phil has worked across both civil and defence nuclear, energy, utilities, and the pharmaceutical industry. Prior to joining Bridewell, he was Security Product Director at National Grid where he had ownership of the global OT cyber security strategy, which included developing security controls and capabilities to align with the NIST CSF, NERC-CIP, NIS-R/NCSC CAF and IEC27001/62443 frameworks.