Simon Giddings at OPSWAT describes how the cyber threat to IoT increases as financial margins shrink

Cyber threats against IoT remain high on the security agenda. The latest WEF Global Cybersecurity Outlook found that the convergence of connected technologies is one of the most important factors shaping risk strategies in the year ahead.
The risk is particularly acute for CNI sectors reliant on integrated IoT and IIoT systems. Although attention often focuses on sophisticated attacks against major national providers, many attackers instead target smaller, less well-defended operators, such as healthcare and regional water or energy suppliers.
Not only do these organisations lack the security budgets of larger operators, but they are also the most susceptible to disruption.
We have seen this play out repeatedly in areas like healthcare, where organisations are forced into constant trade-offs between keeping services running and investing in security. Attackers understand those pressures and are increasingly exploiting them as critical infrastructure becomes more connected.
The changing risk profile for critical infrastructure has been shaped in part by the steady expansion of connectivity driven by Industry 4.0 and IIoT. Smaller operators in fields like utilities and healthcare are still under pressure to modernise, but this shift is typically happening faster than their security budgets or operational models can adapt.
The push towards digitisation is necessary. Organisations need data to optimise processes, support predictive maintenance, and make faster decisions. But every new IIoT device increases the volume of data moving in and out of environments that were never designed for constant interaction. Configuration updates, patches, backups, logs, firmware, and everyday documents now cross boundaries that were once firmly controlled.
Rather than forcing their way through hardened networks, attackers now follow the data. The smooth flow of files and data for operational continuity is often prioritised over deep inspection, especially where blocking them risks downtime. This is particularly likely in sectors where operational limits mean they cannot afford to overhaul their file and data security processes.
This means removable media, supplier laptops, remote access tools, and cloud services become frequent entry points. Even sophisticated attacks still tend to rely on file-based delivery somewhere in the chain to slip through security gaps.
Meanwhile, traditional OT security has focused heavily on asset and network visibility, but that no longer necessarily reflects how attacks unfold. You can know every device in your environment and still miss what is being introduced into it. As IIoT expands and IT and OT converge, data flows have become one of the least protected attack surfaces.
The persistent vulnerability of connected systems is not the result of neglect but is a basic structural issue. Healthcare providers, water utilities, and parts of the energy sector operate on strict budgets, with long funding cycles that make rapid change almost impossible.
Investment decisions are often planned years in advance, and once budgets are set, there is little room to react. If you’re a hospital choosing between investing in cybersecurity solutions or buying badly needed MIoT like MRI scanners and X-ray machines, the resources for frontline patient care are always going to take precedence.
Adding to the problem, much of this infrastructure is ageing and deeply embedded. Most environments in these sectors are brownfield sites whose operations have to work around existing legacy infrastructure.
These outdated assets cause a variety of operational issues and frequently hamper cyber activities. Patching, for example, rarely happens weekly or even monthly due to technical limits – forget Patch Tuesday, it’s more likely to be Patch September.
Many systems cannot be rebooted, cannot support modern security agents, and simply cannot go offline without risking disruption.
Attackers are actively exploiting this situation. In small-margin sectors, even short outages are costly, which makes extortion to avoid service disruption particularly effective.
One of the clearest differences in IoT security we see across critical infrastructure is how regulation shapes security maturity.
In the energy sector, active oversight from Ofgem has helped push operators towards a more disciplined approach to cyber resilience. There is clearer accountability, more consistent investment, and a stronger focus on assurance.
The water sector tells a different story. With Ofwat effectively gone, long-standing security weaknesses are becoming more visible. It’s not necessarily a lack of awareness, but rather the absence of strong enforcement to force prioritisation. The agenda is also influenced by the fact that water companies typically have much less capital to work with than their counterparts in energy and other fields.
Regardless of these differences, regulation is most valuable when it drives investment in people, processes and governance rather than mandating specific technologies.
For critical infrastructure organisations under financial pressure, the challenge is not only understanding best practice but also finding security approaches that reduce risk without adding cost, complexity, or downtime. Trying to secure every device and network segment simultaneously is rarely realistic when there is little budget or operational flex to spare.
One of the key priorities should be reducing reliance on fragile, manual processes. Many sectors have compensated for legacy technology with workarounds and hard-won expertise, but as IIoT expands, that model does not scale. Orchestrating checks so they are applied consistently, with human oversight rather than constant intervention, helps limit error while respecting operational constraints. As well as reducing risk, this also improves efficiency, making limited budgets stretch further.
File security, meanwhile, is an often-overlooked area that should be present in any plans. Improving visibility of how data moves into and out of operational environments is a critical first step. If organisations do not understand their data flows, they cannot control one of the most common attack paths.
From there, files should be treated as untrusted by default, whether they come from suppliers, removable media, or internal IT systems. That includes patches, firmware, configuration files, and routine documents. Holding files before they reach critical systems, inspecting them consistently, and rescanning them as new threats emerge can significantly reduce risk without disrupting operations.
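The hold, inspect, rescan workflow described above, as an added illustration that is not part of the original article or any OPSWAT product: a minimal quarantine store that holds incoming files, checks each one against a versioned set of known-bad hashes and against the magic bytes expected for its declared type, and invalidates earlier verdicts whenever the intelligence set changes. The permitted file types, the magic-byte table and the sample files are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Assumed allow-list of file types an OT gateway accepts, keyed by extension,
# each with the leading bytes its content must start with (constructed table).
KNOWN_MAGIC = {"pdf": b"%PDF", "bin": b"\x7fELF", "cfg": b"["}

@dataclass
class Held:
    name: str
    data: bytes
    sha256: str
    verdict: str = "held"      # held | clean | blocked
    reason: str = ""
    scanned_with: int = -1     # intel version used for the last scan

class Quarantine:
    """Hold incoming files, inspect them, and rescan when intel changes."""
    def __init__(self, bad_hashes=()):
        self.intel_version = 0
        self.bad_hashes = set(bad_hashes)   # known-bad SHA-256 hashes
        self.items = {}                     # sha256 -> Held

    def submit(self, name, data):
        """Hold a file; nothing is released until it has been inspected."""
        h = hashlib.sha256(data).hexdigest()
        self.items[h] = Held(name, data, h)
        return h

    def _inspect(self, item):
        ext = item.name.rsplit(".", 1)[-1].lower()
        if item.sha256 in self.bad_hashes:
            return "blocked", "hash matches known-bad intel"
        magic = KNOWN_MAGIC.get(ext)
        if magic is None:
            return "blocked", f"file type .{ext} not permitted"
        if not item.data.startswith(magic):
            return "blocked", f"content does not match .{ext} (extension spoofing)"
        return "clean", ""

    def scan_pending(self):
        """Inspect every item not yet checked against the current intel version."""
        for item in self.items.values():
            if item.scanned_with < self.intel_version:
                item.verdict, item.reason = self._inspect(item)
                item.scanned_with = self.intel_version
        return {h: i.verdict for h, i in self.items.items()}

    def update_intel(self, new_bad_hashes):
        """New intel bumps the version, so earlier verdicts stop counting."""
        self.bad_hashes |= set(new_bad_hashes)
        self.intel_version += 1

    def releasable(self):
        """Only files judged clean under the current intel may reach OT systems."""
        return [i.name for i in self.items.values()
                if i.verdict == "clean" and i.scanned_with == self.intel_version]
```

A file that was cleared earlier drops out of `releasable()` as soon as `update_intel` runs and stays out until `scan_pending` has re-inspected it, which is the rescan step the paragraph calls for.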
While large-scale CNI cyber threats are high on the security agenda in the year ahead, attackers will continue to favour small-margin CNI sectors because disruption is expensive and resilience is hard to fund.
Progress will always be incremental and there is no silver bullet. But by focusing on core operational processes like data and file flows rather than attempting a disruptive, big-bang transformation, organisations can close critical gaps, even under tight budgets.
Simon Giddings, Regional Manager at OPSWAT
Main image courtesy of iStockPhoto.com and AndreyPopov
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543