Urgent Action Needed to Counter Cyber Threats to Critical Infrastructure: New Report Highlights Industrial IoT Risks

Global safety charity Lloyd’s Register Foundation has released a new report, “Operational Cyber Security for the Industrial Internet of Things: Challenges and Opportunities.” The study, authored by Robert Hannigan, executive chairman international at BlueVoyant, and Sadie Creese, Professor of Cyber Security at the University of Oxford, warns that the rapid expansion of the Internet of Things is exposing critical infrastructure to a growing cyber‑attack threat.

Industrial IoT (IIoT) is increasingly embedded in the backbone of energy, transport, built‑environment, physical infrastructure and manufacturing sectors. In these settings, safety is paramount, making it essential to understand how to build secure and resilient systems.

The report identifies the key emerging risks that outpace current operational cyber‑security capabilities. It calls on the IIoT community to adopt guiding principles that strengthen resilience against cyber‑attacks, especially as the cost of failure can become systemic.

Different stakeholders—operations managers, board members, regulators, procurement teams, and cyber‑security specialists—hold varying risk‑management perspectives. The report offers a concise overview designed to raise cyber‑awareness across all groups.

The core finding is clear: the pace of technological change is outstripping the development of adequate security measures. Current solutions often lack scalability, have not been rigorously tested, or simply do not exist. The report highlights an impending tipping point in the ability to recover from cyber incidents, stressing the need for a security mindset, robust regulation and insurance frameworks that foster preventative practices.

While regulation, cyber‑insurance requirements and organisational cyber‑security cultures can bridge operational gaps, new challenges must be addressed. Traditional systems already struggle with mapping complex human‑technical interactions and communicating across disparate risk frameworks. These issues will only intensify as IIoT adoption grows, creating critical capability gaps.

To help stakeholders navigate this landscape, the report recommends the following actions:

1. Always assess the potential harm when planning risk‑management strategies.
2. Evaluate how security controls may degrade as IoT device usage increases.
3. Implement continuous, near‑real‑time assessment techniques rather than periodic reviews.
4. Account for IoT usage in supply chains, treating supplier lapses as direct security risks.
5. Develop forensic readiness processes.
6. Incorporate future‑scenario analysis into risk assessments.
7. Invest in staff training on IoT standards and best practices.
8. Collaborate on a device‑interface protocol to share security monitoring data.

The report’s authors are Robert Hannigan, executive chairman international at BlueVoyant, former director of GCHQ, and Sadie Creese, Professor of Cyber Security, Department of Computer Science, University of Oxford.

About the authors

Robert Hannigan, executive chairman international at BlueVoyant, former director of GCHQ, emphasizes that “over the last few years we have seen a rise in deliberate attacks on critical infrastructure worldwide. As industrial IoT adoption continues to grow, clear action and guidance are essential.” The report frames the challenges and proposes solutions to safeguard against cyber incidents.

Sadie Creese, Professor of Cyber Security at the University of Oxford, adds, “Building resilient infrastructure that guarantees security across the expanding network of connected devices is urgent. We must conduct further research into risk‑control performance, liability models, and the practical implications for the IoT market, while fostering international cooperation to build trust in the IIoT supply chain.”