Emerging Cybersecurity Capability Gaps in the Industrial Internet of Things: Overview and Research Agenda

Internet of Things (IoT)-enabled devices are becoming integrated into a significant and increasing proportion of critical infrastructures, changing the cybersecurity-risk landscape. Risk is being introduced to industry sectors such as transport, energy, and manufacturing, with new attack surfaces exposed and potential for increased harm. Furthermore, risk and harm arising in the Industrial IoT (IIoT) could propagate across interconnected organisations and sectors, resulting in systemic risk. Aspects of this changing risk landscape are not addressed by current cybersecurity approaches, leaving cybersecurity-capability gaps. In this article, we show how current and emerging cybersecurity needs in the IIoT align with a key industry cybersecurity standard, the NIST Cyber Security Framework. The key capability gaps emerging in the IIoT are identified based on our findings from a series of workshops with over 100 expert participants. We present a comprehensive research agenda to enable researchers to prioritise research focus to address these gaps; this research agenda covers the full lifecycle of IIoT development (design, implementation, use and decommission). Furthermore, we conclude that there is a significant gap in understanding of the nature of systemic risk, which should be a key priority if we are to develop effective solutions for cybersecurity and safety in IIoT environments.