IIoT, Cybersecurity and Remote Monitoring – Essential Considerations in Biogas Production
As the renewable natural gas (RNG) industry undergoes digital transformation and integrates Industrial Internet of Things (IIoT) technologies into biogas and RNG processing, upgrading, and purification equipment, there are some essential considerations to weigh while embracing IIoT’s potential.
The Rise of IIoT in Renewable Gas Infrastructure
IIoT refers to the network of interconnected sensors, devices, and systems that collect and exchange data in industrial settings. In the renewable gas sector, IIoT facilitates real-time observation of pipelines, compressors, and upgrading units, enables predictive maintenance, and provides remote management of key systems. Although these features improve safety, boost productivity, and minimize downtime, they also present new cyber risks.
Risks of Ignoring Cybersecurity in IIoT-Enabled RNG Systems
The consequences of ignoring cybersecurity in RNG infrastructure are serious and complex:
- Operational Disruption: Cyberattacks can disrupt gas processing operations, resulting in supply chain issues and financial losses.
- Safety Hazards: Manipulating control systems can lead to explosions, toxic leaks, or fires, putting workers and surrounding communities at risk.
- Environmental Damage: A breach in gas processing systems might lead to uncontrolled emissions or spills, breaching environmental laws.
- Reputational Harm: Companies experiencing cyber incidents may face public backlash, legal liabilities, and a decline in investor confidence.
- National Security Threats: Gas infrastructure is a strategic asset. Cyberattacks on these systems could serve as tools of geopolitical coercion.

Current International Cybersecurity Regulations
To address the risks posed by cyber threats and IIoT, international regulatory organizations have developed legislative frameworks aimed at safeguarding essential energy infrastructure, including RNG production.
Below is a summary of the key international standards, followed by country or regional frameworks, standards, and regulations.
International Standards
ISO/IEC 27001
ISO/IEC 27001 is an internationally recognized standard for information security management systems (ISMS), offering a structured approach to manage and reduce cybersecurity risks. In the natural gas sector, where IIoT technologies are increasingly utilized
The standard emphasizes three key principles: confidentiality, integrity, and availability of information. For gas companies using IIoT, this involves securing data between connected devices, ensuring systems are always running, and stopping unauthorized access to essential infrastructure. ISO/IEC 27001 requires organizations to carry out thorough risk assessments, find weaknesses, and apply controls suitable for their specific operations.
In the gas industry, cyber threats can lead to serious safety and environmental issues. ISO/IEC 27001 helps establish a proactive approach to security. It requires companies to create security policies and incident response plans, and to monitor their systems continuously. This is particularly important for IIoT systems, which often allow remote access and involve real-time data, making them appealing targets for cyberattacks.
IEC 62443
IEC 62443 is a set of international standards created by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) to improve security in Industrial Automation and Control Systems (IACS), including IIoT environments. It offers a clear framework for managing cybersecurity throughout the entire life of industrial systems, from design and implementation to operation and maintenance. The standard is divided into four main areas: general, policies and procedures, system-level requirements, and component-level requirements. It highlights the importance of risk assessment, layered defense strategies, secure architecture, and controlled access. Commonly used in industries like energy, IEC 62443 helps organizations create strong, secure, and compliant industrial networks.

USA
As of 2025, the United States is advancing several key standards and legislative measures to improve cybersecurity for the Industrial Internet of Things (IIoT), reflecting growing concerns about vulnerabilities in critical infrastructure.
Internet of Things Cybersecurity Improvement Act of 2020
A key piece of legislation is the Internet of Things Cybersecurity Improvement Act of 2020, which requires that all IoT devices procured by federal agencies adhere to minimum security standards established by NIST (National Institute of Standards and Technology). These standards include secure development, identity management, patchability, and configuration management—principles that private sector IIoT manufacturers are increasingly adopting.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
Looking forward, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will fully take effect in 2025. It mandates that critical infrastructure entities, including those using IIoT systems, report substantial cyber incidents within 72 hours and ransomware payments within 24 hours. The purpose of this legislation is to improve national situational awareness and the coordination of responses.
National Cybersecurity Strategy Implementation Plan
The National Cybersecurity Strategy Implementation Plan, updated in 2024, continues to influence IIoT security by promoting secure-by-design principles and fostering public-private partnerships. It encourages manufacturers to embed cybersecurity measures during the entire product lifecycle, particularly for devices used in energy infrastructure.
Cybersecurity Framework (CSF) 2.0
NIST is revising its Cybersecurity Framework (CSF) 2.0 to provide guidance specifically designed for IIoT environments, focusing on risk management, supply chain security, and resilience.
Collectively, these developing regulations and laws indicate a move towards proactive and enforceable cybersecurity measures in the IIoT sector, highlighting the importance of accountability, transparency, and resilience.
Canada
Canadian National Cyber Security Strategy
Canada is implementing the Canadian National Cyber Security Strategy, which emphasizes securing digital infrastructure and enhancing cyber resilience across industries. This strategy supports the adoption of international standards such as ISO/IEC 27001 and IEC 62443, which are increasingly being applied to IIoT environments to ensure secure device integration, network segmentation, and risk-based access control.
Five Eyes Alliance
The Five Eyes Alliance comprises five countries—Canada, the United States, the United Kingdom, Australia, and New Zealand—that collaborate closely to share intelligence and safeguard national security. They exchange information regarding threats such as terrorism, cyberattacks, and foreign interference. In the realm of cybersecurity, this alliance enables the countries to detect and respond to online threats more rapidly by sharing data and strategies. It also assists them in establishing comparable rules and protocols to protect their shared national interests.
Critical Cyber Systems Protection Act (Bill C-26)
The Critical Cyber Systems Protection Act (Bill C-26), introduced in 2022, is advancing towards full enforcement. It requires operators of essential systems, including those utilizing IIoT, to establish cybersecurity programs, report incidents, and adhere to government directives.
Organizations managing critical IIoT systems must create and maintain a Cyber Security Program (CSP). This involves documenting their methods for protecting IIoT-connected assets, managing risks, and ensuring system resilience. IIoT operators are obligated to report cyber incidents that meet certain thresholds. This ensures faster national response and enhanced visibility into threats facing industrial systems. The Act allows the government to issue Cyber Security Directions (CSDs), compelling IIoT operators to take necessary actions within a specified timeframe to address vulnerabilities or threats. This legislation encourages a uniform approach to cybersecurity across different sectors. For IIoT, this entails aligning with best practices and potentially adopting frameworks like IEC 62443 or ISO/IEC 27001 to fulfill compliance requirements. Failure to comply with directives or neglecting to report incidents may lead to fines or regulatory penalties for IIoT operators.
Bill C-26 elevates Canada’s IIoT cybersecurity standards from merely best practices to legal obligations. It encourages proactive risk management, swift threat responses, and enhanced collaboration between industry and government.
Together, these standards and legislative efforts reflect Canada’s commitment to a proactive, risk-based approach to IIoT cybersecurity, aiming to protect both national infrastructure and public trust in an increasingly connected industrial landscape.
European Union
Beginning in 2025, the European Union will implement significant cybersecurity regulations that directly impact the Industrial Internet of Things (IIoT) within the energy sector.
Directive on the Resilience of Critical Entities and EU Preparedness Union Strategy
The European Union has implemented a comprehensive approach through its Directive on the Resilience of Critical Entities (EU/2022/2557) and the EU Preparedness Union Strategy (2025). These initiatives mandate stress testing for energy infrastructure, including gas systems, to evaluate their vulnerabilities to cyber threats. Furthermore, the EU promotes a principle of “preparedness by design,” which ensures that cybersecurity measures are integrated into every phase of infrastructure planning and operation.
Commission Delegated Regulation (EU) 2022/30
A key change is the Commission Delegated Regulation (EU) 2022/30, effective August 1, 2025, which updates the Radio Equipment Directive (2014/53/EU). It introduces mandatory cybersecurity requirements for connected devices, including IIoT.
Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA), enacted in 2024, establishes comprehensive cybersecurity regulations for all connected digital products. It mandates secure-by-design principles, ongoing vulnerability management, and well-defined responsibilities for manufacturers.
NIS2 Directive
The NIS2 Directive, effective for EU countries as of October 2024, broadens energy operators’ cybersecurity responsibilities. It mandates risk management, incident reporting, and supply chain security.
Together, these laws establish a robust legal framework that encourages energy companies utilizing IIoT to prioritize cybersecurity from the outset. They also align with global standards such as IEC 62443, fostering consistent security practices throughout the EU.

Why Are Cybersecurity and Compliance Crucial in Biogas Upgrading Systems?
There are several compelling reasons to ensure that biogas upgrading equipment complies with international and regional regulations.
Increased Vulnerability
IIoT links sensors, control systems, and data analysis platforms within extensive infrastructures. While this connectivity enhances efficiency, it simultaneously increases vulnerability to cyber threats. In contrast to conventional IT systems, OT systems (such as SCADA and DCS) frequently operate with outdated software that has minimal security measures. Cyberattacks targeting these systems can interfere with physical operations.
High-value targets
Natural gas infrastructure is vital to national economies and energy security, making it an attractive target for cybercriminals and state-sponsored entities. Several high-profile incidents demonstrate the real risks posed by cyber threats in the gas sector, especially regarding IIoT and digital systems. For instance, the 2021 Colonial Pipeline ransomware attack shut down a 5,500-mile fuel pipeline. Attackers exploited IT network vulnerabilities linked to OT systems, causing extensive fuel shortages and prompting a federal emergency and changes to cyber defense.
Financing requirement
Financiers, investors, and sponsors are requiring Cyber Threat Assessments as part of their due diligence procedures for new companies and during mergers or acquisitions. Projects using equipment that does not meet the regulatory requirements and standards for cybersecurity face a high risk of being rejected for financing or devalued solely on that basis.
Financial, Environmental, and Reputational Consequences
A cyberattack on a biogas upgrading facility can disrupt production, harm equipment, and potentially trigger explosions or toxic leaks. For instance, a virus or ransomware attack might bring the facility to a standstill, leading to millions in lost revenue. Besides causing severe environmental harm, a toxic leak may result in a plummet in share prices, hefty fines, and possible imprisonment for corporate executives.
Personal liability
The new regulations are forcing corporate leaders to take notice, and they can no longer afford to ignore or downplay cybersecurity in their decision-making. They can become personally liable if their failure to comply causes significant loss or damage.
Mitigating Cybersecurity Risks at RNG Production Sites

To mitigate these risks, gas companies must adopt a proactive and layered cybersecurity strategy, including the following:
- Regulatory Compliance: Ensure alignment with global standards and engage in collective threat intelligence sharing across the industry.
- Asset Visibility: Keep a current inventory of all IIoT devices and their corresponding network connections.
- Network Segmentation: Separate OT systems from IT networks to stop attackers from moving laterally.
- Patch Management: Frequently update both firmware and software to mitigate known vulnerabilities.
- Intrusion Detection: Implement monitoring solutions that identify unusual activity in real time.
- Incident Response Planning: Create and test response strategies to guarantee quick recovery from cyber incidents.
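As an added illustration of the Asset Visibility and Network Segmentation items above (example code, not from the original article or from any vendor it mentions), the following Python script checks observed network flows against a device inventory and a zone policy. All addresses, device names, zones, and the allowed-conduit policy are constructed assumptions.

```python
import ipaddress

# Constructed inventory (hypothetical devices): IP -> name and security zone.
INVENTORY = {
    "10.20.0.11": {"name": "upgrader-plc", "zone": "OT"},
    "10.20.0.12": {"name": "compressor-vfd", "zone": "OT"},
    "10.20.0.30": {"name": "methane-analyzer", "zone": "OT"},
    "10.30.0.5": {"name": "historian", "zone": "DMZ"},
    "10.10.0.40": {"name": "office-laptop", "zone": "IT"},
}
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site address space

# Assumed policy: the only flows allowed to cross a zone boundary,
# as (source zone, destination zone, destination port).
ALLOWED_CONDUITS = {
    ("OT", "DMZ", 4840),  # OPC UA from controllers to the historian
    ("IT", "DMZ", 443),   # HTTPS from office hosts to the historian
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.11", "10.30.0.5", 4840),   # PLC -> historian: permitted conduit
    ("10.10.0.40", "10.30.0.5", 443),    # laptop -> historian: permitted conduit
    ("10.10.0.40", "10.20.0.11", 502),   # laptop -> PLC over Modbus/TCP
    ("10.20.0.77", "10.20.0.11", 502),   # on-site address missing from inventory
    ("10.20.0.30", "203.0.113.9", 443),  # analyzer -> address outside the site
]

def zone_of(ip):
    """Return the inventory zone, UNKNOWN (on-site, not inventoried) or EXTERNAL."""
    if ip in INVENTORY:
        return INVENTORY[ip]["zone"]
    addr = ipaddress.ip_address(ip)
    return "UNKNOWN" if any(addr in net for net in SITE_NETS) else "EXTERNAL"

def audit(flows):
    """Flag flows involving uninventoried devices or crossing zones off-policy."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if "UNKNOWN" in (src_zone, dst_zone):
            findings.append(("uninventoried-device", src, dst, port))
        elif src_zone != dst_zone and (src_zone, dst_zone, port) not in ALLOWED_CONDUITS:
            findings.append(("segmentation-violation", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```
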
As IIoT continues to reshape many industries, including renewable gas, cybersecurity must be treated not as an afterthought but as a foundational pillar of operational integrity. Regulatory frameworks from NIST, the EU, and ISO provide a roadmap, but it is up to industry leaders to implement these guidelines rigorously. The stakes are high: the safety of workers, the reliability of energy supply, and the resilience of national infrastructure all depend on securing the digital backbone of gas processing systems.