Secure IoT Connectivity for Smart Cities

Bring Zero Trust to urban IoT deployments

Rethinking IoT security

Modern cities rely on connected infrastructure - from lighting and traffic systems to water, waste and parking. But too often, the data behind these services travels over networks never designed for security or control.

That’s why it’s time to rethink IoT security models: Treat the network as untrusted, assign identity to every device, keep traffic private, and apply access policies at every connection.

 

 

Why this matters now

 

  • Scale increases exposure. Individually controlled smart street lights reached 32.9 million in 2024 and Europe holds roughly 35 percent of the installed base. Growth to 85 million by 2029 compounds risk if traffic stays on public paths (Berg Insight, 2025).

  • Water and wastewater are targeted. Since 2020 there have been dozens of documented incidents against utilities, including ransomware, tampering attempts, and forced manual operations (IWMI, 2025).

  • Real-world sabotage is no longer hypothetical. Authorities in Norway attributed a spring 2025 dam incident to pro-Russian actors, who altered water flow through remote access to the controls (APnews.com, 2025).

  • Regulation tightens. NIS2 covers drinking water, wastewater, energy, transport, and parts of public administration. The EU Cyber Resilience Act is in force. Core obligations apply from 11 December 2027.

 

 

“IoT is infrastructure. Infrastructure needs real protection.” - Henning Solberg, CEO & CTO, IXT

 

 

Why IoT needs a new approach

 

Traditional security models have long worked on a simple assumption: what’s inside the firewall is safe, what’s outside is not. But as Marius Holmsen, security expert, explained in a recent conversation:

 

“We need to stop assuming anything is secure – whether it’s inside or outside. Every device, every connection must be validated.”

 

 

Why zero trust matters for IoT

 

IoT environments are uniquely exposed. Devices often sit in remote or public locations – think municipal pump stations, EV chargers or sensors in logistics hubs. Attackers only need to find one weak point. From there, they can move laterally through a system to reach the real target, whether that’s customer data or payment systems.

Marius gave the example of Target’s major breach in the US: attackers first gained access via an HVAC system vendor, then moved deeper into the company’s IT.

“That story is over 10 years old, but it’s just as relevant today. Many IoT setups still expose themselves in exactly the same way.”

 

 

What makes Zero Trust different

 

Instead of funnelling devices into one broad VPN tunnel – effectively a “cable straight into your network” – zero trust takes each connection and applies strict control:

 

  • Each device is identified and validated

  • Each request is checked against policy (time, location, application, patch status)

  • Access is granted only to the specific resource needed, nothing more

 

As Marius put it: “Zero trust means we don’t actually trust anyone – not by default. We verify everything, every time.”

 

This shrinks the traditional attack surface: devices run no inbound listening services, so there are no open ports for an internet scanner to find. Communication is initiated from the inside out, and an outside attacker has nothing to connect to. The trust then rests on the device’s credentials and on the endpoint it dials out to, so those need the same hardening, monitoring and credential rotation as any internet-facing service.

 

 

Two things make zero trust urgent for IoT in 2025:

 

  • Rising threat levels – critical infrastructure (waste management, food transport, utilities) is increasingly targeted. Marius says: “A lot of these systems were set up years ago without security in mind – and they’re vulnerable to state-backed actors today.”

  • Regulation – the EU’s NIS2 directive is being transposed into national law, forcing industries seen as critical infrastructure to meet stricter security standards

 

 

The road ahead

 

Zero trust isn’t just for IT networks anymore – it’s becoming essential for operational technology and IoT. The model gives organisations full visibility and control over who and what is accessing devices. It also allows for granular privileges, such as limiting a vendor’s access to one sensor, during a set time window, while recording the session.

 

For companies deploying thousands of IoT devices, the shift may sound daunting. But as Marius underlined, modern solutions make implementation possible without ripping out everything already in place.

 

“You don’t have to replace all your equipment. What’s important is securing each device and its connection. That’s where zero trust changes the game.” - Marius Holmsen, CTO at Shift Security.

 

 

Top risks for city IoT traffic

  • Public exposure. Radio-link encryption protects traffic only between the device and the mobile network. From the core network onward, payloads may cross infrastructure you neither own nor see, and unless the application encrypts end to end (TLS or DTLS) they travel in the clear. Shared APNs and public IPs make devices discoverable, and discoverable means exposed.

  • Rogue access and identity abuse. False base stations and SIM identity misuse are real threats. These techniques, seen from 2G through to 5G, still enable interception and manipulation, and they are not going away (CableLabs). A practical check: where coverage allows, disable 2G on the modem and, if the operator supports it, restrict the subscription to 4G/5G, because a false base station will try to force the weakest generation the device still accepts.

  • Compliance drift. Cross-border routing and logging outside the intended region create GDPR and NIS2 headaches. Keep data flows deterministic and provable.

  • Operational reality in water/waste. Remote stations, legacy controllers, and intermittent links raise the bar for secure onboarding and continuous verification (CISA, 2025).

 

 

What good looks like for smart cities

Permanent roaming in brief

 

Smart cities need devices that stay connected, everywhere. But roaming isn’t always straightforward. Some countries restrict long-term inbound roaming or require a local footprint for compliance.

 

To reduce the risk of disconnection or regulatory issues, a multi-profile eSIM strategy makes sense. It allows you to localise connectivity where needed, while maintaining control and consistency at scale.

 

 

Zero Trust applied to mobile IoT

 

Citywide deployments need more than a secure perimeter. Zero Trust means verifying every connection, not just once - but continuously.

Apply least-privilege access, segment traffic between devices, and enforce identity at the SIM and device level to stop threats before they spread.
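The per-connection checks listed under “What makes Zero Trust different” and the vendor case in “The road ahead” (one sensor, a set time window, session recorded) can be written down as a fail-closed policy evaluator. The Go program below is an added example, not IXT’s or Shift Security’s code: the pump, vendor account, hostnames, ICCIDs and grant values are constructed, and binding a device to its SIM by ICCID is an assumed data model rather than anything the page specifies.

```go
package main

import (
	"fmt"
	"time"
)

// DeviceRecord binds a device to the ICCID of the SIM it was provisioned
// with (an assumed data model, not IXT's): a request arriving on any other
// SIM fails identity before any other check runs.
type DeviceRecord struct {
	ID    string
	ICCID string
}

// Grant is one least-privilege rule: a principal (device or vendor account)
// may reach exactly one destination and port, inside a time window, from the
// listed serving countries. Anything no Grant matches is denied.
type Grant struct {
	Principal string
	Dest      string
	Port      int
	NotBefore time.Time
	NotAfter  time.Time
	Countries map[string]bool // empty means any country
	Record    bool            // session must be recorded
}

type Request struct {
	Principal string // device ID or vendor account
	ICCID     string // SIM the connection arrived on; "" for a vendor login
	Dest      string
	Port      int
	At        time.Time
	Country   string // serving-network country reported by the mobile core
}

type Decision struct {
	Allow  bool
	Reason string
	Record bool
}

type Policy struct {
	Devices map[string]DeviceRecord
	Grants  []Grant
}

// Evaluate fails closed: identity first, then a matching grant, then that
// grant's time and location conditions. It runs per request, not once per tunnel.
func (p Policy) Evaluate(r Request) Decision {
	if r.ICCID != "" {
		d, ok := p.Devices[r.Principal]
		if !ok || d.ICCID != r.ICCID {
			return Decision{Reason: "SIM/device identity mismatch"}
		}
	}
	for _, g := range p.Grants {
		if g.Principal != r.Principal || g.Dest != r.Dest || g.Port != r.Port {
			continue
		}
		if r.At.Before(g.NotBefore) || r.At.After(g.NotAfter) {
			return Decision{Reason: "outside access window"}
		}
		if len(g.Countries) > 0 && !g.Countries[r.Country] {
			return Decision{Reason: "serving country not permitted"}
		}
		return Decision{Allow: true, Reason: "matched grant", Record: g.Record}
	}
	return Decision{Reason: "no grant for this principal and destination"}
}

// SampleFleetPolicy is constructed data: one pump controller and one vendor
// maintenance window on a single sensor. Hostnames and ICCIDs are made up.
func SampleFleetPolicy() Policy {
	return Policy{
		Devices: map[string]DeviceRecord{"pump-042": {ID: "pump-042", ICCID: "8947000000000000042"}},
		Grants: []Grant{
			{ // the pump reaches only its SCADA broker, only from Norway, any time
				Principal: "pump-042", Dest: "scada.water.internal", Port: 8883,
				NotAfter: time.Date(9999, 1, 1, 0, 0, 0, 0, time.UTC), Countries: map[string]bool{"NO": true},
			},
			{ // the vendor gets one sensor, a four-hour window, session recorded
				Principal: "acme-support", Dest: "sensor-17.water.internal", Port: 443,
				NotBefore: time.Date(2025, 6, 1, 8, 0, 0, 0, time.UTC),
				NotAfter:  time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC), Record: true,
			},
		},
	}
}

func main() {
	p := SampleFleetPolicy()
	at := time.Date(2025, 6, 1, 9, 0, 0, 0, time.UTC)
	for _, r := range []Request{
		{Principal: "acme-support", Dest: "sensor-17.water.internal", Port: 443, At: at, Country: "NO"},
		{Principal: "acme-support", Dest: "sensor-17.water.internal", Port: 443, At: at.Add(4 * time.Hour), Country: "NO"},
		{Principal: "pump-042", ICCID: "8947000000000000099", Dest: "scada.water.internal", Port: 8883, At: at, Country: "NO"},
	} {
		d := p.Evaluate(r) // each line is the audit record the CMP or SIEM would keep
		fmt.Printf("%s -> %s:%d allow=%t record=%t (%s)\n", r.Principal, r.Dest, r.Port, d.Allow, d.Record, d.Reason)
	}
}
```

The point to notice is what is absent: there is no notion of “inside the network”. The pump’s ICCID, the vendor’s window and the serving country are checked on every request, and a request the policy does not explicitly match is denied.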

 

 

Connectivity architecture principles

 

Private first

Start with security at the foundation. Avoid exposing device traffic to the public internet. Use private APNs or route directly to your cloud environment to keep data flows contained and controlled.

 

Cloud-native integration

Smart city services increasingly run in the cloud, so your connectivity should too. Route traffic directly to AWS, Azure or GCP, and enforce policies at the edge to maintain control without slowing things down.

 

Full observability

You can’t protect what you can’t see. Real-time visibility into SIM status, routing paths, and anomalies makes it easier to spot issues and respond quickly, before they become problems.

 

Commercial clarity

Managing fleets across districts shouldn’t be a billing nightmare. Pool data across devices and locations to simplify costs and improve predictability as deployments grow.

 

 

How IXT maps to the blueprint

 

Zero Trust SIM + SecureNet

Our SIMs are built for Zero Trust from the ground up. Devices connect out, not in, eliminating exposed services. Traffic stays private, with isolated data paths and no shared APNs. You can route directly to cloud endpoints or use a dual VPN setup when needed.

 

CMP for visibility

Our connectivity management platform gives you full control over your fleet. Monitor device status in real time, set up alerts, run diagnostics, and integrate via API, all from one place.

 

Global Data Pool

No more juggling regional plans. IXT gives you a single data pool that spans fleets and regions, making it easy to handle seasonal swings and diverse deployments across city districts.

 

 

"Regulators have caught up to what many of us have warned about for years: IoT isn’t experimental anymore. It's infrastructure. And infrastructure needs real protection." - Henning Solberg, CEO & CTO, IXT

 

 

Use-case focus: city operations

Street lights

  • Risk: Shared APNs and public IPs widen the attack surface.

  • Better approach: Private APN or direct cloud routing per lighting segment. SIM-bound identity and anomaly alerts for odd schedules or spikes.
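An added example, not code from IXT’s CMP, of the two alerts this bullet asks for: a per-SIM data-volume spike detector and an off-schedule command check. The Go program below uses a robust baseline (median and MAD) so one bad day does not poison the baseline it is compared against; all usage records, ICCIDs, thresholds and commands are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

type UsageSample struct {
	ICCID string
	Day   string // YYYY-MM-DD, one record per SIM per day as a CMP would export it
	Bytes float64
}

type Command struct {
	ICCID string
	Hour  int // local hour 0-23 at which a lighting command was issued
	Name  string
}

type Alert struct{ ICCID, Day, Kind, Detail string }

func median(xs []float64) float64 { // caller guarantees len(xs) > 0
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// SpikeAlerts flags a SIM-day whose volume exceeds that SIM's own median by more
// than k robust standard deviations (1.4826 * MAD) and by at least minBytes.
// Median and MAD, not mean and stddev, stop one huge day from inflating the baseline.
func SpikeAlerts(samples []UsageSample, k, minBytes float64) []Alert {
	bySIM := map[string][]UsageSample{}
	for _, s := range samples {
		bySIM[s.ICCID] = append(bySIM[s.ICCID], s)
	}
	var alerts []Alert
	for _, group := range bySIM {
		if len(group) < 7 { // too little history to call anything abnormal
			continue
		}
		vals := make([]float64, len(group))
		for i, s := range group {
			vals[i] = s.Bytes
		}
		med := median(vals)
		for i := range vals {
			vals[i] = math.Abs(vals[i] - med) // reuse as absolute deviations
		}
		// floor at 5 % of the median so a perfectly flat baseline does not flag 1 % jitter
		scale := math.Max(1.4826*median(vals), 0.05*med)
		for _, s := range group {
			if s.Bytes-med > k*scale && s.Bytes-med > minBytes {
				alerts = append(alerts, Alert{s.ICCID, s.Day, "usage-spike", fmt.Sprintf("%.0f bytes vs median %.0f", s.Bytes, med)})
			}
		}
	}
	return alerts
}

// OffScheduleAlerts flags commands outside the dusk-to-dawn window
// [onHour, offHour), which wraps midnight when onHour > offHour.
func OffScheduleAlerts(cmds []Command, onHour, offHour int) []Alert {
	var alerts []Alert
	for _, c := range cmds {
		in := c.Hour >= onHour && c.Hour < offHour
		if onHour > offHour {
			in = c.Hour >= onHour || c.Hour < offHour
		}
		if !in {
			alerts = append(alerts, Alert{c.ICCID, "", "off-schedule", fmt.Sprintf("%s at %02d:00", c.Name, c.Hour)})
		}
	}
	return alerts
}

// SampleUsage is constructed data: SIM ...101 runs ~50 kB/day with one 4.2 MB day;
// SIM ...102 is a flat 12 kB/day and must not alert.
func SampleUsage() []UsageSample {
	var out []UsageSample
	for i, b := range []float64{50100, 49800, 50300, 49500, 50700, 50200, 49900, 50400, 49700, 50000, 50600, 49600, 50500, 4200000} {
		out = append(out, UsageSample{"8947000000000000101", fmt.Sprintf("2025-06-%02d", i+1), b})
	}
	for i := 0; i < 7; i++ {
		out = append(out, UsageSample{"8947000000000000102", fmt.Sprintf("2025-06-%02d", i+1), 12000})
	}
	return out
}

func main() {
	fmt.Println(SpikeAlerts(SampleUsage(), 5, 1_000_000))
	fmt.Println(OffScheduleAlerts([]Command{{"8947000000000000101", 13, "set_dim"}}, 17, 7))
}
```

Feed it the CMP’s per-SIM daily usage export and the command log; the seven-day minimum, the 5 % floor and k are tuning choices to set per device class. With the constructed data only the 4.2 MB day and the daytime command alert.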

 

Traffic and parking

  • Risk: Rogue base stations and weak OTA controls disrupt telemetry and control loops.

  • Better approach: Per-session verification, signed OTA, and micro-segments per function to limit blast radius.

 

 

Use-case focus: water and waste

 

Water treatment and distribution

  • Reality: Attempted tampering and ransomware have forced manual modes and emergency responses (source).

  • Better approach: Device-initiated outbound connections only. No exposed gateways. SIM-bound identity and policy checks on location, time, and app.

 

Pumping stations and waste collection

  • Reality: Remote, power-constrained assets with legacy controllers.

  • Better approach: eSIM with local profiles where needed, private networking, authenticated OTA with rollback, and CMP alerts on abnormal flow.
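“Authenticated OTA with rollback” (here and under traffic and parking) comes down to three device-side checks plus a safety net. The Go program below is an added example, not IXT’s or any vendor’s update mechanism: the build side signs a small manifest (version and image hash) with Ed25519, and the device verifies the signature against a pinned public key, refuses any version not newer than the one it runs (anti-rollback), checks the image hash, and restores the previous image if the post-update health check fails. Key pair, image bytes and manifest layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the build server signs. The image is referenced by hash,
// so the signature covers it without signing the whole binary.
type Manifest struct {
	Version  uint32 `json:"version"`
	ImageSHA string `json:"image_sha256"`
}

type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

// Firmware models a device with two slots: the running image and the previous
// one kept for rollback. PubKey is pinned at provisioning.
type Firmware struct {
	PubKey  ed25519.PublicKey
	Version uint32
	Image   []byte
	prevVer uint32
	prevImg []byte
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrRollback  = errors.New("version not newer than installed (anti-rollback)")
	ErrImageHash = errors.New("image hash does not match manifest")
	ErrUnhealthy = errors.New("post-update health check failed; previous image restored")
)

// Verify runs the checks in the order a device should: signature before the
// manifest is even parsed, then anti-rollback, then image integrity.
func (f *Firmware) Verify(u SignedUpdate) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(f.PubKey, u.ManifestJSON, u.Signature) {
		return m, ErrSignature
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, err
	}
	if m.Version <= f.Version {
		return m, ErrRollback
	}
	if sum := sha256.Sum256(u.Image); hex.EncodeToString(sum[:]) != m.ImageSHA {
		return m, ErrImageHash
	}
	return m, nil
}

// Apply installs a verified update but keeps the old image; if healthy()
// reports a failed boot, the previous image and version are restored.
func (f *Firmware) Apply(u SignedUpdate, healthy func(image []byte) bool) error {
	m, err := f.Verify(u)
	if err != nil {
		return err
	}
	f.prevVer, f.prevImg = f.Version, f.Image
	f.Version, f.Image = m.Version, u.Image
	if !healthy(f.Image) {
		f.Version, f.Image = f.prevVer, f.prevImg
		return ErrUnhealthy
	}
	return nil
}

// BuildUpdate is the build-server side: hash the image, sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	sum := sha256.Sum256(image)
	mj, _ := json.Marshal(Manifest{Version: version, ImageSHA: hex.EncodeToString(sum[:])})
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	dev := &Firmware{PubKey: pub, Version: 3, Image: []byte("fw-v3")}
	ok := func([]byte) bool { return true }
	fmt.Println("v4 :", dev.Apply(BuildUpdate(priv, 4, []byte("fw-v4")), ok), "running", dev.Version)
	fmt.Println("v2 :", dev.Apply(BuildUpdate(priv, 2, []byte("fw-v2")), ok))
	tampered := BuildUpdate(priv, 5, []byte("fw-v5"))
	tampered.Image = []byte("fw-v5-evil") // manifest still validly signed, image swapped
	fmt.Println("v5*:", dev.Apply(tampered, ok))
	fmt.Println("v5 :", dev.Apply(BuildUpdate(priv, 5, []byte("fw-v5")), func([]byte) bool { return false }), "running", dev.Version)
}
```

Two things a real device adds on top: the anti-rollback counter lives in storage the application image cannot rewrite (otherwise a compromised image simply resets it), and the new image boots from an A/B slot and is only marked bootable once the health check passes, so rollback is a bootloader decision rather than application code.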

 

 

Smart city IoT deployment checklist

 

1. Plan

  • Pick two priority domains first: city operations and water/waste.
  • Map data flows and cloud endpoints. Note regions for logs and storage.
  • Choose identity: SIM-bound, device-bound, or both.
  • Decide routing: private APN or direct-to-cloud.
  • Confirm local-profile strategy for markets with roaming restrictions.

 

2. Build

  • Activate Zero Trust SIM profiles.
  • Enable SecureNet policies per segment.
  • Label assets in CMP. Set alerts and usage thresholds.
  • Integrate logs with your SIEM.
  • Enforce signed OTA with rollback.

 

3. Validate

  • Block inbound exposure. Device-initiated outbound only.
  • Test segmentation for lighting, traffic, water, and waste.
  • Verify routing stays within the intended region.
  • Trigger anomaly alerts with test events.
  • Export evidence pack with policies, logs, and asset lists.

 

4. Operate

  • Review alerts weekly and tune policies.
  • Rotate credentials and profiles on schedule.
  • Watch data-pool outliers by district and season.
  • Refresh the asset inventory and remove stale access.

Frequently asked questions

 

Does Zero Trust replace our VPN/APN setup?

It shifts from broad tunnels to per-session, app-specific access. That removes exposed endpoints and reduces lateral movement.

 

 

How do we keep data in the right region?

Use private APNs or direct cloud endpoints with policy-driven routing and logs. Avoid public paths where routes drift across borders.

 

 

What about permanent roaming rules?

Use multi-profile eSIM and lawful local presence to avoid long-term roaming issues. This aligns with evolving guidance and market practices.