Rethink IoT security with Zero Trust
Securing the future of connected IoT devices.

Rethinking IoT security
From smart cities and EV charging to automation and utilities, IoT is transforming critical industries. But as deployments grow, so does the attack surface.
By 2030, it is predicted that there will be over 40 billion connected devices in operation - many transmitting sensitive data over mobile networks with little to no protection. In fact, one in three data breaches now involves an IoT device, according to Verizon. More than 50 percent of IoT devices have critical vulnerabilities that hackers can exploit right now (IBM).
In this environment, Zero Trust is no longer optional. It’s the new baseline for organisations that need to protect data, ensure uptime, and stay compliant with evolving regulations like NIS2. In this guide we explore what zero trust security means and how to protect your infrastructure, keep your data private, and keep your business resilient.
The connectivity crunch
IoT is no longer just about connecting devices - it's about orchestrating decisions, actions and data flow in real time, often at the edge. Today’s deployments power infrastructure, enable automation, and interact with AI-driven systems. That makes connectivity more than a transport layer - it’s a potential point of compromise.
Yet many deployments still rely on open networks, unmanaged SIM fleets, or generic mobile connectivity models. This lack of control and visibility means threats go undetected, data routes are unpredictable, and compliance becomes harder to guarantee.
To meet the demands of this new reality, businesses must rethink connectivity as a security-critical layer - one that’s programmable, observable, and aligned with Zero Trust principles. This isn’t just about protecting data. It’s about safeguarding decisions, uptime, and trust - from the SIM to the cloud.
The new threat landscape for mobile IoT traffic
"We’re seeing a surge in targeted attacks on mobile-connected devices. Rogue base stations, OTA exploits, even SIM manipulation. You can’t rely on legacy defences or assume carriers are protecting every layer." Henning Solberg, CTO and CEO of IXT
Rogue base stations (fake cell towers)
Cybercriminals can use low-cost hardware to impersonate mobile towers. These fake towers can intercept or manipulate data, push malicious firmware, or disrupt service by denying legitimate network access. For public infrastructure or industrial sensors, this can halt critical systems.
SIM swap and identity attacks
Traditionally associated with consumer devices, SIM swap fraud is now a threat to IoT. Attackers may socially engineer access to SIM credentials, or manipulate OTA systems to clone device identities. This grants access to private systems or hijacks data flows.
OTA hijacks & remote management exploits
The same systems that allow remote firmware updates or SIM configuration can be abused. If OTA channels are not authenticated and encrypted, attackers can inject malicious commands or firmware.
Data exposure and interception
Public mobile networks only encrypt data over the air. Once it hits the carrier’s core or crosses into the internet, it may traverse unknown nodes. Unencrypted IoT payloads can be harvested, altered, or rerouted.
Compliance breaches and data sovereignty risks
If sensitive data (e.g., utility usage, vehicle telemetry) is routed internationally or logged in the wrong jurisdiction, companies risk breaching GDPR, NIS2 or sector-specific data laws.
DDoS, jamming, and botnet recruitment
Insecure IoT devices are often recruited into botnets. Attackers exploit poor credential management or open services, turning thousands of devices into DDoS participants or network disruptors.
The real cost of insecure IoT Connectivity
- Operational disruption: Downtime from attacks or failed devices can last days to weeks, costing millions in lost production, disrupted services, or logistics delays.
- Reputational damage: In sectors like smart city infrastructure, a breach can trigger public distrust, especially if safety systems are affected.
- Regulatory fines: GDPR violations can reach €20M or 4% of global turnover. NIS2 expands this to more sectors and adds stricter timelines for breach reporting.
- Incident response costs: Investigating, remediating, and patching IoT fleets post-attack is expensive and complex. Legacy SIMs often lack the remote management capabilities needed for rapid response.
- Revenue loss: Security concerns slow down product rollouts, deter customers, or increase insurance and compliance costs.
Why IoT needs a new approach
Traditional security models have long worked on a simple assumption: what’s inside the firewall is safe, what’s outside is not. But as Marius Holmsen, security expert, explained in a recent conversation:
“We need to stop assuming anything is secure – whether it’s inside or outside. Every device, every connection must be validated.”
Why zero trust matters for IoT
IoT environments are uniquely exposed. Devices often sit in remote or public locations – think municipal pump stations, EV chargers or sensors in logistics hubs. Attackers only need to find one weak point. From there, they can move laterally through a system to reach the real target, whether that’s customer data or payment systems. Marius gave the example of Target’s major breach in the US: attackers first gained access via an HVAC system vendor, then moved deeper into the company’s IT.
“That story is over 10 years old, but it’s just as relevant today. Many IoT setups still expose themselves in exactly the same way.”
What makes zero trust different
Instead of funnelling devices into one broad VPN tunnel – effectively a “cable straight into your network” – zero trust takes each connection and applies strict control:
- Each device is identified and validated
- Each request is checked against policy (time, location, application, patch status)
- Access is granted only to the specific resource needed, nothing more
As Marius put it:
“Zero trust means we don’t actually trust anyone – not by default. We verify everything, every time.”
This removes the traditional attack surface: there are no exposed endpoints, no open doors. Communication is initiated from the inside out, making it invisible to outside attackers.
Two things make zero trust urgent for IoT in 2025
1. Rising threat levels – critical infrastructure (waste management, food transport, utilities) is increasingly targeted. Marius says: “A lot of these systems were set up years ago without security in mind – and they’re vulnerable to state-backed actors today.”
2. Regulation – the EU’s NIS2 directive will soon apply, forcing industries seen as critical infrastructure to meet stricter security standards.
The road ahead
Zero trust isn’t just for IT networks anymore – it’s becoming essential for operational technology and IoT. The model gives organisations full visibility and control over who and what is accessing devices. It also allows for granular privileges, such as limiting a vendor’s access to one sensor, during a set time window, while recording the session.
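The per-request checks listed under "What makes zero trust different" (identity, time, location, application, patch status) and the vendor scenario above (one sensor, a set time window, a recorded session), as an added example that is not part of the original guide or of any vendor's product. All names (Grant, Request, authorize, vendor-a, sensor-17) and sample values are constructed, and identity verification is assumed to have been done upstream by SIM or certificate authentication.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    subject: str          # verified device or vendor identity
    resource: str         # the one resource this grant covers
    application: str      # application/protocol allowed
    countries: frozenset  # locations the request may come from
    not_before: datetime  # access window start (UTC)
    not_after: datetime   # access window end (UTC)
    min_patch: tuple      # lowest acceptable patch level
    record_session: bool = False

@dataclass(frozen=True)
class Request:
    subject: str
    identity_verified: bool  # outcome of upstream SIM/certificate authentication
    resource: str
    application: str
    country: str
    when: datetime
    patch: tuple

def authorize(req, grants):
    """Default deny. Returns (allowed, reason, record_session)."""
    if not req.identity_verified:
        return (False, "identity not verified", False)
    reason = "no grant for this subject and resource"
    for g in grants:
        if (g.subject, g.resource) != (req.subject, req.resource):
            continue
        if req.application != g.application:
            reason = "application not permitted"
        elif req.country not in g.countries:
            reason = "location not permitted"
        elif not g.not_before <= req.when <= g.not_after:
            reason = "outside access window"
        elif req.patch < g.min_patch:
            reason = "patch level too old"
        else:
            return (True, "granted", g.record_session)
    return (False, reason, False)

# Constructed sample: one vendor, one sensor, a two-hour window, session recorded.
T = lambda h: datetime(2025, 3, 1, h, tzinfo=timezone.utc)  # hour on a constructed date
GRANTS = [Grant("vendor-a", "sensor-17", "ssh", frozenset({"NO"}),
                T(8), T(10), (2, 4, 0), True)]
BASE = Request("vendor-a", True, "sensor-17", "ssh", "NO", T(9), (2, 4, 1))
```

Every path that does not match a grant exactly falls through to a deny, so a vendor holding a grant for sensor-17 gets nothing on sensor-18 even inside the window.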
For companies deploying thousands of IoT devices, the shift may sound daunting. But as Marius underlined, modern solutions make implementation possible without ripping out everything already in place.
“You don’t have to replace all your equipment. What’s important is securing each device and its connection. That’s where zero trust changes the game.” Marius Holmsen, CTO at Shift Security
Securing your IoT data before the breach
Why public infrastructure isn’t enough - and what to do instead.
The majority of IoT traffic today still runs over shared mobile networks and the public internet, channels that were never built for security or control. For deployments handling sensitive data, this is more than a weakness. It’s a liability.
Public paths are opaque. You can’t see how your data is routed, who handles it, or where it might be intercepted. Shared APNs expose devices to probing and scanning. Public IPs make them discoverable and targetable. And when something goes wrong, forensic visibility is limited at best. The answer isn’t patching around the public pipe. It’s moving to connectivity that’s secure by design.
Private, isolated data paths, through dedicated APNs, VPN tunnels or direct cloud endpoints, give you full control over how, where and when data moves. When combined with zero-trust principles, this architecture validates every connection, limits exposure, and surfaces anomalies in real time.
“When it comes to IoT, public networks are public territory. Accessible to anyone, including threat actors. It’s time to treat every network connection as untrusted until proven otherwise.” Henning Solberg, CEO & CTO, IXT
Zero Trust for every sensor
Principles for IoT security
The shift from perimeter-based security to Zero Trust Network Architecture (ZTNA) has reached IoT.
Key principles applied to IoT include:
- Least privilege access: Devices should only communicate with necessary endpoints.
- Micro-segmentation: Limit exposure of each device’s traffic. Prevent east-west lateral movement.
- Secure identity: Each device, SIM, or module must prove its identity before joining the network.
- Context-aware controls: Apply policies based on location, behaviour, or time.
- Continuous verification: Monitor activity continuously; don’t assume persistent access equals trust.
With IoT, implementing Zero Trust means controlling the network edge where devices connect. Private mobile networks make this achievable at scale.
Building a secure IoT Connectivity architecture
For organisations deploying mobile-connected IoT devices, a future-proof and secure connectivity architecture should prioritise the following elements:
- Isolated data paths: Use private access points (APNs) or secure tunnels to route traffic away from public networks. This prevents exposure to shared infrastructure and reduces risk of interception or tampering.
- Support for modern SIM technologies: Adopt solutions that include eSIM or multi-profile SIMs to ensure local compliance and resilience against permanent roaming restrictions. These also enable remote provisioning and quicker deployment across regions.
- Cloud-native integration: Direct integration with cloud environments like AWS, Azure or GCP allows IoT data to flow securely into your backend without relying on public internet paths. This reduces latency and improves data residency control.
- Network-level policy enforcement: Consider a connectivity model that supports Zero Trust principles at the network edge. That includes capabilities like micro-segmentation, traffic monitoring, IP filtering and anomaly detection as close to the source as possible.
- Visibility and management tools: A robust connectivity management platform should provide real-time visibility into SIM usage, device activity, and connection status. Integration via APIs can simplify operations across large-scale fleets.
- Predictable, flexible commercial models: Seek transparent pricing structures that scale with your usage. Options like pooled data, regional segmentation and contract flexibility allow for better forecasting and fewer billing surprises.
The most secure IoT connectivity setups are those that don’t rely on any single technology or trust assumption. Instead, they build layered controls from the SIM to the cloud, combining identity, isolation and visibility.
“If you want to secure IoT at scale, you can’t treat connectivity as a commodity. It has to be a controlled, observable layer that actively supports your security model.” Henning Solberg, CEO & CTO, IXT
Best practice framework. 7 pillars of mobile IoT security
1. Private networking first: Avoid public APNs. Use dedicated APNs and private tunnels.
2. Strong identity: Use SIM-based authentication, secure provisioning, and strong device credentials.
3. End-to-End Encryption: Encrypt both control plane and data plane. Use TLS/IPsec.
4. Patchability: Use OTA systems that authenticate sources and allow rollback.
5. Behaviour Monitoring: Alert on abnormal device patterns (data exfiltration, location change).
6. Resilience Planning: Design for SIM swap resistance and secure failover.
7. Compliance Alignment: Map architecture to GDPR, NIS2, ISO 27001, and other relevant frameworks.
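Pillar 5 in practice, as an added example that is not part of the original guide: detection logic that flags an uplink spike against a device's own baseline and a location change, run over constructed connectivity records. The record layout, SIM identifiers, thresholds and alert names are assumptions, and the location rule assumes stationary devices such as fixed sensors.

```python
from statistics import median

# Constructed sample records: (sim_id, hour, country, cell_id, uplink_bytes)
RECORDS = [
    ("sim-0001", 0, "NO", "c-101", 4_200),
    ("sim-0001", 1, "NO", "c-101", 3_900),
    ("sim-0001", 2, "NO", "c-101", 4_500),
    ("sim-0001", 3, "NO", "c-101", 4_100),
    ("sim-0001", 4, "NO", "c-101", 95_000),  # uplink spike
    ("sim-0002", 0, "NO", "c-204", 1_000),
    ("sim-0002", 1, "NO", "c-204", 1_100),
    ("sim-0002", 2, "NO", "c-204", 900),
    ("sim-0002", 3, "PL", "c-977", 1_050),   # fixed device seen elsewhere
]

def detect(records, spike_factor=5, min_history=3):
    """Return [(sim_id, hour, alert)] for uplink spikes and location changes."""
    history, last_seen, alerts = {}, {}, []
    for sim, hour, country, cell, uplink in sorted(records, key=lambda r: (r[0], r[1])):
        past = history.setdefault(sim, [])
        # Volume: compare against the device's own median once a baseline exists.
        if len(past) >= min_history and uplink > spike_factor * median(past):
            alerts.append((sim, hour, "uplink_spike"))
        else:
            past.append(uplink)  # only normal samples feed the baseline
        # Location: a stationary device should keep its country and cell.
        prev = last_seen.get(sim)
        if prev and prev[0] != country:
            alerts.append((sim, hour, "country_change"))
        elif prev and prev[1] != cell:
            alerts.append((sim, hour, "cell_change"))
        last_seen[sim] = (country, cell)
    return alerts
```

Keeping flagged samples out of the baseline stops a sustained exfiltration from gradually raising the median until it looks normal.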
New rules and rising pressure on IoT compliance
The regulatory landscape for IoT is no longer abstract or advisory—it's tangible, enforceable, and expanding fast. Security and compliance are becoming inseparable from deployment planning, particularly for organisations operating in critical infrastructure, public services or cross-border markets. Here are four key frameworks and changes shaping that shift:
- GDPR: Personal and usage data collected by IoT systems (e.g., citizen info, utility metrics) must be encrypted, kept within compliant jurisdictions, and protected from unauthorised access.
- NIS2: Expands cybersecurity duties to operators of essential services in energy, transport, health, and digital infrastructure. Includes technical and organisational security, breach notification within 24 hours, and executive accountability.
- Permanent Roaming Laws: Operators in countries like Brazil, Turkey, India and China are now enforcing strict limits on roaming SIMs. Without local profiles (e.g., multi-IMSI), companies risk disconnection.
- Upcoming EU Cyber Resilience Act: Will require IoT products to meet security-by-design standards. Could influence firmware update mechanisms, default password policies, and embedded security functions.
“Regulators have caught up to what many of us have warned about for years: IoT isn’t experimental anymore. It's infrastructure. And infrastructure needs real protection.” Henning Solberg, CEO & CTO, IXT
What's next: Emerging trends for 2026-2027
The next two years will bring major shifts in IoT security and connectivity infrastructure. For CTOs preparing to future-proof their strategy, here are five developments to watch:
1. iSIM goes mainstream
Integrated SIM (iSIM) technology will see broader adoption across low-power and space-constrained IoT devices. With security credentials embedded directly into the chipset, iSIM reduces hardware complexity and increases tamper resistance—especially important in remote or hostile deployments.
2. 5G RedCap Deployments expand
5G Reduced Capability (RedCap) will offer a new sweet spot between LTE-M/NB-IoT and full 5G. It brings better data rates and latency with lower power consumption—opening the door for more critical mid-tier applications in industrial and medical IoT.
3. Security-by-design requirements will tighten
Under the EU’s Cyber Resilience Act and global counterparts, vendors will face stricter mandates for secure boot, OTA update integrity, and default credential policies. Expect greater scrutiny of IoT supply chains and connectivity vendors alike.
4. AI at the network edge
AI-driven anomaly detection and policy enforcement will increasingly be run at the network edge, closer to devices. This will enable faster threat mitigation without relying solely on cloud analytics.
5. Consolidation of IoT connectivity platforms
With market pressure and rising regulatory demands, more enterprises will shift toward integrated connectivity platforms—bundling SIM provisioning, security, policy enforcement, and observability into unified environments.
“Looking ahead, the line between connectivity and security will continue to blur. Tomorrow’s most resilient IoT operations will treat the network not just as a pipe, but as a programmable, policy-aware shield.” Henning Solberg, CEO & CTO, IXT