TL;DR
Traditional IT security tools do not work for IoT devices. Endpoint agents cannot run on constrained hardware. Patch management fails when devices are deployed for 10-15 years in inaccessible locations. Firewalls do not see cellular-connected traffic. VPNs require client software that most IoT devices cannot support. And identity systems built for human users do not apply to headless machines. When the device cannot protect itself, the network it connects through becomes the security boundary. This is why IoT security is shifting to the connectivity layer: private networking, real-time traffic visibility, and Zero Trust policy enforcement applied at the network level rather than the device level.
The IT security gap hiding in plain sight
Your company has invested in firewalls, endpoint protection, patch management, identity management, and network segmentation. Your IT infrastructure is covered.
Now look at your IoT devices.
Sensors in substations. Controllers in factories. Cameras on building perimeters. Trackers on vehicles. Charging stations on public roads. They connect over cellular networks, operate without human interaction, and run for years in locations no one visits.
They are also the hardest assets on your network to secure. Not because the technology is lacking, but because the security model built for IT does not apply to them.
The scale of this exposure is growing fast. According to IoT Analytics, global connected IoT devices reached 21.1 billion by the end of 2025, growing 13% year-over-year (source: IoT Analytics, State of Enterprise IoT 2026, January 2026). One in three data breaches now involves an IoT device, according to the Verizon Data Breach Investigations Report. And Forescout's 2025 Riskiest Connected Devices report found a 15% year-over-year increase in average device risk, with routers representing over half of the most critically vulnerable devices (source: Forescout, Riskiest Connected Devices of 2025, April 2025).
These are not theoretical risks. They are structural problems with how IoT devices interact with security systems designed for a different kind of endpoint.
Here are six reasons why.
1. IoT devices do not run security software
The most basic IT security assumption is that every endpoint runs an agent. Antivirus, endpoint detection and response (EDR), device management. Your laptops run these tools. Your phones run them. Your servers run them.
Most IoT devices cannot. A temperature sensor on a constrained microcontroller has no operating system capable of running endpoint software. An industrial gateway running embedded Linux has limited memory and processing power. A SIM-enabled tracker has enough resources to send GPS coordinates and not much else.
This means the entire category of endpoint security, the foundation of IT protection, does not work for IoT. You cannot install an EDR agent on a water pressure sensor. The device lacks the processing capacity, the memory, and in many cases the operating system to support it.
When the endpoint cannot defend itself, the security must come from somewhere else. For cellular-connected IoT devices, that means the network layer. IXT SecureNet keeps IoT traffic isolated from the public internet through private APN, encrypted VPN tunnels, and direct cloud integration, applying security at the connectivity level rather than the device level.
Learn more about IXT SecureNet.
2. IoT devices do not get patched
IT teams have built rigorous patch management processes. Vulnerability disclosed on Monday, patch tested by Wednesday, rolled out by Friday. The cycle works because laptops and servers accept updates, have connectivity to update servers, and can be restarted without operational impact.
IoT devices break every part of this cycle. Many run firmware that requires manual updates, sometimes with physical access to the device. Some manufacturers stop releasing updates entirely after two or three years. Others release updates, but applying them to thousands of devices in remote locations is logistically impossible without shutting down the system they support.
The result: devices in the field running firmware with known vulnerabilities for years. Forescout's 2025 report found that routers now account for the majority of devices with the most critical vulnerabilities (source: Forescout, Riskiest Connected Devices of 2025, April 2025). The IoT Security Foundation reports that unpatched firmware is responsible for 60% of IoT security breaches.
When patching is not realistic, the alternative is isolating vulnerable devices from the broader network and controlling what they communicate with. Real-time visibility into device behavior becomes essential: if you can see a device connecting to an unexpected endpoint, you can respond before a vulnerability is exploited.
IXT CMP provides real-time visibility into connectivity status, data usage, and network events across your entire SIM fleet. Usage counters update in near real-time, not with the 24-48 hour delays typical of other platforms.
3. IoT devices cannot authenticate themselves the way users do
IT security relies heavily on identity. Users log in with credentials, complete multi-factor authentication, and operate within role-based access controls. Every action traces back to a person.
IoT devices have no users. A headless sensor is a device that operates autonomously without a screen, keyboard, or direct human interaction. It powers on, connects to the network, and starts transmitting data. The authentication happens at the SIM level (network registration) or not at all.
Traditional identity and access management (IAM) systems are designed for people. Adapting them for thousands of autonomous devices that communicate machine-to-machine requires a fundamentally different approach. The device identity needs to be tied to something persistent and verifiable. In cellular IoT, the SIM provides that identity anchor: the IMSI (International Mobile Subscriber Identity) and ICCID (Integrated Circuit Card Identifier) uniquely identify every device on the network.
Zero Trust Network Access takes this further by verifying every connection request against a policy before granting access to specific applications. Instead of trusting a device because it registered on the network, every communication is evaluated. No implicit trust. No broad network access.
Learn more about IXT Zero Trust.
4. Firewalls do not see IoT traffic properly
Perimeter firewalls work on a simple principle: define what goes in and out of the network, and block everything else. For IT traffic between known servers, applications, and user endpoints, this works.
IoT devices on cellular connections often bypass the corporate firewall entirely. A SIM-enabled device connects to a mobile network, not your office LAN. The traffic goes from the device to the carrier's core network and out to the internet or your cloud environment. Your firewall never sees it.
Even when IoT devices sit on the same network, most firewalls are not configured to inspect machine-to-machine traffic patterns. A compromised camera sending data to an unexpected IP address looks no different from normal traffic if no one is watching device-level behavior.
This is why the EU's NIS2 directive (enforceable since October 2024) specifically requires organizations in essential sectors to implement risk management measures across all network and information systems, including access control, incident detection, and network segmentation. IoT traffic that bypasses your firewall entirely creates a documented compliance gap under Article 21.
Private networking solves the firewall bypass problem by routing all IoT traffic through a dedicated, isolated pathway. IXT SecureNet provides a private APN with a dedicated Virtual Access Point exclusively for your traffic. Your IoT data never touches the public internet, and all connectivity events are logged in IXT CMP for compliance and diagnostics.
5. VPNs were not built for IoT
VPNs remain the default remote access solution for many organizations. They work for connecting users on laptops to corporate resources. But VPNs have three structural problems when applied to IoT.
First, they require client software. Most IoT devices cannot run a VPN client. The devices that can run one (industrial gateways, for example) consume processing resources and battery life on maintaining the tunnel.
Second, VPNs provide full network access once connected. A vendor laptop connecting via VPN to service one piece of equipment gets access to the entire network segment. As Henning Solberg, CTO and Co-founder at IXT, puts it: "VPNs were designed to connect users on laptops to corporate networks. They were never built for thousands of headless devices in energy grids, water treatment plants, and factory floors."
Third, VPNs scale poorly at IoT volumes. Managing certificates and tunnel configurations for 50 devices is manageable. For 5,000 devices across 12 countries, it becomes a full-time infrastructure problem.
IXT's Zero Trust Connectivity replaces VPN-based access with device-initiated connections that reach only the specific applications each device needs. No client software on the device. No exposed ports on the infrastructure side. No broad network access. Third-party contractors access equipment through browser-based Privileged Remote Access: time-limited, recorded, and restricted to specific resources.
6. IoT devices live for a decade in places no one visits
IT assets have a lifecycle measured in years. Laptops are replaced every three to four years. Servers get refreshed every five. Each replacement cycle brings updated hardware, new operating systems, and current security capabilities.
IoT devices are deployed for 10 to 15 years. A smart meter installed in 2020 is expected to run until 2035. A sensor embedded in industrial equipment stays in place for the life of the machine. These devices will outlive the security assumptions they were deployed under.
Worse, many are in locations where physical access is difficult or expensive. Under bridges. Inside sealed utility cabinets. On offshore platforms. On moving vehicles. Replacing or updating them requires planning, travel, and coordination that makes rapid response to security vulnerabilities impractical.
This is why the security architecture must be designed to evolve independently of the device. eUICC-enabled SIMs allow over-the-air profile switching without physical access. Network-level security policies can be updated centrally without touching the device firmware. And real-time monitoring lets you detect when a device's behavior changes, even if the device itself has no way of reporting a compromise.
IXT Global SIM supports eUICC for remote profile management, and SIMs are available across all form factors including MFF2 (eSIM) and iSIM-compatible formats for long-lifecycle embedded deployments.
Learn more about IXT Global SIM.
Where do you apply security when the device cannot protect itself?
If endpoint agents, patch management, traditional firewalls, identity systems, and VPNs all fall short for IoT, the question becomes: where does the security go?
The answer is the network layer. When a device cannot protect itself, the network it connects through becomes the security boundary.
This means three things in practice:
Private networking that keeps IoT traffic off the public internet. No shared infrastructure. No exposure to common attack vectors. The traffic isolation happens at the connectivity level, not the device level.
Real-time visibility into what every device is communicating with. Not usage data from yesterday. Live session information, network events, and anomaly detection that let you respond to threats as they happen.
Zero Trust policy enforcement at the connection level. Instead of trusting a device because it connected successfully, every communication is verified against a policy. Instead of giving broad network access, each device reaches only the specific resources it needs.
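As an added illustration of the per-device policy check and real-time visibility described above (example code written for this article, not IXT's software or API): each SIM, identified by its ICCID, is allowed only specific destinations, and constructed session records are triaged into allow, deny and alert verdicts. All ICCIDs, addresses, ports and byte baselines are made-up values.

```python
"""Per-SIM connection policy check over constructed cellular IoT session records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    network: str  # destination CIDR the device may reach
    port: int     # destination port it may use


# Constructed policy keyed by ICCID (the SIM is the device's identity anchor).
# Hypothetical devices: a camera that may only reach its video broker over
# MQTT/TLS, and a meter that may only reach a private collector over HTTPS.
POLICY: Dict[str, List[Rule]] = {
    "89470000000000000011": [Rule("10.20.0.0/24", 8883)],
    "89470000000000000022": [Rule("10.30.5.0/24", 443)],
}

# Constructed per-device byte baseline; a session far above it is flagged
# even when the destination itself is permitted.
BASELINE_BYTES: Dict[str, int] = {"89470000000000000011": 2_000_000,
                                  "89470000000000000022": 50_000}
SPIKE_FACTOR = 5


def evaluate(session: dict) -> str:
    """Verdict for one record {iccid, dst_ip, dst_port, bytes}."""
    rules = POLICY.get(session["iccid"])
    if rules is None:
        return "deny:unknown-device"  # SIM not enrolled: no implicit trust
    dst = ip_address(session["dst_ip"])
    if not any(dst in ip_network(r.network) and session["dst_port"] == r.port
               for r in rules):
        return "deny:unexpected-destination"
    baseline = BASELINE_BYTES.get(session["iccid"])
    if baseline and session["bytes"] > SPIKE_FACTOR * baseline:
        return "alert:volume-spike"
    return "allow"


# Constructed session records, shaped like a connectivity platform export.
SESSIONS = [
    {"iccid": "89470000000000000011", "dst_ip": "10.20.0.7", "dst_port": 8883, "bytes": 1_500_000},
    {"iccid": "89470000000000000011", "dst_ip": "203.0.113.9", "dst_port": 443, "bytes": 4_000},
    {"iccid": "89470000000000000022", "dst_ip": "10.30.5.2", "dst_port": 443, "bytes": 900_000},
    {"iccid": "89470000000000000099", "dst_ip": "10.30.5.2", "dst_port": 443, "bytes": 1_000},
]


def triage(sessions: List[dict]) -> List[Tuple[str, str]]:
    """Pair every session's ICCID with its verdict, in input order."""
    return [(s["iccid"], evaluate(s)) for s in sessions]


if __name__ == "__main__":
    for iccid, verdict in triage(SESSIONS):
        print(iccid, verdict)
```

The second record shows the case from section 4: a camera reaching an address outside its allowlist is denied rather than blending into normal traffic, and the third shows a permitted destination still raising an alert on volume.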
This is the logic behind Zero Trust for IoT. The security architecture works without client software, without device-level agents, and without assuming the device is smart enough to participate in its own protection. The SIM and the network do the work.
If your IoT devices are the hardest things to secure on your network, start by looking at how they connect. That is where the security conversation begins.
Want to see how network-level IoT security works in practice? Request a test SIM or book a meeting with the team.
About IXT
IXT is a full MVNO (Mobile Virtual Network Operator) purpose-built for IoT. The company provides secure, scalable IoT connectivity with global SIMs, private networking, and smart management tools for seamless device control. IXT operates across 600+ mobile networks in 190+ countries, serving European enterprises in industrial automation, security, tracking and logistics, and EV charging. Headquartered in Norway, IXT's connectivity management platform (CMP) provides real-time visibility into device status, data usage, and network events. Security options range from private APN and VPN tunnels to SASE-ready architecture and Zero Trust Network Access powered by Zscaler ZTNA.
Frequently Asked Questions
Why is IoT security different from IT security?
IoT security differs from IT security because IoT devices cannot protect themselves the way traditional IT endpoints do. Most IoT devices lack the processing power to run endpoint security agents, cannot be patched on regular cycles, do not authenticate through user credentials, and often bypass corporate firewalls by connecting over cellular networks. IT security is built around the assumption that every endpoint actively participates in its own defense. IoT devices operate headlessly, autonomously, and for long lifecycles in remote locations, which means security must be applied at the network layer rather than the device layer.
What are the biggest IoT security vulnerabilities?
The biggest IoT security vulnerabilities stem from the structural limitations of connected devices. These include unpatched firmware (responsible for 60% of IoT breaches according to the IoT Security Foundation), inability to run endpoint detection software, default credentials that are never changed, lack of encryption on device communications, and absence of network segmentation between IoT and IT systems. Forescout's 2025 report found a 15% year-over-year increase in average device risk, with routers and network infrastructure representing the most critically vulnerable device categories.
How do you secure IoT devices that cannot run security software?
When IoT devices cannot run security agents, the security boundary shifts to the network layer. This involves three approaches: private networking (routing IoT traffic through isolated, encrypted pathways rather than the public internet), real-time traffic monitoring (detecting anomalous device behavior at the connectivity level), and Zero Trust Network Access (verifying every connection request before granting access to specific applications). Together, these approaches protect the device from the outside in, rather than relying on the device to protect itself.
What is Zero Trust for IoT?
Zero Trust for IoT is a security architecture that applies Zero Trust principles to connected devices. Instead of trusting a device because it registered on the network, every communication is verified against a policy before access is granted. Each device reaches only the specific applications and resources it needs. No exposed ports. No broad network access. No implicit trust. For IoT, Zero Trust must work without client software on the device, making the SIM and the network the enforcement points rather than the endpoint itself.
Why do VPNs not work for IoT security?
VPNs fail for IoT security for three structural reasons. First, most IoT devices lack the processing power and operating system to run VPN client software. Second, VPNs grant full network access once a tunnel is established, meaning a single compromised connection provides lateral movement across the network. Third, VPN certificate and tunnel management does not scale to thousands of devices across multiple countries. Zero Trust Network Access replaces VPN-based access with device-initiated connections that are verified per session and restricted to specific applications.
Sources referenced in this article:
- IoT Analytics, "State of Enterprise IoT 2026" report, January 2026
- Verizon, Data Breach Investigations Report (DBIR)
- Forescout, "Riskiest Connected Devices of 2025" report, April 2025
- IoT Security Foundation
- EU NIS2 Directive (Directive 2022/2555), Article 21