Why manufacturers and industrial OEMs are moving Zero Trust to the SIM
Industrial firms face a double bind: attacks keep rising while EU regulation expects demonstrable control across devices, networks, and suppliers.
Manufacturing has been the most-attacked industry for four years in a row, with extortion and data theft leading the impact profile (IBM, 2025). At the same time, downtime costs for leading manufacturers can reach $2.3M per hour on critical lines (automotive), magnifying the business risk of any compromise (Siemens, 2024).
This whitepaper outlines a practical path: embed Zero Trust into connectivity so device traffic never touches the public internet, policy is enforced per device/session, and your security story aligns with NIS2 and IEC/ISA 62443.
The threat is up. So is board responsibility.
- Threat landscape: Manufacturing remained the most-targeted sector in 2024/2025, driven by extortion, data theft, and legacy tech exposures in plants (IBM, 2025).
- Ransomware pressure: Ransomware features prominently in breaches and dominates system-intrusion patterns in the latest DBIR set (Verizon, 2025).
- Regulatory expectations: NIS2 raises the bar for risk management, incident reporting, and supply-chain security; ENISA has issued technical implementation guidance mapping required controls and evidence (ENISA, 2025).
- Business impact: Hourly downtime costs in automotive/factory environments frequently exceed $1–3M per hour, with large automotive plants averaging $2.3M/hour (ITIC, 2024).
Implication for decision-makers: Flat VPN/APN architectures expand the blast radius and complicate compliance narratives. You need isolation, least-privilege access, and verifiable controls at the connectivity layer.
"We’re seeing a surge in targeted attacks on mobile-connected devices. Rogue base stations, OTA exploits, even SIM manipulation. You can’t rely on legacy defences or assume carriers are protecting every layer." - Henning Solberg, CEO & CTO, IXT
Why change the connectivity model now
Traditional mobile IoT uses public internet paths, exposed IPs, shared tunnels (VPN/APN), and site-by-site rules. That creates:
- Public exposure (scannable IPs/gateways) and lateral-movement risk after initial compromise.
- Inconsistent policy across markets, vendors, and plants.
- Complex audits for NIS2/62443 because controls aren’t applied per asset/session.
Zero Trust at the SIM flips this: device-initiated access, no exposed IPs, per-session policy at the edge, and private routing directly to your cloud/DC, removing public internet exposure.
Why IoT needs a new approach
Traditional security models have long worked on a simple assumption: what’s inside the firewall is safe, what’s outside is not. But as Marius Holmsen, security expert, explained in a recent conversation:
“We need to stop assuming anything is secure – whether it’s inside or outside. Every device, every connection must be validated.”
Why zero trust matters for IoT
with Marius Holmsen, Shift Security
IoT environments are uniquely exposed. Devices often sit in remote or public locations – think municipal pump stations, EV chargers or sensors in logistics hubs. Attackers only need to find one weak point. From there, they can move laterally through a system to reach the real target, whether that’s customer data or payment systems.
Marius gave the example of Target’s major breach in the US: attackers first gained access via an HVAC system vendor, then moved deeper into the company’s IT.
“That story is over 10 years old, but it’s just as relevant today. Many IoT setups still expose themselves in exactly the same way.”
What makes zero trust different
Instead of funnelling devices into one broad VPN tunnel – effectively a “cable straight into your network” – zero trust takes each connection and applies strict control:
- Each device is identified and validated
- Each request is checked against policy (time, location, application, patch status)
- Access is granted only to the specific resource needed, nothing more
As Marius put it: “Zero trust means we don’t actually trust anyone – not by default. We verify everything, every time.”
This removes the traditional attack surface: there are no exposed endpoints, no open doors. Communication is initiated from inside-out, making it invisible to outside attackers.
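As an added illustration (not IXT's code, and not a description of its product internals), the following Python sketch applies the per-request checks listed above: every request is re-evaluated, a device with no policy is denied, and a device's policy names only the one resource it needs, so a request for any other host is refused. All device IDs, hostnames, hours and patch thresholds are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """One request from one device; every field is re-checked each time."""
    device_id: str
    hour: int          # local hour of the request, 0-23
    country: str       # network-reported location
    app: str           # application the device is asking to use
    patch_level: int   # firmware patch level reported by the device
    resource: str      # the specific endpoint requested

@dataclass(frozen=True)
class Policy:
    """Segment-of-one policy: one device, one app, an explicit resource set."""
    allowed_hours: range
    allowed_countries: frozenset
    app: str
    min_patch: int
    resources: frozenset

def evaluate(session: Session, policies: dict) -> tuple:
    """Return (allowed, reason); default deny for unknown devices and unlisted resources."""
    policy = policies.get(session.device_id)
    if policy is None:
        return False, "unknown device"
    if session.hour not in policy.allowed_hours:
        return False, "outside service window"
    if session.country not in policy.allowed_countries:
        return False, "location not permitted"
    if session.app != policy.app:
        return False, "application not permitted"
    if session.patch_level < policy.min_patch:
        return False, "patch level below minimum"
    if session.resource not in policy.resources:
        return False, "resource not in segment-of-one"
    return True, "allowed"

# Constructed sample policy for one shipped machine (hypothetical values)
POLICIES = {
    "sim-0001": Policy(range(6, 22), frozenset({"DE", "NL"}), "telemetry", 7,
                       frozenset({"mqtt.example.internal:8883"})),
}

def demo() -> tuple:
    """Own broker allowed; an unrelated ERP host (lateral movement) denied."""
    own = Session("sim-0001", 10, "DE", "telemetry", 7, "mqtt.example.internal:8883")
    erp = Session("sim-0001", 10, "DE", "telemetry", 7, "erp.example.internal:443")
    return evaluate(own, POLICIES), evaluate(erp, POLICIES)
```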
Two things make zero trust urgent for IoT in 2025:
- Rising threat levels – critical infrastructure (waste management, food transport, utilities) is increasingly targeted. Marius says: “A lot of these systems were set up years ago without security in mind – and they’re vulnerable to state-backed actors today.”
- Regulation – the EU’s NIS2 directive will soon apply, forcing industries seen as critical infrastructure to meet stricter security standards.
Watch the webinar about Zero Trust at the SIM on demand here to learn more.
The IXT approach: built for industrial
IXT Global SIM - THE Secure SIM for IoT
Security isn’t bolted on. We embed Zero Trust and private networking into connectivity:
- Zero Trust Connectivity: Per-session policy enforcement at the edge; applications and devices are not exposed to the internet; no VPN sprawl.
- SecureNet (Private Networking): Private APN/DNN, dual VPN tunnels, and direct cloud connect (AWS/Azure/GCP) so IoT traffic stays off public networks.
- CMP (Connectivity Management Platform): Real-time SIM status, usage, diagnostics, alerts, reporting, and API access for at-scale control.
- Global SIM options: SIM/eSIM/iSIM, multi-network access per country, global data pooling for resilience and scale.
Outcome: Smaller attack surface, simpler operations, and a compliance-ready story for boards and auditors.
Industrial sub-segments
Machine & equipment OEMs
Reality: Devices ship globally; service teams need remote access; OEMs inherit security/accountability from customer environments.
Risk: Flat VPNs and exposed endpoints enable lateral movement and complicate 62443 zoning (source).
What to do: Ship with “segment-of-one” connectivity, device-initiated access, app-specific permissions; no exposed IPs; private routing to your cloud/portal.
Environmental & condition monitoring
Reality: Distributed sensors sending continuous telemetry (air quality, vibration, leak, occupancy).
Risk: Internet-reachable endpoints drive ransomware/extortion blast-radius; credentials reuse and known-vuln exploits persist (IBM, 2025).
What to do: Enforce Zero Trust at the SIM and SecureNet paths so telemetry never traverses the public internet, with CMP to detect anomalies per SIM.
Factory automation & systems engineering
Reality: Multi-site rollouts across countries with varied carriers and integrators.
Risk: Inconsistent policy and fragmented visibility undermine NIS2 obligations and supplier-risk narratives (source).
What to do: Standardise on a single global SIM + CMP, apply per-session Zero Trust policy, and route via direct cloud connects for deterministic paths.
Asset/maintenance platforms
Reality: Mixed fleets, roaming assets, cross-border SLAs; need uptime and clear audit trails.
Risk: Shared tunnels and static routes create wide blast radii; weak credential hygiene is common in field operations.
What to do: Use global data pool + SIM-level policy to unify fleets, reduce overages, and confine access per application/session.
Compliance alignment in plain language
- NIS2: IXT’s model supports Article 21-style risk management by removing public exposure, enforcing least-privilege per session, and giving evidence via CMP reporting and policy logs. ENISA’s 2025 guidance provides mappings and examples of acceptable evidence you can use in audits (source).
- IEC/ISA 62443: Zero Trust at the SIM helps implement zones & conduits and eliminates broad network access inherent in VPNs, a cleaner fit for IACS risk-based segmentation.
"Looking ahead, the line between connectivity and security will continue to blur. Tomorrow’s most resilient IoT operations will treat the network not just as a pipe, but as a programmable, policy-aware shield." - Henning Solberg, CEO & CTO, IXT
Business case (what boards care about)
- Reduced downtime risk: Containing incidents to a single device/session helps avoid multi-line shutdowns whose costs can exceed $2.3M/hour in auto and $1–3M/hour in other verticals (Siemens, 2024).
- Lower complexity: Eliminating VPN sprawl reduces certificate management, firewall change debt, and site-by-site rules, directly cutting operational risk and audit effort.
- Regulatory confidence: A clear story for boards and regulators: no public internet, least privilege, evidence of control.
"When it comes to IoT, public networks are public territory. Accessible to anyone, including threat actors. It’s time to treat every network connection as untrusted until proven otherwise." - Henning Solberg, CEO & CTO, IXT
Quick start checklist for industrial leaders
- Identify internet exposure: Which devices/networks are reachable or rely on exposed gateways? (Target “no exposed IPs” as a policy.)
- Prioritise segments: Start with remote service endpoints and distributed sensors (most internet-adjacent).
- Adopt SIM-level Zero Trust: Enforce device-initiated connections and per-session policy at the edge.
- Move to private routing: Use SecureNet to keep traffic off the public internet and peer directly to your cloud.
- Instrument control & evidence: Turn on CMP diagnostics, alerting, and reporting for audit trails and supplier oversight.
What to expect with IXT
- Faster time to “secure by default”: Activate SIMs, apply Zero Trust connectivity, and lock routes privately to your cloud/DC.
- Scalable globally: One SIM footprint (SIM/eSIM/iSIM) across regions with multi-network resilience and global data pooling.
- Clarity for tenders & audits: A connectivity architecture that maps cleanly to NIS2 expectations and IEC/ISA 62443 zoning.