Why site-to-site VPNs don’t work at grid edge scale
Discover why traditional site-to-site VPNs fail at grid-edge scale and how Zero Trust can enhance operational security for smart grids and distributed energy deployments.
Smart grids, AMI 2.0 rollouts, substation automation and distributed energy are pushing millions of devices to the grid edge. Teams respond with more APNs and bigger site-to-site VPNs. It works for a while, until it doesn’t. As deployments grow beyond a handful of sites, flat networks become fragile, hard to audit and risky to operate.
Below is a practical look at why VPNs fail at grid-edge scale, what a Zero Trust pattern looks like for OT, and how IXT SecureNet implements it without ripping out what you already have.
VPNs were designed to connect trusted networks. Utilities don’t have “one trusted network” any more; they have thousands of small, intermittently connected sites, many run by contractors, all changing over time. A site-to-site VPN drops every device on one side into the same flat address space as the other. That makes day-to-day ops easy, until an account is phished, a laptop is lost, or a misconfigured rule exposes half your estate.
Meanwhile, field teams need surgical access to one device for one task. VPNs give them a fire hose.
1) Lateral movement from a single compromised credential
Shared VPN accounts or jump hosts are convenient. They also mean a single phished password can see more than it should. Once inside a flat subnet, an attacker can scan, pivot and tamper.
2) Shadow rules and “temporary” exceptions that never die
An urgent fault, a quick firmware push, a contractor who needs access “just for today”. Exceptions pile up, and nobody is fully sure what’s open where.
3) IP allow-lists that don’t match the real world
Dynamic addresses, roaming SIMs and multi-tenant platforms make static IP allow-lists brittle. You either over-permit or lock people out.
4) Over-exposed protocols at the grid edge
RTUs, IED gateways, meters and field controllers speak MQTT, IEC-104, DNP3 and DLMS/COSEM. A flat tunnel can expose management interfaces you never meant to publish.
5) Audit you can’t actually use
VPNs tell you a user connected to a network. They rarely tell you which device they touched, which flows were approved, or when a session truly ended.
Identity first, for people and things
Every device has a strong identity (SIM/eUICC + device posture). Every user does too (MFA/identity provider). No identity, no access.
Approve only the flows a task needs
Define protocols and FQDNs per device type. Allow MQTT to a defined broker, IEC-104/DNP3 to named SCADA headends, DLMS/COSEM to metering systems—and block everything else by default.
Per-session, per-app access
When someone needs to work on a site, grant time-bound access to a single device for a specific protocol. When the job is done, the session auto-expires and the door closes.
Segmentation without flat networks
No site-to-site tunnels that merge subnets. Build thin, temporary paths for specific tasks.
Audit that’s actually useful
Record who accessed which device, for how long, with which protocol, and what policy allowed it. Make it easy to review and revoke.
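As an added illustration of the pattern above (identity-keyed allow-lists, per-session access, and a usable audit trail), here is a hypothetical policy engine in Python. It is not IXT SecureNet's code and does not describe how SecureNet is implemented; the device types, hostnames, user names and timestamps are constructed for the walkthrough. It shows flow rules keyed on what a device is rather than on its subnet, default deny for anything unlisted (including a management protocol nobody published), a time-boxed grant for one engineer on one device over one protocol, early revocation, and a log entry for every decision stating which policy produced it.

```python
"""Default-deny, identity-keyed flow policy with time-boxed sessions and audit.
Hypothetical example, not IXT SecureNet code. Device ids, users, FQDNs and
timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Fixed clock so the walkthrough is reproducible (constructed timestamp).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)

@dataclass(frozen=True)
class FlowRule:
    protocol: str
    destination: str  # an FQDN, never an IP address or subnet

# Allow-lists keyed on device type (what the asset is), not on subnet (where it
# sits). Anything not listed is denied by default. Hostnames are constructed.
DEVICE_TYPE_POLICY: Dict[str, List[FlowRule]] = {
    "rtu": [FlowRule("iec104", "scada-headend.utility.internal"),
            FlowRule("dnp3", "scada-headend.utility.internal")],
    "meter": [FlowRule("dlms", "mdms.utility.internal")],
    "gateway": [FlowRule("mqtt", "broker.utility.internal")],
}

@dataclass(frozen=True)
class Device:
    device_id: str    # stands in for the SIM/eUICC-anchored identity
    device_type: str

@dataclass
class SessionGrant:
    user: str
    device_id: str
    protocol: str
    expires_at: datetime

class PolicyEngine:
    """Decides device flows and engineer sessions; every decision is recorded."""

    def __init__(self) -> None:
        self.grants: List[SessionGrant] = []
        self.audit: List[dict] = []

    def _record(self, now: datetime, **entry) -> None:
        self.audit.append({"ts": now.isoformat(), **entry})

    def evaluate_device_flow(self, device: Device, protocol: str,
                             destination: str, now: datetime) -> Tuple[bool, str]:
        """Machine flow: allowed only if the device type's list names protocol and FQDN."""
        allowed = FlowRule(protocol, destination) in DEVICE_TYPE_POLICY.get(device.device_type, [])
        reason = "device-type allow-list" if allowed else "default deny"
        self._record(now, kind="device", subject=device.device_id, protocol=protocol,
                     destination=destination, allowed=allowed, policy=reason)
        return allowed, reason

    def grant_session(self, user: str, device_id: str, protocol: str,
                      now: datetime, minutes: int) -> SessionGrant:
        """Time-boxed grant: one user, one device, one protocol, then it expires."""
        grant = SessionGrant(user, device_id, protocol, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        self._record(now, kind="grant", subject=user, device=device_id, protocol=protocol,
                     expires=grant.expires_at.isoformat(), allowed=True, policy="just-in-time grant")
        return grant

    def revoke(self, user: str, device_id: str, now: datetime) -> None:
        """Close the door early by expiring the grant; it stays in the log for review."""
        for g in self.grants:
            if g.user == user and g.device_id == device_id:
                g.expires_at = min(g.expires_at, now)
        self._record(now, kind="revoke", subject=user, device=device_id,
                     allowed=False, policy="manual revoke")

    def evaluate_user_access(self, user: str, device_id: str, protocol: str,
                             now: datetime) -> Tuple[bool, str]:
        """Engineer access: only while a matching grant is still live."""
        live = any(g.user == user and g.device_id == device_id and g.protocol == protocol
                   and now < g.expires_at for g in self.grants)
        reason = "active session grant" if live else "no live grant (default deny)"
        self._record(now, kind="user", subject=user, device=device_id,
                     protocol=protocol, allowed=live, policy=reason)
        return live, reason

def demo() -> PolicyEngine:
    """One RTU and one maintenance task; returns the engine so the audit can be read."""
    engine = PolicyEngine()
    rtu = Device("sim-8944-0001", "rtu")
    engine.evaluate_device_flow(rtu, "iec104", "scada-headend.utility.internal", T0)
    engine.evaluate_device_flow(rtu, "mqtt", "broker.utility.internal", T0)  # wrong protocol for an RTU
    engine.evaluate_device_flow(rtu, "ssh", "scada-headend.utility.internal", T0)  # never published
    engine.evaluate_user_access("eng.alice", rtu.device_id, "iec104", T0)  # no grant yet
    engine.grant_session("eng.alice", rtu.device_id, "iec104", T0, minutes=30)
    engine.evaluate_user_access("eng.alice", rtu.device_id, "iec104", minutes_after(10))
    engine.revoke("eng.alice", rtu.device_id, minutes_after(15))
    engine.evaluate_user_access("eng.alice", rtu.device_id, "iec104", minutes_after(20))
    return engine
```

Run `demo()` and print `engine.audit` to see the eight decisions in order: one approved RTU flow, two default denials, a pre-grant denial, the grant, an approved session, the revocation, and the post-revocation denial. The point of carrying `policy` in every record is that an incident reviewer can answer "what allowed this?" from the log alone, which a VPN connection log cannot do.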
Our secure IoT SIM gives resilient coverage across borders with multi-IMSI and eUICC profile management. Steer by policy, not luck, and swap profiles over the air to avoid site visits.
Each device gets a cryptographic identity anchored to its SIM/eUICC. Policies follow that identity, so you can enforce controls per device and per fleet, not per subnet.
Approve only the flows your assets need: MQTT, IEC-104/DNP3, DLMS/COSEM or standard IP to defined FQDNs. Everything else is denied by default.
Grant an engineer time-boxed access to a single device/session for maintenance. No broad VPN, no shared jump host. Sessions close automatically.
Every session is logged with identity, device, policy and duration. You get an audit trail you can actually use in incident reviews and compliance checks.
SecureNet layers on top of your existing platforms and APNs where needed. You can phase out flat tunnels at your pace while gaining control and visibility from day one.
VPNs join networks. Utilities need to join people and devices to tasks—briefly, narrowly and with proof. If you’re scaling AMI, substation automation or distributed energy, moving from flat tunnels to per-session, per-app access is the difference between “mostly fine” and “operationally safe”.
Download the utilities edition of our Zero Trust guide to see the pattern, checklists and reference architecture.
Want to prove it? Request a test SIM and we’ll help you pilot just-in-time access on 10–20 sites.
IXT writes about IoT connectivity because we build it. We’re a Full-MVNO with our own core network and a CMP we designed in-house, so we see what works at scale and what doesn’t. Our team has decades of experience in M2M/IoT, from network engineering to enterprise rollouts, so the guidance we share is practical, vendor-agnostic and field-tested. Connect, secure and manage devices with confidence using our IoT Connectivity.
IXT – Connected. Secure. Everywhere.
A: VPNs create a flat, shared network once a tunnel is open; if one device is compromised, attackers can move laterally across sites. They’re also complex to manage at scale and don’t meet modern compliance requirements like NIS2.
A: Zero Trust removes implicit trust. Each device session is verified individually, with least-privilege access and application-level isolation. This means even if one endpoint is breached, the rest of your network remains protected.
A: IXT SecureNet embeds Zero Trust directly into connectivity. It uses private APN/DNN, dual VPN tunnels, and per-session policy enforcement, keeping operational traffic off the public internet while maintaining central visibility through the CMP.
A: Start by deploying IXT Secure SIMs on existing devices. Connect them via SecureNet to segment traffic securely. Use the Connectivity Management Platform (CMP) to monitor data flows, apply policies, and scale gradually across regions.