Zero Trust for IoT: A Practical Guide to Securing Connected Devices
Zero Trust for IoT is a security architecture enforcing continuous verification, least-privilege access, and network segmentation for connected devices.
Unlike VPNs and private APNs, Zero Trust eliminates the attack surface by allowing only device-initiated connections with no exposed ports. It applies identity-based access control at the SIM and network level, making it effective for headless IoT and OT devices lacking the resources to run endpoint security software. Zero Trust for IoT aligns with NIST SP 800-207 principles and directly supports NIS2 compliance requirements for risk management, access control, incident detection, and supply chain security. IXT, a full MVNO operating across 600+ mobile networks in 190+ countries, includes Zero Trust as standard with every IXT Global SIM deployment, powered by Zscaler ZTNA and Illumio visualisation.
Why does IoT need a different security model?
Connected devices now run critical infrastructure across every industry. Power grids, water treatment plants, factory floors, EV charging networks, surveillance systems, and logistics fleets all depend on IoT devices to operate. According to IoT Analytics, the number of connected IoT devices reached 21.1 billion globally in 2025, growing 14% year over year, with projections exceeding 25 billion in 2026.
The problem is that most of these devices were never designed with security in mind. They ship with default credentials, run firmware that is rarely updated, and lack the computing resources to run security software. Research from Forescout shows average device risk scores increased 15% year over year in 2025, with routers and IoT endpoints carrying the most critical vulnerabilities.
The consequences are measured in real numbers. IoT devices face approximately 820,000 attacks per day. IoT malware surged 124% in 2025. Ransomware targeting operational technology systems rose 46% during the same period, according to Nozomi Networks. The average cost of an IoT security incident is $330,000, while breaches involving industrial IoT regularly exceed $10 million.
Traditional security approaches assumed everything inside the network perimeter was safe. This assumption is now the vulnerability. Firewalls protect the boundary. VPNs create encrypted tunnels. Private APNs isolate traffic. None of these approaches verify what a device is doing once it connects, or limit what it is allowed to reach.
Zero Trust offers a different model. Instead of trusting devices based on their network location, Zero Trust verifies every connection, limits every access path, and monitors every communication.
What is Zero Trust and what are its core principles?
Zero Trust is a security architecture built on one principle: never trust, always verify. No device, user, or connection is granted access based on where it sits on the network. Every request is authenticated, authorized, and continuously evaluated.
The concept is formalized in NIST Special Publication 800-207, published by the U.S. National Institute of Standards and Technology. NIST defines Zero Trust as a set of cybersecurity paradigms shifting defenses away from static network perimeters and toward a focus on users, assets, and resources.
The key tenets of Zero Trust, as outlined by NIST, include:
All resources are treated as if they exist on a hostile network. This applies to IoT devices, SaaS applications, printers, and any connected endpoint.
Access decisions are made per session and continuously evaluated. Trust is not granted once at login and assumed from there. It is reassessed based on context, behavior, and risk.
Authentication and authorization are enforced for every connection. No exceptions for internal traffic or previously verified devices.
Least-privilege access is the standard. A device or user receives access only to the specific resources required for the task at hand. Nothing more.
One clarification matters here: Zero Trust is not a product you buy. It is an architectural approach. It governs how you design access control, verify identity, monitor behavior, and segment your network.
Zero Trust was originally designed for IT environments, where users log in to laptops, authenticate with passwords, and run security agents. IoT devices do not work this way. They are headless. They do not support user logins. They lack the compute resources for endpoint software. Applying Zero Trust to IoT requires a different implementation, one enforcing security at the network and connectivity layer rather than on the device itself.
Why do VPNs and private APNs fall short for IoT security?
Most IoT deployments today rely on three security layers: firewalls at the perimeter, VPNs for remote access, and private APNs for network isolation. Each provides value. None is sufficient on its own.
Perimeter security assumes trust inside the network. A firewall protects the boundary between the corporate network and the internet. Once a device or user is past the perimeter, they typically have broad access to internal resources. A compromised IoT device, whether a camera, a sensor, or a gateway, becomes a stepping stone to more valuable targets. Forescout demonstrated this attack pattern in their R4IoT research, showing how an attacker moves from a compromised IP camera (IoT) to a workstation (IT) and then disables programmable logic controllers (OT) in a single chain.
VPNs were built for people, not devices. A VPN creates an encrypted tunnel between two endpoints. The problem is what happens after the tunnel is established. VPNs grant network-level access. Once connected, the user or device has visibility into the broader network. For IoT environments, this creates specific challenges. Each device needs VPN credentials managed individually. Most IoT hardware lacks the compute resources to run a VPN client. A single compromised VPN credential opens the full network to the attacker.
The SANS ICS 2025 survey found that, among organizations experiencing an OT cybersecurity incident, half traced the origin to external connectivity or remote access pathways. VPN was the most common method of remote access for the vendors, technicians, and contractors involved.
Private APNs isolate traffic but assume trust within. A private APN keeps IoT data off the public internet by routing it through a dedicated network path. This is a meaningful step. It prevents casual interception and keeps device traffic separate from general internet traffic. The limitation is that a private APN does not inspect what devices are doing within the private network. If a sensor starts communicating with an unexpected destination, or if a compromised device begins lateral movement, the APN itself will not detect, alert, or block the behavior.
The common thread across these approaches: they authenticate at the door, then trust everything happening inside. They provide connectivity and some degree of isolation. They do not provide continuous verification, granular access control, or visibility into device behavior.
How do VPN, private APN, and Zero Trust compare for IoT?
Attack surface
  VPN: Exposed ports, full network access once connected
  Private APN: Isolated from public internet, trust assumed inside
  Zero Trust: No exposed ports. Device-initiated connections only.
Device visibility
  VPN: Tunnel status only
  Private APN: No insight into device behavior
  Zero Trust: Full traffic mapping with anomaly detection
Third-party access
  VPN: Full network access via VPN client
  Private APN: Not specifically addressed
  Zero Trust: Application-specific, time-limited, recorded sessions
Client software
  VPN: Required on every device
  Private APN: None
  Zero Trust: None. Security enforced at network level.
NIS2 alignment
  VPN: Encryption only
  Private APN: Limited audit trail
  Zero Trust: Full audit trail, segmentation, and access control
Built for
  VPN: Laptops and users
  Private APN: Basic IoT traffic isolation
  Zero Trust: IoT and OT, including headless devices
How does Zero Trust work for IoT devices?
Applying Zero Trust to IoT requires adapting the architecture for devices operating in constrained, headless, and remote environments. The implementation works across four layers.
Eliminating the attack surface
In a traditional setup, servers and applications expose ports and IP addresses so devices reach them. Every exposed port is a target for scanning, probing, and exploitation.
Zero Trust reverses this model. All connections are device-initiated. No inbound ports are exposed on the application side. This is achieved through a broker or proxy architecture, aligned with the policy enforcement point model described in NIST SP 800-207. The device connects outbound to a trusted broker, which then connects it to the authorized application. The device and the application never communicate directly on the open network. If the application exposes no listening port, there is nothing for a scanner to find or probe.
For IoT connectivity providers operating at the SIM and cellular level, this enforcement happens before traffic ever reaches the public internet. The SIM routes traffic through private infrastructure and into the Zero Trust enforcement layer. This is the approach IXT takes as standard with every Global SIM deployment: traffic is routed through private infrastructure and inspected by the Zscaler Zero Trust Exchange before reaching any application. No exposed ports. No VPN required.
Identity and access control at the device level
In IT environments, Zero Trust ties identity to the user. In IoT, identity is tied to the device or the SIM itself.
Each device is authenticated before any connection is established. Access policies define which specific applications or endpoints a device is allowed to reach. A temperature sensor in a factory is authorized to send data to the monitoring platform. It is not authorized to reach the ERP system, the email server, or any other resource on the network. If it tries, the connection is denied.
This replaces the broad network access VPNs grant with precise, application-specific permissions. The result is a significantly smaller blast radius if any single device is compromised.
Continuous traffic monitoring and anomaly detection
Trust is not granted once and forgotten. In a Zero Trust architecture, device behavior is monitored continuously.
Traffic mapping shows which devices communicate with which endpoints. Normal patterns are established over time. When a power meter that has always reported to the same monitoring application suddenly starts sending data to an unfamiliar server, the system flags the anomaly and alerts the operations team.
This visibility layer is especially important for IoT. Devices often operate autonomously for months or years without human interaction. Without continuous monitoring, a compromised device can exfiltrate data, participate in a botnet, or serve as a pivot point for lateral movement, all without anyone noticing.
Microsegmentation
Even within a private network, Zero Trust segments devices so a compromise in one segment does not cascade across the environment.
Segmentation policies are enforced based on device identity, not physical network location. A camera and a PLC on the same factory floor are governed by entirely different security policies. The camera reaches the video management system. The PLC reaches the SCADA controller. Neither reaches the other.
For deployments spanning multiple countries and mobile networks, segmentation policies follow the device. The same rules apply whether the device connects in Germany, the Netherlands, or Sweden.
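The device-level access policy, the baseline-and-anomaly monitoring, and the identity-based segmentation described in the three sections above, as one added example in Python that is not IXT, Zscaler or Illumio code. The device identities, roles, destination hosts and flow records are constructed for illustration; the SIM identity stands in for whatever identity the enforcement point actually carries.

```python
"""Illustrative Zero Trust policy engine for SIM-identified IoT devices.

Added example, not IXT, Zscaler or Illumio code. Device identities, roles,
destinations and flow records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device_id: str   # identity carried by the SIM, not a network location
    dst_host: str
    dst_port: int


# Device identity -> segment/role (constructed inventory).
DEVICE_ROLES = {
    "sensor-temp-01": "sensor",
    "plc-07": "plc",
    "cam-03": "camera",
    "meter-12": "meter",
}

# Least-privilege policy: each role may reach only the listed endpoints.
# Anything not listed is denied (default deny), including other devices,
# so the camera and the PLC on the same floor can never reach each other.
ROLE_POLICY = {
    "sensor": {("monitoring.example.internal", 8883)},
    "plc": {("scada.example.internal", 502)},
    "camera": {("vms.example.internal", 443)},
    "meter": {("monitoring.example.internal", 8883)},
}


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one device-initiated connection."""
    role = DEVICE_ROLES.get(flow.device_id)
    if role is None:
        return "deny"  # unknown identity: no implicit trust
    allowed = ROLE_POLICY.get(role, set())
    return "allow" if (flow.dst_host, flow.dst_port) in allowed else "deny"


def build_baseline(history):
    """Learn which destinations each device normally talks to (traffic map)."""
    baseline = defaultdict(set)
    for f in history:
        if evaluate(f) == "allow":
            baseline[f.device_id].add((f.dst_host, f.dst_port))
    return baseline


def inspect(flows, baseline):
    """Apply policy to each flow and flag deviations from the learned baseline.

    Returns a list of (device_id, decision, anomaly) tuples. A flow is an
    anomaly when the destination is new for that device, whether or not
    policy allowed it, so operations can review policy drift as well as abuse.
    """
    results = []
    for f in flows:
        decision = evaluate(f)
        anomaly = (f.dst_host, f.dst_port) not in baseline.get(f.device_id, set())
        results.append((f.device_id, decision, anomaly))
    return results


# Constructed history of normal, policy-conformant traffic.
HISTORY = [
    Flow("meter-12", "monitoring.example.internal", 8883),
    Flow("sensor-temp-01", "monitoring.example.internal", 8883),
    Flow("cam-03", "vms.example.internal", 443),
    Flow("plc-07", "scada.example.internal", 502),
]

# Constructed new observations, one per scenario from the text.
OBSERVED = [
    Flow("meter-12", "monitoring.example.internal", 8883),       # normal
    Flow("meter-12", "203.0.113.45", 443),                        # unfamiliar server
    Flow("sensor-temp-01", "erp.example.internal", 443),          # sensor -> ERP
    Flow("cam-03", "scada.example.internal", 502),                # camera -> PLC segment
    Flow("unknown-sim-99", "monitoring.example.internal", 8883),  # unregistered SIM
]


def run_demo():
    """Evaluate the observed flows against policy and the learned baseline."""
    return inspect(OBSERVED, build_baseline(HISTORY))
```

Only the first observed flow is both allowed and unremarkable; every other flow is denied by default and also surfaces as an anomaly for the operations team.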
What role does cellular connectivity play in Zero Trust for IoT?
Most IoT devices operating outside of fixed premises connect over cellular networks. Cellular has inherent advantages for security. It is physically separated from corporate IT networks. SIM-based authentication provides a hardware root of trust that is harder to spoof than software credentials. Cellular traffic does not share the same infrastructure as employee laptops, email, and cloud applications.
Cellular connectivity alone is not security. A SIM provides reachability. Without additional controls, a cellular-connected device faces the same risks as any other networked endpoint: lateral movement, unmanaged third-party access, and no visibility into what the device is doing after it connects.
This is why the SIM and connectivity layer is a strategic control point for Zero Trust. When Zero Trust enforcement is built into the cellular connectivity itself, every device is protected at the network level from the moment it powers on. No client software to install. No per-device configuration. No reliance on the device having the compute resources to protect itself.
This approach works for both intelligent devices (gateways, controllers, routers running an operating system) and unintelligent devices (sensors, meters, and actuators with no ability to run security software). Security is a property of the connectivity, not a requirement of the hardware.
IXT Zero Trust is included with every IXT Global SIM deployment as standard. Connectivity routes through private infrastructure, with traffic inspected and policy-enforced by the Zscaler Zero Trust Exchange and device communications mapped by Illumio for real-time visibility and anomaly detection. IXT SecureNet, the private networking option with VPN tunnels and direct cloud connect, remains available as a lighter alternative for deployments not requiring full Zero Trust.
For organizations deploying devices across multiple countries and mobile networks, SIM-level Zero Trust enforcement provides consistent security policies regardless of which of IXT's 600+ partner networks the device connects through.
How does Zero Trust support NIS2 compliance for IoT?
The EU's NIS2 Directive, which replaced the original NIS Directive in October 2024, raises the baseline for cybersecurity across critical sectors including energy, transport, water, manufacturing, and digital infrastructure. Member states are transposing NIS2 into national law, with enforcement ramping up through 2025 and 2026. In January 2026, the European Commission proposed targeted amendments to simplify compliance requirements, but the core obligations remain.
For organizations with cellular-connected IoT and OT devices, NIS2 means SIM-based connectivity is part of the compliance scope. The directive requires risk-based, proportionate security measures across all network and information systems supporting critical services.
Zero Trust architecture maps directly to several NIS2 requirements:
- Risk management. NIS2 requires organizations to identify vulnerabilities, assess threats, and implement proportionate controls. Zero Trust addresses this by eliminating the attack surface (no exposed ports), reducing blast radius through segmentation, and enforcing least-privilege access at the device level.
- Access control. The directive mandates enforcement of access control and reduction of implicit trust. Zero Trust replaces broad VPN-based access with identity-verified, application-specific permissions. Third-party access is controlled through time-limited, browser-based sessions recorded for audit purposes.
- Incident detection. NIS2 requires the ability to detect and limit the impact of security incidents. Continuous traffic monitoring with anomaly detection provides this for IoT environments, where traditional endpoint detection tools have no foothold.
- Supply chain and third-party risk. Managing vendor and contractor access is a specific NIS2 obligation. Privileged remote access through a browser portal, with session recording and time-based controls, directly addresses this requirement without the security risks of distributing VPN credentials to external parties.
- Reporting and audit trails. Significant incidents must be reported within 24 to 72 hours. The audit trails generated by Zero Trust enforcement support both incident reporting and ongoing compliance documentation.
Non-compliance carries real consequences. Fines reach up to EUR 10 million or 2% of global annual turnover for essential entities, and senior management is personally accountable.
NIS2 does not demand more complexity. It demands better control. Zero Trust applied at the IoT connectivity layer is one of the most direct ways to demonstrate control to auditors and regulators.
How is Zero Trust applied across IoT industries?
Zero Trust for IoT addresses specific, documented security gaps across industries where connected devices support critical operations.
Industrial automation
Factory equipment connected over cellular enables remote monitoring and predictive maintenance. Service technicians and third-party vendors need remote access to specific machines for diagnostics and updates. With VPN, this access grants visibility across the entire OT network. Zero Trust provides application-specific access through the browser. The technician sees only the machine they are authorized to service. Sessions are time-limited and recorded. No VPN client distribution required.
Security and surveillance
IP cameras and access control systems are deployed across dozens or hundreds of sites. These devices are documented entry points into corporate networks when compromised. Security researchers have demonstrated that a single hijacked camera can serve as a pivot point for network-wide infiltration. Zero Trust maps all device communications in real time, detects the moment a camera contacts an unexpected destination, and segments surveillance systems from other network resources.
Tracking and logistics
GPS trackers and cargo condition sensors transmit commercially sensitive location and status data across borders, often over multiple mobile networks. This data reveals supply chain patterns, customer relationships, and operational details competitors would value. Zero Trust routes this data through private, inspected channels regardless of which country or mobile network the device operates in. Segmentation controls ensure only authorized systems receive the data.
EV charging
Charging stations process payments and communicate with energy grid management systems. Payment card data and grid infrastructure signals share the same connected device. Zero Trust segments payment processing from grid communication at the network level. Remote maintenance is handled through recorded browser sessions, replacing VPN credential distribution across a growing network of charging points.
How do you get started with Zero Trust for IoT?
Zero Trust is not a single deployment. It is an architectural shift most organizations implement in stages. Four starting points deliver the highest impact:
Map your connected devices and their communication patterns. Identify every IoT device in your environment, what it connects to, and how. Pay specific attention to devices with remote access enabled and third-party vendor connections. You need to know what is communicating before you control it.
Evaluate whether your current connectivity provides visibility or only reachability. If your IoT connectivity tells you a device is online but not what it is doing, there is a gap. Visibility into device behavior, including which endpoints each device communicates with, is the foundation of Zero Trust.
Address your highest-risk access points first. Third-party vendor access and cross-border deployments are common starting points. They combine high security risk with significant business impact, and they tend to be the areas where VPN-based approaches create the most operational friction.
Align your IoT infrastructure with compliance requirements. If NIS2 applies to your organization, map your cellular-connected devices against the directive's requirements for access control, incident detection, network segmentation, and supply chain risk management. The gaps will point you toward where Zero Trust delivers the most compliance value.
The organizations moving fastest are those making Zero Trust a property of the connectivity itself, enforced at the SIM and network level rather than requiring each device to protect itself. This is the most practical path for IoT, where devices are constrained, distributed, and designed for a single purpose.
If you are evaluating how Zero Trust applies to your IoT deployment, our connectivity specialists can walk you through how it works in practice and what it looks like for your specific environment.
Frequently asked questions about Zero Trust for IoT
What is the difference between Zero Trust and a VPN for IoT?
A VPN creates an encrypted tunnel and grants the connected device or user broad network-level access. Once inside the tunnel, the device is trusted. Zero Trust takes the opposite approach. Every connection is verified individually. Devices are granted access only to the specific application they need to reach. No VPN client software is required on the device, and no ports are exposed on the application side. For IoT environments with hundreds or thousands of headless devices, Zero Trust removes the operational burden of managing per-device VPN credentials while closing the security gaps VPNs create.
Do IoT devices need to run software for Zero Trust to work?
No. Traditional Zero Trust implementations for IT require agent software on each endpoint. IoT devices, including sensors, meters, and controllers, typically lack the compute resources for this. Zero Trust for IoT enforces security at the network and SIM level instead. The device connects through a SIM routed to a Zero Trust enforcement point. All policy enforcement, traffic inspection, and access control happen at the network layer. The device does not need to run any security software.
How does Zero Trust for IoT support NIS2 compliance?
NIS2 requires organizations in critical sectors to implement risk management, access control, incident detection, and supply chain security measures across all network and information systems. Zero Trust for IoT maps to these requirements directly. It eliminates exposed attack surfaces, enforces least-privilege access per device, provides continuous traffic monitoring for incident detection, and controls third-party access through time-limited, recorded sessions. The audit trails generated by Zero Trust enforcement support the reporting obligations NIS2 imposes.
Is Zero Trust for IoT relevant for small device fleets?
Zero Trust becomes most valuable as the number of connected devices, remote access points, and third-party connections grows. For organizations with 500+ devices, cross-border deployments, or regulatory compliance requirements, the security and operational benefits are significant. Smaller deployments in regulated industries or with sensitive data also benefit, particularly where NIS2 or GDPR applies.
What is IXT Zero Trust?
IXT Zero Trust is a security architecture included as standard with every IXT Global SIM deployment. It combines Zero Trust Connectivity powered by Zscaler ZTNA (eliminating the attack surface with no exposed ports, clientless remote access, and full traffic inspection) with Zero Trust Visualisation powered by Illumio (visual traffic mapping, anomaly detection, and policy-based device segmentation). IXT Zero Trust is the first solution to extend Zero Trust to OT and IoT endpoints over cellular. IXT SecureNet, IXT's private networking option, remains available as a lighter alternative for deployments not requiring full Zero Trust.
Sources referenced in this guide:
IoT Analytics, "State of IoT 2025," iot-analytics.com
NIST Special Publication 800-207, "Zero Trust Architecture," csrc.nist.gov
Nozomi Networks, "OT/IoT Cybersecurity Trends and Insights," nozominetworks.com
Forescout, "2025 Threat Roundup Report," forescout.com
European Commission, "NIS2 Directive," digital-strategy.ec.europa.eu
SANS Institute, "NIS2 Compliance for OT," sans.org