IoT Security: Protecting Enterprise Smart Devices & OT Systems in 2025

Comprehensive IoT security framework covering device identity, network segmentation, and AI threat monitoring

Advanced, 22 minutes

Billions of IoT devices expand the attack surface dramatically—many with weak credentials and no update path. This guide covers IoT security architecture, X.509 device identity, network VLAN segmentation, AI behavioral anomaly detection, OT/ICS security with the Purdue Model, medical IoT (IoMT) considerations, and compliance with the EU Cyber Resilience Act.

IoT Security: Enterprise Smart Devices & OT Systems in 2025

The Scale of the Problem

15+ billion IoT devices are deployed globally. Most devices have 5-10 year lifespans, but software support ends after 2-3 years. 23% of enterprise IoT devices still use default credentials, and 57% are vulnerable to medium- or high-severity attacks. Attack consequences range from building-automation breaches that enable physical access, to industrial attacks that disrupt manufacturing, to medical device attacks that endanger patients.

Device Identity and Authentication

X.509 Certificate-Based Identity

Each device gets a unique certificate during manufacturing or provisioning. PKI hierarchy: root CA, intermediate CAs per product line, device certificates. Enables mutual TLS authentication to IoT platforms. Private keys never transmitted after provisioning.
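The three-tier hierarchy above, worked as an added Go example that is not code from this page or from any IoT platform vendor: it builds a root CA, an intermediate CA for one product line and a device certificate with the standard library's crypto/x509, then verifies the device certificate the way an IoT platform does during a mutual-TLS handshake, trusting only the root and receiving the intermediate from the device. All names, serial numbers, lifetimes and the product line are constructed for the example; in a real deployment the device key would be generated inside the TPM and the root key kept offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DevicePKI holds the three tiers: root CA, intermediate CA for one product
// line, and the per-device leaf certificate with its private key.
type DevicePKI struct {
	Root         *x509.Certificate
	Intermediate *x509.Certificate
	Device       *x509.Certificate
	DeviceKey    *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with signer; a nil parent means self-signed (the root).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildDevicePKI creates root -> intermediate(productLine) -> device(serial).
// Names and lifetimes are constructed for the example.
func BuildDevicePKI(productLine, deviceSerial string) DevicePKI {
	start := time.Now().Add(-time.Hour)
	year := 365 * 24 * time.Hour
	rootKey, interKey, devKey := newKey(), newKey(), newKey()

	root := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example IoT Root CA"},
		NotBefore:             start,
		NotAfter:              start.Add(20 * year),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLen:            1, // exactly one CA tier may sit below the root
	}, nil, &rootKey.PublicKey, rootKey)

	inter := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example IoT Intermediate CA " + productLine},
		NotBefore:             start,
		NotAfter:              start.Add(10 * year),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		MaxPathLen:            0, // may issue device leaves only, never another CA
		MaxPathLenZero:        true,
	}, root, &interKey.PublicKey, rootKey)

	device := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: deviceSerial, OrganizationalUnit: []string{productLine}},
		NotBefore:    start,
		NotAfter:     start.Add(5 * year),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client side of mTLS only
	}, inter, &devKey.PublicKey, interKey)

	return DevicePKI{Root: root, Intermediate: inter, Device: device, DeviceKey: devKey}
}

// VerifyDeviceCert is the platform's check during the mTLS handshake: it trusts
// only the root, is handed the intermediate by the device, and requires that
// the leaf chains to the root and is permitted for client authentication.
func VerifyDeviceCert(root, intermediate, device *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	pki := BuildDevicePKI("thermostat-v2", "SN-0001")
	fmt.Println("own device: ", VerifyDeviceCert(pki.Root, pki.Intermediate, pki.Device))
	// A certificate from a different PKI (another vendor, or a forged chain) must fail.
	other := BuildDevicePKI("thermostat-v2", "SN-9999")
	fmt.Println("foreign PKI:", VerifyDeviceCert(pki.Root, pki.Intermediate, other.Device))
}
```

The intermediate's path length of zero is what stops a compromised device key from minting further "device" certificates: even a perfectly formed leaf signed by it fails chain building because the signer is not a CA.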

Hardware Security Modules

TPM 2.0 stores private keys in tamper-resistant hardware. Private key never leaves the chip—even firmware compromise cannot extract it. Require TPM 2.0 for enterprise IoT procurement.

Zero-Touch Provisioning

AWS IoT Core, Azure IoT Hub, and Google Cloud IoT provision devices at scale using unique certificates. Devices authenticate, receive configuration, and join the correct network segment automatically without manual intervention.

Secure Boot and Firmware Integrity

Chain of trust: hardware root of trust verifies bootloader, bootloader verifies OS kernel, OS verifies application firmware. Any unsigned or modified component halts boot. Firmware updates: sign all images, verify signatures on device, implement rollback protection, use delta updates for bandwidth efficiency.
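The last stage of that chain, verifying an application-firmware image and refusing downgrades, as an added Go example that is not the page's own code and not any vendor's update client: the vendor signs version || sha256(payload) with an Ed25519 key, the device checks the signature against the public key baked into ROM, then enforces a monotonic version counter before accepting the image. The container format, the version numbers and the payloads are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, minimal update container: a monotonically
// increasing version, the payload, and a signature over version || sha256(payload).
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedDigest binds the version number to the payload, so a valid old payload
// cannot be re-labelled with a newer version (or a new payload with an old one).
func signedDigest(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware runs on the vendor's build system with the offline signing key.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedDigest(version, payload)),
	}
}

// Device models on-device state: the vendor public key baked into ROM and the
// anti-rollback counter (a fuse or TPM NV index on real hardware).
type Device struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// Install checks the signature, then the version counter, and only then
// advances the counter; nothing is flashed unless both checks pass.
func (d *Device) Install(img FirmwareImage) error {
	if !ed25519.Verify(d.VendorKey, signedDigest(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.CurrentVersion {
		return ErrRollback
	}
	d.CurrentVersion = img.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, CurrentVersion: 3}
	v4 := SignFirmware(priv, 4, []byte("constructed firmware v4"))
	fmt.Println("install v4:  ", dev.Install(v4))
	fmt.Println("reinstall v4:", dev.Install(v4)) // rollback protection rejects it
	v4.Payload[0] ^= 0xff                         // image altered in transit
	fmt.Println("tampered v4: ", dev.Install(v4)) // signature no longer matches
}
```

The order of the two checks matters: the signature is verified before the version field is trusted, so an attacker cannot use an unsigned header to push the counter past a legitimate update and brick the device.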

Network Segmentation

Never put IoT devices on the corporate network. Segment by risk: High-Trust Zone (IT endpoints, servers), IoT Zone (cameras, printers, smart building), OT Zone (industrial control, SCADA—air-gapped where possible), DMZ (guest WiFi, BYOD).

VLANs for IoT: IoT VLAN communicates only with IoT management server on specific ports. Deny IoT-to-Corporate traffic. Deny IoT-to-IoT by default (no lateral movement). Allow IoT to cloud telemetry endpoints only.

Use 802.1X NAC to validate device certificates before granting VLAN access.
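The VLAN rules above expressed as a default-deny allowlist, as an added Go example that is not the page's own code and not any firewall vendor's syntax: zones are defined by prefix, only explicit allow entries permit a flow, and everything else (IoT to corporate, IoT to IoT, corporate to IoT) falls through to deny without a rule per bad combination. The prefixes, ports and zone names are constructed for the example; the real policy would live in the firewall or switch ACLs between the VLANs.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Zone names a network segment by its prefix. Addressing is constructed for the example.
type Zone struct {
	Name   string
	Prefix netip.Prefix
}

// Rule is one explicit allow; any flow not matched by an allow is denied.
type Rule struct {
	SrcZone string
	DstZone string
	Proto   string
	DstPort int // 0 means any port
}

type Policy struct {
	Zones []Zone
	Allow []Rule
}

func (p Policy) zoneOf(a netip.Addr) string {
	for _, z := range p.Zones {
		if z.Prefix.Contains(a) {
			return z.Name
		}
	}
	return "unknown"
}

// Evaluate reports whether a flow is permitted and which rule decided it.
// The fall-through is deny, which is what blocks IoT->corporate and IoT->IoT
// without needing a rule for every bad combination.
func (p Policy) Evaluate(src, dst, proto string, dstPort int) (bool, string) {
	s, err := netip.ParseAddr(src)
	if err != nil {
		return false, "deny: bad source address"
	}
	d, err := netip.ParseAddr(dst)
	if err != nil {
		return false, "deny: bad destination address"
	}
	sz, dz := p.zoneOf(s), p.zoneOf(d)
	for _, r := range p.Allow {
		if r.SrcZone == sz && r.DstZone == dz && r.Proto == proto && (r.DstPort == 0 || r.DstPort == dstPort) {
			return true, fmt.Sprintf("allow: %s -> %s %s/%d", sz, dz, proto, dstPort)
		}
	}
	return false, fmt.Sprintf("default deny: %s -> %s %s/%d", sz, dz, proto, dstPort)
}

// IoTPolicy encodes the VLAN rules from the text with constructed prefixes:
// IoT reaches its management server on specific ports and the cloud telemetry
// endpoint on 443, and nothing else; corporate admins reach the management console.
func IoTPolicy() Policy {
	return Policy{
		Zones: []Zone{
			{Name: "corporate", Prefix: netip.MustParsePrefix("10.10.0.0/16")},
			{Name: "iot", Prefix: netip.MustParsePrefix("10.30.0.0/16")},
			{Name: "iot-mgmt", Prefix: netip.MustParsePrefix("10.20.0.0/24")},
			{Name: "cloud-telemetry", Prefix: netip.MustParsePrefix("198.51.100.0/24")},
		},
		Allow: []Rule{
			{SrcZone: "iot", DstZone: "iot-mgmt", Proto: "tcp", DstPort: 8883},       // MQTT over TLS
			{SrcZone: "iot", DstZone: "iot-mgmt", Proto: "udp", DstPort: 53},         // DNS via the IoT resolver
			{SrcZone: "iot", DstZone: "cloud-telemetry", Proto: "tcp", DstPort: 443}, // telemetry upload
			{SrcZone: "corporate", DstZone: "iot-mgmt", Proto: "tcp", DstPort: 443},  // admin console
		},
	}
}

func main() {
	p := IoTPolicy()
	flows := []struct {
		src, dst, proto string
		port            int
	}{
		{"10.30.0.17", "10.20.0.5", "tcp", 8883},   // sensor to broker
		{"10.30.0.17", "10.10.4.20", "tcp", 445},   // sensor to a corporate file server
		{"10.30.0.17", "10.30.0.18", "tcp", 80},    // sensor to another IoT device
		{"10.30.0.17", "198.51.100.7", "tcp", 443}, // sensor to cloud telemetry
		{"10.10.4.20", "10.30.0.17", "tcp", 22},    // corporate host to sensor
	}
	for _, f := range flows {
		ok, why := p.Evaluate(f.src, f.dst, f.proto, f.port)
		fmt.Printf("%-5v %s\n", ok, why)
	}
}
```

Because the evaluator is pure, the same function can be run over exported flow logs to audit whether the deployed ACLs actually match the intended policy.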

AI Behavioral Detection

IoT devices have predictable patterns—a temperature sensor always sends small packets to one endpoint. Deviations indicate compromise.

AI baseline modeling captures: destination IPs/ports, protocol, frequency, traffic volume (bytes/hour), DNS queries, sleep/wake cycles. Anomaly flags: new destination IP, unusual volume, unexpected protocol, DNS to new domains, any inbound connections (most IoT should be outbound-only).
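The baseline-and-flag approach above, as an added Go example that is not the page's own code and not the logic of any of the products it names: a profile is learned from a known-clean period of flow records (destinations, protocols, DNS names, mean and standard deviation of bytes per hour), and a later hour of traffic is scored against it for exactly the anomaly flags listed. The flow records, the sensor's addresses, the broker name and the external host are all constructed sample data.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Flow is one constructed flow record in the shape a NetFlow/NDR collector emits.
type Flow struct {
	Hour     int    // hour index since monitoring began (used for bytes/hour)
	DstIP    string
	DstPort  int
	Proto    string // "tcp", "udp", "dns"
	Bytes    int
	Inbound  bool   // connection initiated towards the device
	DNSQName string // queried name when Proto == "dns"
}

// Baseline is the learned profile for one device.
type Baseline struct {
	Destinations map[string]bool // "ip:port" pairs seen in training
	Protocols    map[string]bool
	Domains      map[string]bool
	MeanBytes    float64 // bytes per hour
	StdBytes     float64
}

// LearnBaseline folds flows from a known-clean period into a profile.
func LearnBaseline(flows []Flow) Baseline {
	b := Baseline{Destinations: map[string]bool{}, Protocols: map[string]bool{}, Domains: map[string]bool{}}
	perHour := map[int]int{}
	for _, f := range flows {
		b.Destinations[fmt.Sprintf("%s:%d", f.DstIP, f.DstPort)] = true
		b.Protocols[f.Proto] = true
		if f.DNSQName != "" {
			b.Domains[f.DNSQName] = true
		}
		perHour[f.Hour] += f.Bytes
	}
	var sum, sumSq float64
	for _, v := range perHour {
		sum += float64(v)
		sumSq += float64(v) * float64(v)
	}
	if n := float64(len(perHour)); n > 0 {
		b.MeanBytes = sum / n
		b.StdBytes = math.Sqrt(math.Max(sumSq/n-b.MeanBytes*b.MeanBytes, 0))
	}
	return b
}

// Score compares one hour of flows against the baseline and returns the
// anomaly flags, sorted for stable output.
func Score(b Baseline, flows []Flow) []string {
	flags := map[string]bool{}
	total := 0
	for _, f := range flows {
		total += f.Bytes
		if f.Inbound {
			flags["inbound connection"] = true // most IoT should be outbound-only
		}
		if !b.Protocols[f.Proto] {
			flags["unexpected protocol "+f.Proto] = true
		}
		if dst := fmt.Sprintf("%s:%d", f.DstIP, f.DstPort); !b.Destinations[dst] {
			flags["new destination "+dst] = true
		}
		if f.DNSQName != "" && !b.Domains[f.DNSQName] {
			flags["dns to new domain "+f.DNSQName] = true
		}
	}
	// Volume: more than 3 sigma above the hourly mean, with a 10%-of-mean floor
	// so a near-constant baseline still needs a real jump before it fires.
	threshold := b.MeanBytes + 3*math.Max(b.StdBytes, 0.1*b.MeanBytes)
	if float64(total) > threshold {
		flags[fmt.Sprintf("unusual volume %d bytes/hour (baseline %.0f)", total, b.MeanBytes)] = true
	}
	out := make([]string, 0, len(flags))
	for k := range flags {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// SensorTraining is 24 constructed hours of a temperature sensor: one MQTT
// report to the IoT management broker and one DNS lookup per hour.
func SensorTraining() []Flow {
	var flows []Flow
	for h := 0; h < 24; h++ {
		flows = append(flows,
			Flow{Hour: h, DstIP: "10.20.0.5", DstPort: 8883, Proto: "tcp", Bytes: 1100 + 50*(h%3)},
			Flow{Hour: h, DstIP: "10.20.0.2", DstPort: 53, Proto: "dns", Bytes: 80, DNSQName: "broker.iot.example"})
	}
	return flows
}

// NormalHour and CompromisedHour are constructed later hours for the same sensor.
func NormalHour() []Flow {
	return []Flow{
		{DstIP: "10.20.0.5", DstPort: 8883, Proto: "tcp", Bytes: 1150},
		{DstIP: "10.20.0.2", DstPort: 53, Proto: "dns", Bytes: 80, DNSQName: "broker.iot.example"},
	}
}

func CompromisedHour() []Flow {
	return []Flow{
		{DstIP: "10.20.0.5", DstPort: 8883, Proto: "tcp", Bytes: 1100},
		{DstIP: "10.20.0.2", DstPort: 53, Proto: "dns", Bytes: 90, DNSQName: "cdn-update.example.net"},
		{DstIP: "203.0.113.9", DstPort: 4444, Proto: "tcp", Bytes: 48000},           // unknown external host
		{DstIP: "10.30.0.17", DstPort: 23, Proto: "tcp", Bytes: 300, Inbound: true}, // telnet towards the sensor
	}
}

func main() {
	b := LearnBaseline(SensorTraining())
	fmt.Println("normal hour:     ", Score(b, NormalHour()))
	fmt.Println("compromised hour:", Score(b, CompromisedHour()))
}
```

The floor on the volume threshold is the detail that matters in practice: a sensor with an almost constant byte count has a standard deviation near zero, and without the floor a few hundred extra bytes would page an analyst.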

Deploy Claroty, Armis, or Microsoft Defender for IoT for agentless device fingerprinting and ML anomaly detection. These provide automatic inventory, vulnerability mapping per device type, and compliance reporting.

OT/ICS Security: Purdue Model

Level 0: Physical processes (sensors, actuators). Level 1: Intelligent devices (PLCs, RTUs). Level 2: Control systems (SCADA, DCS). Level 3: Operations zone (historians, engineering stations). Level 3.5: Industrial DMZ (separates IT from OT—critical). Level 4: Enterprise zone (ERP, business systems).

OT security tools: Claroty (passive OT monitoring, never disrupts industrial protocols), Dragos (OT threat intelligence, specializes in industrial malware like TRITON/Industroyer), Nozomi Networks (real-time OT monitoring, supports Modbus/DNP3/IEC 61850).

Medical IoT (IoMT) Security

FDA/CE certification limits software updates. Clinical workflow disruption is unacceptable. HIPAA imposes data privacy requirements. Device downtime could be life-threatening.

Framework: complete medical device inventory, dedicated IoMT network segment, passive monitoring only (no active scanning), compensating controls (firewall rules, encryption wrappers) for unpatched devices, coordinate security patches with biomedical engineering during maintenance windows.

EU Cyber Resilience Act (CRA)

Mandatory for IoT products sold in EU, effective 2027: vulnerability disclosure policy, security updates for expected product lifetime, minimum security properties at launch. Also: NIST IR 8259 baseline (identification, configuration, data protection, interface access, software update), ETSI EN 303 645 (prohibits default universal passwords, requires vulnerability disclosure policy).

IoT security spans the full lifecycle: procurement (require security certifications), deployment (network segmentation), operation (continuous monitoring), decommissioning (secure data deletion).

Related tools

Claroty, Armis, Dragos, Microsoft Defender for IoT, Nozomi

Topic: AI Security and Compliance