The increasing number of connected devices in critical infrastructure introduces new cybersecurity risks. Systems providing vital services—from energy and water supply to transportation and industry—are becoming increasingly interconnected. As approximately two-thirds of the world’s population uses the internet, according to ITU Facts and Figures 2025, the attack surface for malicious actors significantly expands, and the consequences of cyberattacks can be substantial.
This is why isolating IoT devices in critical infrastructure is not merely a recommendation but a fundamental architectural measure for improving security. When implemented through network segmentation, access control, and monitoring aligned with industry standards, isolation need not compromise operational manageability. The goal is to create barriers between system components that limit the spread of an attack while preserving effective device management and interaction.
IoT security risks in critical infrastructure: expanding the attack surface
The Internet of Things (IoT) is transforming critical infrastructure by integrating thousands of sensors, controllers, and actuators. These devices collect data, automate processes, and optimize system operations. However, each new connected device represents a potential entry point for a cyberattack. Vulnerabilities can arise at various levels: from unsecured firmware and weak credentials to a lack of encryption and uncontrolled remote access.
Critical infrastructure often combines legacy Operational Technology (OT) with modern IT systems, creating a complex hybrid environment. This complicates security management, as traditional IT controls are not always compatible with OT protocols and may disrupt the stability of sensitive industrial processes. An additional risk is the integration of Artificial Intelligence (AI) into OT, which requires comprehensive risk management, as highlighted by NIST AI RMF 1.0, which structures AI risk management around the Govern, Map, Measure, and Manage functions.
Isolation strategies: network segmentation and access control
Effective isolation of IoT devices begins with an architectural approach that limits their interaction to the necessary minimum. Two primary strategies are network segmentation and access control.
- Network segmentation: Dividing the network into smaller, isolated segments. This can be implemented using Virtual Local Area Networks (VLANs), which logically separate traffic, or micro-segmentation, which creates individual security policies for each device or workload. For IoT devices in critical infrastructure, this means creating separate network segments where they can only exchange data with specific controllers or gateways, rather than the entire corporate network. For example, temperature sensors in a power substation should only communicate with a local SCADA controller, not office computers.
- Access control: Implementing strict policies that define who and what may interact with IoT devices and their data, and under which conditions. Role-Based Access Control (RBAC) ensures that only authorized personnel or systems have permission to manage devices, update firmware, or access telemetry. This includes multi-factor authentication, least privilege, and continuous activity monitoring.
Technological solutions for managed isolation: from network devices to management platforms
Specialized technological solutions are necessary to implement segmentation and access control. This includes the use of firewalls, Intrusion Prevention Systems (IPS), and IoT gateways that can filter traffic, enforce security policies, and ensure secure connectivity to cloud platforms.
In a typical architecture, IoT devices connect to local gateways that aggregate data and perform initial processing at the edge. These gateways, in turn, connect to a centralized IoT management platform, which can be deployed on-premises or in the cloud. A platform like AZIOT (an IoT platform for managing the physical environment) allows for centralized lifecycle management of isolated IoT devices in critical infrastructure. It provides secure connectivity, Over-The-Air (OTA) software updates, status and security monitoring, and enforcement of access policies, so that devices remain manageable even when they sit in isolated network segments.
The development of 5G also impacts IoT security and manageability. According to the Ericsson Mobility Report November 2025, 5G will become the dominant mobile technology by the end of 2027. This opens up opportunities for creating private 5G networks in critical infrastructure, providing high bandwidth, low latency, and enhanced security features for isolated IoT devices, especially for mobile or remote assets. However, this also requires new approaches to network security management and device identity.
IoT security standardization: the role of ISA/IEC 62443 and NIST AI RMF
To ensure a robust level of security for critical infrastructure, adherence to recognized international standards is essential. The ISA/IEC 62443 series of standards is foundational for the cybersecurity of industrial automation and control systems, covering over 20 sectors. These standards provide a framework for risk assessment, security architecture development, implementation of protective measures, and security lifecycle management for OT systems, including IoT components.
ISA/IEC 62443 requires the application of the concept of zones and conduits for network segmentation, which maps directly onto isolating IoT devices: assets with similar security requirements are grouped into zones, such as sensor or controller networks, and communication between zones is restricted to dedicated conduits with clearly defined security policies.
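To make the segmentation example above and the zones-and-conduits model concrete, the following is an added example (not code from the article or from AZIOT): a small policy checker that groups addresses into zones, declares the only permitted conduit (sensors to the local SCADA controller over Modbus/TCP), and flags observed flows that cross zones outside any conduit. Zone names, subnets, ports and sample flows are constructed for illustration.

```python
"""Zone-and-conduit flow check (added example, not from the article or AZIOT).

Zones group assets by trust level; a conduit is the only sanctioned path
between two zones and lists the protocols it carries. Any observed flow
that is not covered by a conduit is a segmentation violation worth an alert.
Zone names, subnets and ports below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "sensor_vlan": ipaddress.ip_network("10.10.20.0/24"),
    "scada_ctrl": ipaddress.ip_network("10.10.10.0/28"),
    "corp_lan": ipaddress.ip_network("192.168.1.0/24"),
}

# Conduits: (source zone, destination zone) -> allowed TCP destination ports.
# Sensors may only speak Modbus/TCP (502) with the local SCADA controller.
CONDUITS = {
    ("sensor_vlan", "scada_ctrl"): {502},
    ("scada_ctrl", "sensor_vlan"): {502},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None  # unknown address: fail closed

def is_permitted(flow: Flow) -> bool:
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False
    if src_zone == dst_zone:
        return True  # intra-zone traffic is governed by the zone's own policy
    return flow.dport in CONDUITS.get((src_zone, dst_zone), set())

def violations(flows):
    """Return flows that cross zones outside any declared conduit."""
    return [f for f in flows if not is_permitted(f)]

# Constructed sample flows, as exported by a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    Flow("10.10.20.15", "10.10.10.2", 502),    # sensor -> controller, Modbus: OK
    Flow("10.10.20.15", "192.168.1.40", 445),  # sensor -> office PC: violation
    Flow("192.168.1.40", "10.10.20.15", 22),   # office -> sensor over SSH: violation
    Flow("10.10.10.2", "10.10.20.15", 502),    # controller polls sensor: OK
]

if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"segmentation violation: {f.src} -> {f.dst}:{f.dport}")
```

The same zone and conduit tables can drive both the firewall rule generation and the monitoring check, so policy and detection stay in step.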
Furthermore, with the integration of AI into operational technologies, the importance of managing artificial intelligence-related risks is growing. NIST AI RMF 1.0 provides a framework for assessing and mitigating these risks, emphasizing the need to evaluate the context of use, potential harm, trustworthiness, security, and accountability of AI systems in critical infrastructure. This includes ensuring the security of data used to train AI models, protecting the models themselves from manipulation, and ensuring the transparency of their decisions.
Operational manageability in isolation: monitoring, updates, and response
Isolation should not mean a lack of control. On the contrary, the manageability of isolated IoT devices is essential for their secure and efficient operation. This is achieved through three key aspects:
- Centralized monitoring: Security Information and Event Management (SIEM) systems and specialized IoT management platforms collect data on the status, performance, and security events from isolated devices. This allows operators to detect anomalies, unauthorized access attempts, or operational failures in a timely manner.
- Secure Over-The-Air (OTA) software updates: Regular firmware and software updates are vital for patching identified vulnerabilities. Platforms like AZIOT provide mechanisms for secure and remote Over-The-Air (OTA) deployment of updates to isolated devices, minimizing the risk of compromise during this process.
- Effective incident response: Even with isolation, security incidents can occur. Clearly defined response procedures, including rapid detection, containment, eradication, and recovery, are mandatory. Isolation helps contain the spread of an attack, but effective response requires integration with centralized security systems and operations centers.
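The OTA item above says updates to isolated devices must not themselves become a path to compromise. The following is an added example (not AZIOT's or the article's own code) of the device-side checks such a mechanism needs: authenticity of the update manifest, integrity of the image, and anti-rollback. An HMAC with a device-provisioned key stands in for the asymmetric signature a production update system would use; the key, versions and image bytes are constructed.

```python
"""Verifying an OTA firmware package before installation (added example, not
AZIOT's or the article's own code). Three checks, in order: the manifest is
authentic, the image matches the manifest digest, and the version is newer
than what is installed (anti-rollback). An HMAC with a device-provisioned key
stands in for the asymmetric signature a production update system would use;
keys, versions and image bytes are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed: key provisioned into the device's secure storage at manufacture.
DEVICE_UPDATE_KEY = b"constructed-device-key-not-for-production"

def sign_manifest(manifest: dict, key: bytes) -> str:
    """Publisher side: MAC over the canonical (sorted, compact) manifest."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def verify_update(package: dict, image: bytes, installed_version: int,
                  key: bytes = DEVICE_UPDATE_KEY) -> tuple:
    """Device side: returns (accepted, reason). Fails closed on any mismatch."""
    manifest, sig = package["manifest"], package["signature"]
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, sig):
        return False, "manifest signature invalid"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest does not match manifest"
    if manifest["version"] <= installed_version:
        return False, "rollback refused: version not newer than installed"
    return True, "update accepted"

def build_package(image: bytes, version: int, key: bytes = DEVICE_UPDATE_KEY) -> dict:
    """Publisher side: manifest plus its signature, shipped alongside the image."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest, key)}

# Constructed firmware image and a correctly built package for it.
IMAGE_V7 = b"firmware-image-v7"
GOOD = build_package(IMAGE_V7, version=7)

if __name__ == "__main__":
    print(verify_update(GOOD, IMAGE_V7, installed_version=6))   # accepted
    print(verify_update(GOOD, b"tampered", installed_version=6))  # digest mismatch
    print(verify_update(GOOD, IMAGE_V7, installed_version=7))   # rollback refused
```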
The future of IoT security in critical infrastructure: integrating AI and new network technologies
This year and in the coming years, IoT security in critical infrastructure will continue to evolve. AI integration will play an increasingly significant role not only in risk management but also in proactive threat detection. AI models can analyze large volumes of telemetry data from isolated devices, identifying patterns that indicate potential attacks or anomalies that cannot be detected by traditional methods.
The development of network technologies such as 5G provides a foundation for more reliable and secure connections. Private 5G networks can offer increased control over traffic and device identification, which is crucial for isolation. However, this also requires adapting existing security strategies to the new capabilities and risks these technologies bring. The focus remains on creating flexible, adaptive architectures that allow for device isolation while preserving their operational manageability and ability to respond quickly to changes and threats.
Checklist for secure isolation of IoT devices in critical infrastructure
- Have critical IoT devices and their roles in operational processes been identified?
- Has network segmentation (VLAN, micro-segmentation) been implemented to isolate IoT devices from corporate and other OT networks?
- Are Role-Based Access Control (RBAC) policies applied for interaction with IoT devices and their data?
- Is there a mechanism for centralized monitoring of the status, security, and traffic anomalies of isolated IoT devices?
- Have procedures for secure Over-The-Air (OTA) software and firmware updates been developed and tested?
- Has a risk assessment for AI integration into OT been conducted according to the NIST AI RMF framework?
- Does the security architecture comply with ISA/IEC 62443 standards, particularly the concept of zones and conduits?