TL;DR:
- Every device needs a unique, hardware-backed X.509 certificate — shared credentials are a fleet-wide liability
- Network segmentation (dedicated VLAN, no inbound connections) limits blast radius when something is compromised
- OTA updates must be signed and use A/B partitions with automatic rollback — the update pipeline is itself an attack surface
Standard IT security playbooks don’t transfer cleanly to IoT. Enterprise endpoints run EDR agents and receive automatic OS patches. A Cortex-M4 sensor on 256KB flash does neither. A Linux gateway in a field cabinet may have only a cellular modem for connectivity. The security model needs to reflect three things that make IoT different from managed IT infrastructure: devices are physically accessible to attackers, they run for a decade without replacement, and there’s no user in the loop to approve updates.
In industrial IoT, availability and integrity often matter more than confidentiality. A sensor feeding false data to a process control system is more dangerous than a leaked temperature log. For UK operators of critical national infrastructure covered by NIS Regulations 2018, this isn’t a design preference — it’s a regulatory reality.
Device Identity at Scale
The foundational security primitive: every device has a unique, unforgeable identity. Shared credentials mean a single compromised device exposes your entire fleet.
Hardware-backed key storage is non-negotiable. The Microchip ATECC608B (around £1–2/unit) stores private keys in hardware-protected memory — the chip performs crypto operations but never exposes the key. It connects via I2C and integrates with OpenSSL via an engine plugin. TPM 2.0 is the alternative for more capable devices (£2.50–6/unit) with equivalent key isolation.
Each device should receive a unique X.509 certificate at manufacture: the device generates a key pair on the ATECC608B (key never leaves the chip), sends a CSR to your provisioning service, and the service signs it with your device CA. Certificates live on the filesystem; keys stay in hardware.
Maintain a Certificate Revocation List (CRL) or OCSP responder. When a device is decommissioned, revoke its certificate. The broker checks the CRL on each connection, so only that one device is locked out while the rest of the fleet keeps working.
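The provisioning flow and the decommission-time CRL check above, as an added shell example that is not the article's own tooling: the device key is generated in software as a stand-in for the ATECC608B, and every name, subject and path is constructed for the example.

```shell
# Added example, not the article's own tooling: manufacture-time provisioning and the
# decommission-time CRL check. The device key is software here, a stand-in for the
# ATECC608B; every name, subject and path below is constructed.
set -e
# Minimal OpenSSL config: empty DN section for req, and a CA section for the CRL database
write_config() {
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n[ ca ]\ndefault_ca = CA_default\n' > pki.cnf
  printf '[ CA_default ]\ndatabase = index.txt\ncrlnumber = crlnumber\ndefault_md = sha256\ndefault_crl_days = 30\n' >> pki.cnf
  touch index.txt; echo 01 > crlnumber
}
# Device CA (kept offline in production), then the per-device key, CSR and signed leaf cert
provision_device() {   # $1: device serial, used as the certificate CN
  openssl ecparam -name prime256v1 -genkey -noout -out device-ca.key
  openssl req -new -config pki.cnf -key device-ca.key -subj "/O=Example IoT/CN=Example Device CA" -out device-ca.csr
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in device-ca.csr -signkey device-ca.key -days 3650 -sha256 -extfile ca.ext -out device-ca.crt
  # On the device: key pair (in production it never leaves the secure element) and a CSR
  openssl ecparam -name prime256v1 -genkey -noout -out device.key
  openssl req -new -config pki.cnf -key device.key -subj "/O=Example IoT/CN=$1" -out device.csr
  # Provisioning service: sign as a non-CA leaf, client authentication only
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl x509 -req -in device.csr -CA device-ca.crt -CAkey device-ca.key -CAcreateserial \
    -days 3650 -sha256 -extfile client.ext -out device.crt
}
# Decommission: revoke the certificate and publish a fresh CRL
revoke_device() {
  openssl ca -config pki.cnf -cert device-ca.crt -keyfile device-ca.key -revoke device.crt
  openssl ca -config pki.cnf -cert device-ca.crt -keyfile device-ca.key -gencrl -out device-ca.crl
}
# The decision the broker's TLS stack makes; $1 is the CRL to check, empty before one exists
broker_accepts() {
  if [ -n "$1" ]; then crl_opts="-crl_check -CRLfile $1"; else crl_opts=""; fi
  openssl verify $crl_opts -CAfile device-ca.crt device.crt >/dev/null 2>&1 && echo accepted || echo rejected
}
provisioning_demo() {
  work="$(mktemp -d)"; cd "$work"; write_config
  provision_device sensor-000123
  before="$(broker_accepts "")"
  revoke_device
  after="$(broker_accepts device-ca.crl)"
  echo "$before $after"   # accepted rejected
}
```

Run `provisioning_demo` to see the same certificate accepted before revocation and rejected once the broker checks the CRL.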
Network Segmentation
IoT devices shouldn’t share a network segment with corporate IT systems. A compromised device on a flat network is a pivot point into everything else — and this is exactly how several high-profile industrial breaches have unfolded.
Assign all IoT devices to a dedicated VLAN with no route to corporate IT, outbound-only internet access, and ACLs permitting only required traffic (MQTT on port 8883, NTP — nothing else). No inbound connections. IoT devices initiate all connections outbound. If a vendor requires an inbound port, use a reverse proxy or VPN tunnel instead.
Secure Boot and Firmware Signing
dm-verity provides block-level integrity verification of the root filesystem. The kernel verifies a hash tree against a root hash stored in the bootloader or TPM — any modification causes the system to refuse to boot. Mender and Yocto both have dm-verity integration.
Sign Mender artefacts with Ed25519:
openssl genpkey -algorithm ed25519 -out mender-signing-key.pem
mender-artifact sign artifact.mender --key mender-signing-key.pem
The public key is embedded in the Mender client at manufacture. The client refuses unsigned artefacts. An attacker who compromises your update server cannot push malicious firmware without the signing key.
OTA Update Security
The update system is a mechanism to replace software on every device in the fleet. Compromising it gives an attacker that same capability — treat it as a primary attack surface.
Required properties: signed artefacts (Ed25519 or RSA-4096; devices verify before applying), atomic A/B updates with rollback (updates write to an inactive partition; on boot failure the bootloader reverts automatically), channel authentication (devices authenticate to the update server using their device certificate), and delivery integrity (HTTPS plus SHA-256 checksum verification as defence in depth).
Communication Security
TLS 1.3 minimum. TLS 1.2 is still common in IoT; TLS 1.3 removes obsolete cipher suites, requires forward secrecy, and has a faster handshake. Configure Mosquitto: tls_version tlsv1.3.
MQTT runs on port 8883 (TLS), not 1883 (plaintext). Enable mTLS so both sides present certificates:
listener 8883
cafile /etc/mosquitto/certs/device-ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true
use_identity_as_username true maps the device certificate CN to the MQTT username, enabling per-device ACL rules without separate password management.
Vulnerability Management
Generate an SBOM for every firmware release using Syft, scan it with Grype against the NVD. Patch cadence by CVSS score: Critical (9.0–10.0) within 7 days, High (7.0–8.9) within 30 days, Medium (4.0–6.9) in the next maintenance window.
Incident Response
When a device is suspected compromised:
- Isolate — block all traffic from the device’s MAC/IP on the VLAN boundary immediately
- Preserve logs — pull journalctl -a, network state, and process list before reimaging
- Reimage — flash a known-good firmware image; never remediate in place
- Revoke and reissue — revoke the certificate via CRL; issue a new one during re-provisioning
- Document — timeline, indicators of compromise, and process improvements
Compliance Reference
IEC 62443 is the primary standard for industrial automation security; IEC 62443-4-2 covers component-level requirements and is required for critical infrastructure customers across the UK and Europe.
ETSI EN 303 645 is the UK’s consumer IoT security baseline. The PSTI Act 2022 makes several EN 303 645 provisions legally mandatory for products sold in the UK.
EU Cyber Resilience Act (CRA) — in effect since 2024 — mandates vulnerability reporting and update commitments for products sold in the EU.
The Bottom Line
IoT security is fundamentally about eliminating attack surface rather than monitoring it. Hardware-backed device identity, VLAN isolation with no inbound connections, and signed OTA updates with automatic rollback cover the majority of real-world threat vectors. Build these in from the start — retrofitting them onto a deployed fleet is significantly more expensive and operationally risky. And with the PSTI Act now in force in the UK, basic security is no longer optional for consumer IoT products.