In industrial IoT, data moves between sensors, controllers and cloud platforms. If this data is not encrypted, anyone with access to the network path can read, alter or replay it.
MQTT over TLS, also known as MQTTS, addresses this by carrying the MQTT messaging protocol inside a Transport Layer Security (TLS) session, the same encryption that protects online banking and shopping.
This guide explains why MQTTS matters, what the data says about security threats to IoT, and how to set up TLS-encrypted MQTT on industrial devices.
The Reality: IoT Security Is Not Optional Anymore
The numbers tell a clear story.
| Metric | Value |
|---|---|
| Global IoT devices (2025) | 41 billion |
| IoT security attacks (2024) | 400% increase since 2020 |
| Organizations that experienced IoT security incidents | 78% |
Source: IBM X-Force Threat Intelligence Index 2024
In industrial settings, unencrypted communications expose operational data, equipment status, and control commands. A compromised gateway can give attackers access to PLCs, sensors, and critical infrastructure.
The TLS 1.3 protocol (RFC 8446) is the current standard for encrypted transport. It completes the handshake in one round trip fewer than TLS 1.2 and drops the legacy cipher suites and key exchanges (RSA key transport, static Diffie-Hellman, CBC-mode ciphers) that weakened earlier versions. Combined with MQTT 5.0, it provides a secure, efficient foundation for industrial IoT.

How TLS-Encrypted MQTT Works
Three core security features come into play:
1. Full Data Encryption
Messages are encrypted inside the TLS session before they leave the device, so an intercepted packet is ciphertext that cannot be read without the session keys. TLS also protects integrity: a packet modified in transit fails its authentication check and is discarded.
2. Mutual Authentication
In ordinary (one-way) TLS only the broker presents a certificate; the device checks it against a trusted root CA, which stops a rogue broker from impersonating the real service. With mutual authentication (mTLS) the device presents its own X.509 client certificate as well, so the broker can reject any device that was not provisioned with one instead of relying on a shared username and password.
3. Certificate-Based Encryption
Public-key infrastructure (PKI) issues the X.509 certificates that bind a broker or device name to a public key. The certificates authenticate the parties; the TLS handshake then derives fresh symmetric session keys for each connection, and those keys do the actual encryption. Each certificate has a validity period, typically one to two years, after which it must be renewed or the device stops connecting.

When Do You Need MQTT over TLS?
Not every application needs encryption. But these scenarios do:
- Remote monitoring—data traveling over cellular networks (4G/5G) or the public internet
- Critical infrastructure—where unauthorized control could cause physical harm
- Regulated industries—energy, water, healthcare, manufacturing with compliance requirements
- Multi-tenant environments—shared networks where traffic isolation is needed
For example, a water treatment utility that uses 4G DTUs to monitor pump stations across a city should encrypt every link from the DTUs to the broker. If an attacker can read that traffic they learn how the plant operates; if they can inject commands they can interfere with the pumps themselves.
Product Capabilities: What to Look For
When selecting hardware for TLS-encrypted MQTT, check for:
| Feature | Why It Matters |
|---|---|
| TLS 1.2 / 1.3 support | SSL 3.0, TLS 1.0 and TLS 1.1 have known weaknesses and are formally deprecated (RFC 8996) |
| Certificate management | Ability to upload a root CA, client certificate, and private key (better still, to generate the key on the device so it never leaves it) |
| Mutual authentication | Verifies both device and server identity |
| MQTT keep-alive | Maintains connection through firewalls and NAT |
| Certificate auto-update | Prevents expiration-related downtime |
Industrial devices like serial servers and 4G DTUs that support these features can act as secure gateways for RS485 equipment, PLCs, and sensors.


Configuration Walkthrough
Here’s how TLS-encrypted MQTT is typically configured on industrial devices.
Before You Start
- Ensure the device firmware supports MQTTS (v1.477 or later)
- Obtain certificates from your IT department or certificate authority:
  - Root CA certificate (the CA that signed the broker’s certificate, used for server validation)
  - Client certificate and private key (for device authentication; keep the private key off shared drives and e-mail)
- Know your MQTT broker’s hostname and port (typically 8883 for MQTTS, versus 1883 for plain MQTT)
Step-by-Step Setup
- Access the device’s web interface via its IP address.
- Navigate to MQTT configuration. Look for a section labeled “MQTT” or “MQTT Client”.
- Enter broker details:
  - Hostname of the MQTT broker. Use the DNS name that appears in the broker’s certificate; an IP address only passes hostname verification if the certificate lists it as a subject alternative name.
  - Port (8883 for MQTTS)
- Upload certificates:
  - Root CA certificate
  - Client certificate
  - Private key
- Set TLS version to TLS 1.2 or 1.3 (avoid SSL or TLS 1.0/1.1).
- Enable mutual authentication if required by the broker, and leave any “skip certificate verification” option disabled: with it on, the link is still encrypted but the device no longer knows whether it is talking to the real broker.
- Test the connection. Most devices show connection status (connected / disconnected) on the status page. If it stays disconnected, check the broker’s log for TLS handshake errors (wrong root CA, hostname mismatch, expired certificate) before changing anything else.
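The following connection test, added here as an example and not part of the original guide or any vendor’s firmware, ties together the three features from “How TLS-Encrypted MQTT Works” and the setup steps above: it builds a TLS 1.2+ client context that trusts only the uploaded root CA and presents the device certificate for mutual authentication, then speaks just enough MQTT 3.1.1 to send CONNECT and read the broker’s CONNACK. It uses only the Python standard library. The broker name broker.example.com, the file names root-ca.pem, device.crt and device.key, and the choice of MQTT 3.1.1 rather than 5.0 (whose CONNECT carries an extra properties field) are assumptions; point it at your own broker and files to run it.

```python
"""Minimal MQTTS connection test with the Python standard library only.

Assumptions (not from the guide): the broker accepts MQTT 3.1.1, and the
files root-ca.pem / device.crt / device.key are the ones uploaded to the DTU.
"""
import socket
import ssl
import sys

# MQTT 3.1.1 CONNACK return codes
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def make_mqtts_context(cafile=None, certfile=None, keyfile=None):
    """TLS settings that mirror the device checklist: TLS 1.2+, verify the broker,
    trust only our root CA, present a client certificate if we have one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0 / TLS 1.0 / TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # broker must present a valid certificate
    ctx.check_hostname = True                      # ... whose name matches the host we dial
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # trust only the uploaded root CA
    else:
        ctx.load_default_certs()                   # fall back to the OS trust store
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # client cert + key = mutual authentication
    return ctx


def _mqtt_string(s):
    """MQTT UTF-8 string: 2-byte big-endian length followed by the bytes."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 data bits per byte, high bit = more follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keepalive=60):
    """MQTT 3.1.1 CONNECT packet with a clean session."""
    flags = 0x02                                   # clean session
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password)
    var_header = _mqtt_string("MQTT") + bytes([4, flags]) + keepalive.to_bytes(2, "big")
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(data):
    """Decode the broker's CONNACK; return code 0 means we were accepted."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet: %s" % data.hex())
    return {
        "session_present": bool(data[2] & 0x01),
        "return_code": data[3],
        "description": CONNACK_CODES.get(data[3], "reserved"),
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection before CONNACK")
        buf += chunk
    return buf


def mqtts_connect_test(host, port=8883, client_id="dtu-test", cafile=None,
                       certfile=None, keyfile=None, username=None, password=None, timeout=10):
    """Open a verified TLS session, send CONNECT, read CONNACK, then DISCONNECT."""
    ctx = make_mqtts_context(cafile, certfile, keyfile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result = {"tls_version": tls.version(), "cipher": tls.cipher()[0]}
            tls.sendall(build_connect(client_id, username, password))
            result.update(parse_connack(_recv_exact(tls, 4)))
            tls.sendall(b"\xe0\x00")               # DISCONNECT, so the broker logs a clean exit
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "broker.example.com"   # placeholder name
    try:
        print(mqtts_connect_test(host, cafile="root-ca.pem",
                                 certfile="device.crt", keyfile="device.key"))
    except ssl.SSLCertVerificationError as exc:
        # wrong root CA, hostname mismatch and expired certificates all land here
        print("TLS verification failed:", exc)
```

A return code of 5 (not authorized) after a clean handshake means the certificates are fine and the problem is on the broker’s authorization side; an `ssl.SSLCertVerificationError` before any MQTT bytes are exchanged points at the root CA, the hostname or an expired certificate. The same context settings are what the device’s web UI sets for you when you pick TLS 1.2/1.3 and upload the three files.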

Common Pitfalls and Best Practices
Certificate Expiration
Certificates expire. When they do, the TLS handshake fails and the device drops offline, often long after anyone last looked at its configuration.
Fix: Enable “Remote Device Management” or certificate auto-update features if available. Track the expiry date of every device certificate and renew well before it, ideally with an automated check rather than a calendar reminder, and keep a renewal window of several weeks so one missed renewal does not become an outage.
Firmware Version
TLS support requires recent firmware. Older versions may not include the necessary libraries.
Fix: Before deployment, verify firmware version. Update if needed. The TLS feature increases firmware size, so allow extra time for the upgrade process.
Configuration Tools
Some devices require specific versions of configuration software to manage certificates.
Fix: Use the recommended tool version (e.g., Vircom v6.66 or later) for certificate configuration.
Root Certificate Renewal
When the CA that signs the broker’s certificate is rotated, every device needs the new root CA before the broker starts presenting a certificate chained to it; a device still holding only the old root will reject the new certificate and drop offline.
Fix: Plan for root certificate rotation. Push the new root CA to all devices while the old one is still in use (a CA bundle containing both is the safest form), confirm every device has received it, then switch the broker, and only then retire the old root.
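To turn the two certificate pitfalls above (device certificate expiration and root CA rotation) into something you monitor rather than remember, here is an audit script added as an example; it is not part of the original guide or any vendor tool and uses only the Python standard library. It reads the expiry dates the `ssl` module exposes for the CA bundle the devices trust and for the broker’s live certificate, and flags anything inside a renewal window. The file name root-ca.pem, the broker name broker.example.com, the 30-day window and the sample certificate dictionary are constructed assumptions.

```python
"""Certificate expiry audit for an MQTTS deployment, standard library only.

Assumptions (not from the guide): root-ca.pem is the CA bundle uploaded to the
devices, broker.example.com is a placeholder broker, and 30 days is the renewal
window; adjust all three to your environment.
"""
import socket
import ssl
import time

RENEWAL_WINDOW_DAYS = 30   # assumed policy: renew anything with under 30 days left


def cert_time(s):
    """Parse the 'Jun  1 12:00:00 2026 GMT' format used in getpeercert() dicts."""
    return ssl.cert_time_to_seconds(s)


def days_until_expiry(cert, now=None):
    """`cert` is a dict shaped like ssl.SSLSocket.getpeercert() output."""
    not_after = cert_time(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400.0


def renewal_status(cert, now=None, window_days=RENEWAL_WINDOW_DAYS):
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days < window_days:
        return "RENEW_NOW"
    return "OK"


def common_name(cert):
    """Subject CN from the nested ((('commonName', 'x'),), ...) structure."""
    names = {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}
    return names.get("commonName", "<no CN>")


def audit_ca_file(cafile, now=None):
    """Check every CA certificate in the bundle the devices trust. During a root
    rotation this should list both the old and the new root until the old one is retired."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return [(common_name(c), renewal_status(c, now), round(days_until_expiry(c, now), 1))
            for c in ctx.get_ca_certs()]


def audit_broker_cert(host, port=8883, cafile=None, now=None, timeout=10):
    """Fetch the broker's leaf certificate over a verified TLS handshake and check it."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return common_name(cert), renewal_status(cert, now), round(days_until_expiry(cert, now), 1)


# Constructed sample in the getpeercert() shape, so the logic can run offline.
SAMPLE_BROKER_CERT = {
    "subject": ((("commonName", "broker.example.com"),),),
    "notBefore": "Jun  1 12:00:00 2025 GMT",
    "notAfter": "Jun  1 12:00:00 2026 GMT",
}

if __name__ == "__main__":
    pretend_now = cert_time("May 12 12:00:00 2026 GMT")   # 20 days before expiry
    print(common_name(SAMPLE_BROKER_CERT), renewal_status(SAMPLE_BROKER_CERT, pretend_now))
    # Live checks (need the real file and network access to the broker):
    # print(audit_ca_file("root-ca.pem"))
    # print(audit_broker_cert("broker.example.com", cafile="root-ca.pem"))
```

The standard library has no X.509 parser for the device’s own client certificate file, so that one is covered by `openssl x509 -in device.crt -noout -enddate` on the workstation that issued it. Run the audit from a scheduled job and alert on anything other than OK; a RENEW_NOW on a root CA is the signal to start the bundle-both-roots rotation described above.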
Why This Matters: A Real Scenario
Consider a utility company deploying 4G DTUs at remote pump stations. Each DTU connects to a PLC over RS485 and sends pump status, pressure, and flow data to a central SCADA system via MQTT.
Without TLS:
- Data is plaintext between the DTU and the broker
- An attacker anywhere on that path (a rogue base station, the carrier or transit network, or the internet segment to the broker) could intercept and read operational data
- Worse, they could inject commands to start or stop pumps
With TLS:
- All data is encrypted between the DTU and the broker, and the broker’s certificate proves the DTU is talking to the real endpoint
- Mutual authentication ensures only authorized DTUs can connect
- Certificate management prevents long-term security drift
This is why industrial 4G DTUs with MQTT over TLS are becoming standard for critical infrastructure.
What the Market Says
The global industrial wireless market is growing. According to MarketsandMarkets:
| Metric | Value |
|---|---|
| Industrial wireless market (2024) | USD 6.2 billion |
| Projected by 2030 | USD 12.8 billion |
| Annual growth | 11.1% CAGR |
Security features—including encrypted protocols like MQTTS—are cited as key drivers for adoption in industrial environments.
Next Steps
MQTT over TLS isn’t complicated, but it requires attention to certificates and firmware versions.
Key points to remember:
- Use TLS 1.2 or 1.3 (avoid older versions)
- Implement mutual authentication where possible
- Plan for certificate expiration—set reminders or use auto-update
- Verify firmware and software versions before deployment
- Start with a test connection before moving to production
If you’re deploying remote monitoring with cellular networks, or connecting RS485 equipment to cloud platforms, TLS-encrypted MQTT is a practical step toward securing your industrial IoT infrastructure.

