IoT News Digest 2622
Weekly Strategy Signals for Connected Hardware
This week's IoT News Digest at a glance. Earth-by-night background image: NASA via Wikimedia Commons.
This week’s stories cluster around three pressures now shaping IoT roadmaps: securing hardware for the quantum era, extending wireless coverage beyond terrestrial networks, and closing the governance gap as AI agents enter operational technology environments.
The common thread is earlier control. Security, connectivity, logging, and deployment services are all moving upstream - into silicon choices, network standards, procurement rules, and managed service contracts - rather than being patched around products after deployment.
Cross-Cutting Signals
Post-quantum cryptography is reaching open-source silicon.
GlobalPlatform’s Pavona distribution gives IoT chip designers access to ML-KEM and ML-DSA algorithms aligned with FIPS 140-3, lowering the cost barrier that has kept PQC out of constrained embedded designs.
Satellite connectivity is becoming part of the cellular IoT stack.
Telenor IoT and Sateliot’s 3GPP Release 17 NTN partnership means OEMs can design one NB-IoT product that uses terrestrial cellular where available and LEO satellite where it is not, without custom firmware or antennas.
Battery-free IoT is becoming a managed supply chain service.
AT&T’s expanded role with Wiliot - installation, certification, maintenance, and connectivity - signals that operators increasingly see IoT deployment as a service category, not just a connectivity add-on.
Manufacturing AI is moving faster than its security controls.
Darktrace finds that only 37% of manufacturers have formal AI deployment policies, while 51% say they are unprepared for AI-driven threats. The gap becomes more serious as AI agents gain access to OT data and production systems.
This Week at a Glance
Five developments this week span silicon security, supply chain IoT, satellite connectivity, federal cyber governance, and AI-driven manufacturing exposure.
GlobalPlatform Pavona brings post-quantum cryptography to open silicon. GlobalPlatform launched Pavona, an open silicon distribution combining composable root-of-trust architecture with production-grade PQC, including ML-KEM and ML-DSA algorithms showing 6-9x performance gains on embedded silicon at TSMC 3nm. Founding members include Meta, Qualcomm Technologies, Tenstorrent, Analog Devices, and ZeroRISC.
AT&T expands into full-stack supply chain IoT through Wiliot. AT&T broadened its Wiliot partnership to cover systems integration, certification, field deployment, and maintenance alongside connectivity. Wiliot’s battery-free IoT Pixels track location and temperature, with deployments reporting 99% inventory accuracy, 30-50% receiving labor reductions, and up to 90% fewer mis-shipments.
Telenor IoT and Sateliot link NB-IoT devices to LEO satellite coverage. The partners will enable standard NB-IoT devices supporting 3GPP Release 17 to connect through Sateliot’s LEO constellation without hardware changes, firmware changes, or custom antennas. Field tests in Spain validated the approach for agriculture, maritime, logistics, and energy use cases.
OMB extends centralized logging requirements to federal IoT and OT systems. Memorandum M-26-14 replaces earlier logging mandates with a risk-based framework requiring continuous event monitoring and six-month searchable log retention across federal systems, explicitly including IoT devices and OT environments. CISA has 90 days to publish an OT-specific Logging Reference Architecture.
Darktrace warns that manufacturing AI is creating unmanaged OT exposure. Darktrace research finds that 76% of manufacturing security professionals are seeing AI-powered threats, 51% feel unprepared for AI-driven attacks, and only 37% have formal AI deployment policies, even as AI agents reach scheduling, inspection, logistics, and maintenance systems.
News In Detail
1. GlobalPlatform Pavona: Open Silicon Security With Post-Quantum Cryptography
Post-quantum cryptography is now available as open-source silicon IP, lowering the cost and integration barrier for resource-constrained IoT designs.
GlobalPlatform launched Pavona on May 26, 2026, positioning it as the first open silicon distribution with production-grade post-quantum cryptography for embedded and high-performance systems. The distribution includes two taped-out reference designs fabricated at TSMC 3nm: a standalone chip root of trust and an integrated root of trust for chiplet architectures. Instead of fixed reference designs, Pavona provides a composition engine and curated IP library, allowing chip teams to assemble security subsystems for architectures ranging from AI datacenter chips to constrained IoT devices. The algorithms include ML-KEM and ML-DSA, with reported 6-9x performance improvements on embedded silicon and minimal area cost. The framework aligns with FIPS 140-3 and Common Criteria certification requirements.
The founding membership - including Meta, Qualcomm Technologies, Tenstorrent, Analog Devices, ZeroRISC, the Max Planck Institute for Security and Privacy, and others - reflects the range of silicon categories Pavona is designed to serve. Governance follows the Yocto and Zephyr model: a GlobalPlatform-hosted foundation with an independent Technical Steering Committee controlling the technical roadmap. Pavona is positioning itself as an equivalent open layer for hardware security IP.
For IoT products designed today with 15-20 year operational lifespans, the security architecture is being locked in now. Classical cryptographic algorithms certified for those lifetimes may face quantum attack risk within the deployment window. Pavona’s composable model lets chip teams build post-quantum readiness into root-of-trust IP at design time instead of retrofitting it later. Its FIPS 140-3 alignment also shortens the certification path for regulated markets such as medical devices, automotive, and critical infrastructure, where security certification is often a procurement requirement.
Signals to Watch
Whether Qualcomm Technologies or Tenstorrent release production silicon incorporating Pavona IP, proving the model can move from reference tape-out to volume silicon.
Whether EU CRA conformity assessment bodies begin including post-quantum readiness in hardware security evaluations, turning Pavona’s certification alignment into a compliance advantage.
Whether competing hardware security initiatives from Arm TrustZone or RISC-V foundations converge with Pavona’s composable approach or differentiate against it.
Key Links
2. AT&T Moves Deeper Into Full-Stack Supply Chain IoT Through Wiliot
AT&T is moving from connectivity supplier to deployment integrator for Wiliot’s battery-free supply chain tags, reframing what carriers offer connected hardware teams.
AT&T expanded its collaboration with Wiliot in May 2026, taking on device certification, field deployment, systems integration, and ongoing maintenance alongside its existing connectivity role. Wiliot’s platform uses battery-free IoT Pixels - Bluetooth sensors that harvest ambient radio-frequency energy instead of carrying a battery - to track location, temperature, and other attributes from physical goods. Deployments across tens of thousands of sites and hundreds of millions of assets report 99% inventory accuracy, dock-to-stock time reduced from 24-48 hours to 2-6 hours, 30-50% receiving labor reductions, and up to 90% fewer mis-shipments. Wiliot says most Fortune 50 companies with active supply chain programs are customers.
The move positions AT&T as a managed IoT service provider rather than a connectivity utility. Battery-free tags remove the maintenance burden that has historically limited BLE tracking to higher-value goods: when every tag needs battery replacement, the economics break down for cartons, returnable packaging, and other ambient-value assets. AT&T’s role extends that argument to deployment, reducing the coordination overhead across tags, gateways, networks, and maintenance vendors.
Supply chain hardware teams should test whether the battery-free model fits the lifecycle economics of their target asset category. The 30-50% labor reduction and 90% mis-shipment reduction figures are vendor-reported from deployed customers, not forecasts, but they still create a useful benchmark for RFP teams. The larger signal is that carriers are competing for the deployment contract, not only the SIM slot.
Signals to Watch
Whether Verizon or T-Mobile announce comparable managed supply chain IoT offerings, confirming battery-free IoT integration as a carrier service category.
Whether Wiliot extends the AT&T collaboration beyond retail supply chains into industrial and manufacturing logistics, where harsher environments will test energy-harvesting tags.
Whether pharmaceutical cold chain and medical device tracking programs adopt battery-free Pixels, where temperature monitoring and battery elimination create combined regulatory value.
Key Links
3. Telenor IoT and Sateliot Link NB-IoT Devices to LEO Satellite Coverage
Standard NB-IoT devices with 3GPP Release 17 support can now connect through Sateliot’s LEO satellite network without hardware changes, reducing the need for separate remote-connectivity hardware stacks.
Telenor IoT and Sateliot announced a partnership on May 28, 2026, to let standard NB-IoT devices connect through Sateliot’s LEO satellite constellation as a direct extension of terrestrial cellular coverage. The technical foundation is 3GPP Release 17, which standardizes 5G Non-Terrestrial Network specifications. Devices supporting Release 17 NTN connect to Sateliot satellites without hardware modifications, custom antennas, or firmware changes. Field tests in Spain validated satellite connectivity using Telenor IoT SIM cards, with additional multi-country testing planned before commercial launch. Target sectors include agriculture, maritime, transport and logistics, and energy infrastructure, where terrestrial cellular coverage is often unavailable for long periods.
OEMs building for agricultural equipment, offshore vessels, or remote pipeline infrastructure have traditionally faced two choices: maintain separate hardware variants or use more expensive hybrid modems. The 3GPP NTN path changes that equation. A single Release 17 device design can cover both terrestrial cellular and LEO satellite, reducing separate product lines and satellite-specific certification work.
Hardware teams designing remote agricultural, maritime, logistics, or energy devices should track when their target silicon vendors ship Release 17 NTN-compliant modules. That timing determines when the single-hardware architecture becomes production viable. Commercial availability and per-connection satellite pricing will decide whether this approach undercuts existing dual-stack or satellite-only architectures. The Spain field tests confirm the technical route; the commercial model is still forming.
Signals to Watch
Commercial availability dates and per-connection pricing from Telenor IoT and Sateliot, which will show whether the 3GPP NTN path undercuts traditional satellite IoT economics.
Release 17 NTN-certified products from major NB-IoT chipset and module vendors such as Nordic Semiconductor, Sequans, and Quectel.
Agricultural and maritime IoT platforms specifying 3GPP Release 17 NTN support in procurement requirements, turning the standard from optional feature into supply chain baseline.
Key Links
4. OMB Directive M-26-14 Extends Centralized Logging to Federal IoT and OT Systems
OMB (Office of Management and Budget) has extended mandatory logging and AI-assisted monitoring expectations to federal IoT and OT systems, with CISA due to publish an OT-specific logging reference architecture within 90 days.
The White House Office of Management and Budget issued Memorandum M-26-14 on May 22, 2026, replacing the Biden-era M-21-31 logging mandate with a risk-based framework for federal cybersecurity monitoring. The directive explicitly covers all federal information systems, including IoT devices and OT environments that lack native logging capabilities. Requirements center on two objectives: Continuous Event Monitoring for real-time anomaly detection, and Threat Hunting, Investigation, Response, and Forensics for centralized post-compromise analysis. Minimum retention requirements are six months for searchable logs and one year for retrievable records. CISA has 90 days to publish a Logging Reference Architecture that includes OT-specific logging methods, followed by agency-level implementation plans.
The directive reflects the AI-accelerated threat environment documented in last week’s Verizon DBIR. OMB notes that adversaries are using AI to compress the time between initial access and lateral movement, while also improving persistence. The move from M-21-31’s large-volume retention requirement to a risk-based CEM model reflects enterprise feedback that compliance-driven log storage has not produced proportional security outcomes. The directive also requires agencies to examine how AI can improve monitoring and forensic capabilities, making AI-assisted detection a mandatory evaluation topic in federal IT and OT environments.
For vendors selling to federal civilian agencies, defense contractors, or critical infrastructure operators that mirror federal security standards, the IoT and OT scope matters. Device makers and platform vendors that cannot document how their products export log data for centralized collection will face a difficult audit question. Teams building connected products for defense, healthcare, or utilities should evaluate their architecture against CISA’s forthcoming Logging Reference Architecture before procurement requirements harden around it.
Signals to Watch
CISA’s Logging Reference Architecture publication, expected in mid-August 2026, which will specify OT logging methods and AI-assisted detection expectations for federal IoT and OT procurement.
Updated Federal Acquisition Regulation clauses that convert the OMB memo from agency guidance into contractual terms for connected-hardware procurements.
Critical infrastructure sectors such as energy, water, and healthcare referencing M-26-14 logging standards in their own sector guidance.
Key Links
OMB - M-26-14 full text: Ensuring Effective and Efficient Agency Logging and Network Visibility
Federal News Network - OMB revamps federal cyber event logging requirements
5. Darktrace: AI in Manufacturing Is Creating OT Exposure Security Teams Are Not Ready For
Most manufacturers lack formal AI deployment policies, even as AI-powered attacks are already reaching OT operations.
Darktrace published research in May 2026 on how AI agent deployment in manufacturing is creating new cyber exposure. Among manufacturing security professionals surveyed, 76% are already experiencing AI-powered threats, 51% say they are unprepared for AI-driven attacks, and only 37% have formal AI deployment policies. AI agents are being deployed in production scheduling, quality inspection, logistics, and predictive maintenance - processes directly connected to OT data and physical operations - often with broad permissions and limited oversight. Darktrace identifies three requirements for managing AI risk in OT: visibility into where AI systems operate and what they can access, behavioral context for detecting deviations, and guardrails embedded into systems rather than applied afterward.
The exposure pattern is architectural. AI agents deployed for operational efficiency need permissions across OT data systems to do their jobs: reading sensor feeds, writing to scheduling systems, and flagging anomalies. Those same permissions make them attractive targets. A threat actor who can influence an AI agent’s decisions without triggering signature-based detection may gain broader operational reach than one who compromises a single workstation. The low share of manufacturers with formal AI deployment policies suggests that capability is being deployed faster than the governance needed to monitor misuse.
Product teams building AI-augmented industrial hardware should treat the device’s AI agent as part of the attack surface from the first connection to a customer’s OT network. Security requirements should include logging the agent’s access and decision history, limiting write permissions to documented operational parameters, and exposing behavioral dashboards to customers. Products that ship AI capabilities without these controls reproduce the governance gap the Darktrace data is already exposing.
Signals to Watch
IEC 62443 or NIST SP 800-82 guidance that directly addresses AI agent security in OT environments, formalizing visibility, behavioral context, and guardrail requirements.
Manufacturing cyber insurance policies that require AI agent deployment policies, turning the governance gap into a financial incentive.
Industrial automation vendors such as Siemens, ABB, and Rockwell shipping AI-capable platforms with behavioral audit trails as standard features rather than leaving logging entirely to the customer.
Key Links
From TheRoad / IoT News Digest
Previous issue: IoT News Digest #2621 covered Verizon DBIR 2026’s finding that software vulnerability exploitation overtook credential theft as the leading breach vector for the first time in nineteen years; Google opening Gemini AI to its 750-million-device Home platform at I/O 2026; Northern.tech extending Mender OTA to Zephyr microcontrollers alongside a 60% OEM infrastructure strain report; Ericsson and Net Feasa deploying carrier-grade 5G IoT on container vessels; and Comminent shipping 500,000 Wi-SUN modules for India’s national smart meter program targeting 250 million endpoints.
Deep dive and case submissions: Tangibles case study submission page - share real-world examples of connected products, smart infrastructure, and service-backed hardware.
Tangibles book progress: GlobalPlatform Pavona strengthens the security chapter’s argument that trust must be designed into hardware at the earliest stage. Its reported 6-9x performance improvement for ML-KEM and ML-DSA on embedded silicon directly addresses the objection that post-quantum cryptography is too costly for constrained devices. The AT&T and Wiliot collaboration reinforces the services chapter: hardware value increasingly accumulates in the operational layer around the device. Reported outcomes such as 99% inventory accuracy and 90% fewer mis-shipments carry the buyer value proposition, while AT&T’s role in installation, certification, and maintenance shows how service integration can become the defensible layer.
How to Use This Digest
Audit post-quantum readiness. For IoT devices designed for 15-year deployments, check whether the root of trust can incorporate PQC algorithms and whether Pavona’s open distribution changes the cost of building that flexibility at tape-out.
Map log export capabilities. Products sold to US federal agencies, defense contractors, or critical infrastructure operators should be checked against CISA’s forthcoming Logging Reference Architecture before August 2026 hardens procurement expectations.
Use one story for cross-functional discussion. Bring one item into product, hardware, security, and operations meetings each week to test how platform and policy shifts affect portfolio assumptions and contracts.
Govern AI agents before deployment. For any AI agent in an industrial or OT product context, document what it can access, what it can write, and how its decisions are logged. That is now a security requirement, not an operational preference.
This news digest is compiled weekly. If you find this useful, subscribe here for future issues.
Also, do share it with a colleague.