Lock the memory so that update is physical only and restart regularly to avoid no-memory malware. Not 100% secure and very inconvenient, so people prefer to isolate IOT in its own network and preferably have a good network security like putting the devices behind VPN/firewall/other gatekeeper.
Actually, if you want to have IOT access outside of the network, the best approach is to close all ports and for the device to initiate connection with a control server. The device is dark when scanned while a heartbeat signal will ensure connectivity. This will require a good security on the control server, but that is okay because server security is much better understood and does not suffer from the constraints of the embedded software.
