The Internet of Things (IoT) is creating a network of cyber-physical devices (sensors, actuators, and other devices) that monitor and control physical systems, such as manufacturing facilities operating under the Industry 4.0 paradigm, while collecting and sharing massive amounts of data globally over the internet. As the IoT security landscape evolves, so does the “cyber mafia,” which targets cyber-physical systems from the corporate level all the way to Industry 4.0 shop-floor control systems, in which IoT is a key component. IoT devices are becoming ubiquitous and controllable from hand-held devices, raising the potential to disrupt or destroy large industrial complexes at the touch of a screen if they are not properly protected. This growing risk mandates the adoption of new approaches to incorporating rigorous security standards into IoT systems as early as possible in their system lifecycle. A methodology is presented for incorporating security into IoT systems as a bona fide, quantifiable attribute that is built into the components (objects) and operations (processes). To this end, the synergy of combining model-based systems engineering with embedded IoT system security is leveraged. At the heart of the methodology is a combined qualitative-quantitative IoT OPM model of the system with security scores, which provides for evaluating underlying system configurations, each with its own level of security and possibly other optimization criteria. This approach enables balancing IoT systems’ metrics, such as performance and cost, with security, and even optimizing the system under specified constraints.