ZERO-TRUST ARCHITECTURE FOR INDUSTRIAL IOT (IIOT): PROTECTING CRITICAL INFRASTRUCTURE IN IT/OT CONVERGENCE
DOI: https://doi.org/10.32782/2786-9024/v4i6(38).359304
Keywords: Zero-Trust, IIoT, micro-segmentation, convergence, cyber resilience.
Abstract
The purpose of the article. The current stage of industrial systems development is characterised by an unprecedented integration of information technology (IT) and operational technology (OT), resulting in complex ecosystems of the Industrial Internet of Things (IIoT). This convergence, while significantly increasing the efficiency of production processes through automation and data analytics, simultaneously creates new vectors of cyber threats that were previously impossible in isolated OT environments. Traditional perimeter protection models, based on the assumption of trust in everything inside the corporate network, lose effectiveness as infrastructure boundaries blur, cloud computing and edge devices (Edge Computing) are used, and remote access is enabled. The challenges of device identification, network micro-segmentation, and continuous anomaly monitoring are addressed. Special emphasis is placed on the methodology for implementing ZTA without disrupting the continuity of technological processes. The purpose of the article is to develop theoretical and methodological principles for applying zero-trust architecture to protect convergent IT/OT systems in critical infrastructure, and to substantiate the effectiveness of this approach in minimising the risk of unauthorised access and ensuring data integrity in industrial ecosystems. Scientific novelty. The scientific novelty of the research lies in developing an adaptive model for implementing the Zero Trust architecture in heterogeneous IIoT environments, which, unlike existing approaches, accounts for the strict latency constraints of industrial automation protocols and the specifics of the OT equipment life cycle. A method for dynamically calculating the trust level (Trust Score) of industrial controllers and sensors is proposed, based not only on static identification attributes but also on real-time behavioural analysis of the technological process. Results.
The work forms a holistic conceptual and methodological model for implementing Zero-Trust architecture for Industrial IoT in the context of IT/OT convergence, combining asset and data flow identification, micro-segmentation, continuous verification of subjects/devices, and context-adaptive access control. A set of critical control points (policy enforcement points) for typical IIoT chains “field devices – gateways – edge/SCADA – analytical services” is specified, and a consistent telemetry profile is proposed for assessing trust in nodes (device posture), taking into account OT constraints on latency and determinism. A practice-oriented “Zero-Trust-Inventory” procedure for mixed-protocol environments (including industrial ones) has been developed, which allows access policies to be formalised at the level of minimally necessary privileges and linked to roles, functions, device state, and network context. Additionally, mechanisms for secure interaction between IT and OT domains through trust gateways have been substantiated, and an approach to phased migration from the perimeter model to Zero Trust without disrupting technological processes has been proposed. It has been shown that the most effective combination for IIoT is: (i) segmentation by technological contours, (ii) strong management of machine subject identities (certificates/attestation), (iii) constant behaviour monitoring, and (iv) automated response to policy deviations. The results obtained form the basis for creating a unified profile of Zero-Trust maturity requirements for critical IIoT systems. They are suitable for use when designing or modernising convergent IT/OT infrastructure. Conclusions. Zero-Trust architecture is a methodologically sound response to specific IIoT threats, which are exacerbated by IT/OT convergence and the growth of heterogeneous devices and interaction channels.
Adequate protection of critical IIoT infrastructure is achieved not by declarative “zero trust”, but by the systematic implementation of managed policy enforcement points, micro-segmentation and continuous access context verification. The model, inventory procedure, and telemetry profile proposed in the article enable alignment of cybersecurity requirements with the technological limitations of OT environments (determinism, availability, limited node resources), minimising the risk of process downtime. The transition to Zero Trust should be implemented in stages, starting with critical areas and the riskiest inter-domain interactions, and then expanding policies to the entire device and service life cycle.
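As an added illustration (not code from the article), the following Python sketch shows the kind of policy enforcement point the abstract describes: a trust score built from static posture attributes (certificate, attestation freshness, firmware) plus behavioural telemetry of the process (write rate against a learned baseline, unexpected function codes), with controller write access stepped down to read-only rather than cut off when trust degrades, so process visibility survives. Field names, weights and thresholds are assumptions, not the article's method.

```python
from dataclasses import dataclass


@dataclass
class DevicePosture:
    # Static identification attributes (hypothetical fields)
    cert_valid: bool
    attestation_age_s: int      # seconds since the last successful attestation
    firmware_approved: bool


@dataclass
class Behaviour:
    # Real-time telemetry of the technological process (hypothetical fields)
    write_rate: float           # e.g. Modbus write requests per minute
    baseline_write_rate: float  # learned profile for this node
    unknown_function_codes: int # requests outside the learned function-code set


def trust_score(p: DevicePosture, b: Behaviour) -> float:
    """Combine posture and behaviour into a 0..1 score (illustrative weights)."""
    score = 0.0
    score += 0.3 if p.cert_valid else 0.0
    score += 0.2 if p.attestation_age_s <= 3600 else 0.0   # attested within the last hour
    score += 0.2 if p.firmware_approved else 0.0
    # Behavioural part: penalise drift from the learned process profile
    ratio = b.write_rate / b.baseline_write_rate if b.baseline_write_rate > 0 else float("inf")
    score += 0.2 if ratio <= 1.5 else (0.1 if ratio <= 3.0 else 0.0)
    score += 0.1 if b.unknown_function_codes == 0 else 0.0
    return round(score, 2)


def enforce(score: float, operation: str) -> str:
    """Policy enforcement point decision for one request.

    Writes to a controller need a higher score than reads; degraded trust
    steps the node down to read-only instead of isolating it outright, and
    only a low score triggers quarantine (automated response to deviation).
    """
    if operation == "write":
        if score >= 0.8:
            return "allow"
        if score >= 0.5:
            return "deny-write:read-only"
        return "deny:quarantine"
    # read / monitoring traffic
    return "allow" if score >= 0.5 else "deny:quarantine"
```

The score is evaluated per request from cached posture and telemetry, so the decision itself is a few comparisons and adds no round trips on the control path.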
