Skip to main content
Have a personal or library account? Click to login
A Zero-Trust Iot Security Architecture for Defence and Public Security Systems Cover

A Zero-Trust Iot Security Architecture for Defence and Public Security Systems

Open Access
|Jun 2026

Full Article

1.
Introduction

The rapid integration of Internet of Things (IoT) technologies into defence and public security systems has fundamentally reshaped modern military and security operations. Distributed sensors, edge-processing units, and intelligent communication infrastructures now support surveillance, reconnaissance, logistics coordination, border monitoring, and emergency response functions. These interconnected systems enable real time situational awareness and distributed decision-making in increasingly complex operational environments (Burmaoglu et al., 2019; Bognár, 2018). As a result, IoT platforms have become integral components of contemporary defence and civil-military infrastructures. However, the operational advantages of IoT deployment are accompanied by significant cybersecurity challenges. Defence IoT environments typically operate across heterogeneous devices, resource-constrained hardware platforms, and mission-critical communication channels, often within contested or adversarial conditions (Sfar et al., 2017). This structural complexity substantially expands the cyber-physical attack surface. Threat vectors such as sensor spoofing, unauthorized device access, insider compromise, data injection, and lateral movement across network segments have been widely documented in IoT security research (Cha et al., 2018; Damianou et al., 2021). Moreover, prior studies indicate that compromise of a single node may trigger cascading system-level consequences, highlighting the fragility of conventional security approaches in distributed IoT deployments (Casola et al., 2019).

Despite these risks, many defence IoT systems continue to rely on perimeter-based security architectures. In such models, trust is implicitly granted to devices and users once network access is established (Khan, 2023). While this approach was appropriate for centralized and relatively static infrastructures, it is increasingly misaligned with highly distributed, mobile, and heterogeneous IoT ecosystems. Once perimeter protections are bypassed, traditional architectures often provide limited mechanisms to restrict internal lateral movement or privilege escalation (Arifeen et al., 2021). In mission-critical defence and public security contexts, where operational continuity and rapid recovery are strategic imperatives, this structural weakness represents a substantial vulnerability. The Zero-Trust security paradigm has emerged as an alternative model designed to address these limitations. Built on the principle of “never trust, always verify”, Zero-Trust architectures eliminate implicit internal trust and require continuous validation of every access request, regardless of network location (Ghasemshirazi et al., 2023). Zero-Trust mechanisms have been extensively explored in enterprise IT systems, cloud environments, and industrial infrastructures, where they have demonstrated improved resistance to insider threats and internal attack propagation (Paul & Rao, 2022; Feng & Hu, 2023). More recent research has combined Zero-Trust principles with structured threat modelling frameworks such as MITRE ATT&CK to support systematic adversary behaviour mapping (Ahn et al., 2024). However, the majority of existing Zero-Trust studies remain enterprise-centric or industrially oriented. They do not sufficiently account for the operational constraints, layered command hierarchies, contested communication environments, and cyber-physical interdependencies characteristic of defence and public security IoT systems.

In particular, there is limited research that formally contrasts perimeter-based IoT security models with defence-tailored Zero-Trust architectures using a transparent, scenario-driven, and reproducible architectural evaluation framework. Furthermore, the specific architectural mechanisms through which Zero-Trust principles reduce attack surface exposure and constrain internal threat propagation in mission-oriented IoT environments have not been systematically formalized within a comparative assessment structure. To address these gaps, this study proposes a defence-oriented, layered Zero-Trust IoT security architecture that embeds continuous authentication, identity-centric access control, least-privilege enforcement, and micro-segmentation across the sensor, edge, network, and command-and-control layers. In addition, a structured scenario-based architectural risk evaluation model is introduced to comparatively analyse the proposed design against conventional perimeter-based IoT architectures under representative defence threat scenarios. By integrating defence-specific architectural design with a transparent and reproducible evaluation framework, this work provides architecture-level insight into how Zero-Trust principles can enhance structural resilience and containment capability in mission-critical IoT systems.

1.1.
Contributions

The main contributions of this study can be summarized as follows:

  • A defence-oriented Zero-Trust IoT architecture is proposed, explicitly tailored to the structural and operational characteristics of mission-critical defence and public security environments. Unlike conventional enterprise-focused Zero-Trust models, the architecture systematically integrates continuous authentication, identity-aware access control, least-privilege enforcement, and micro-segmentation across the sensor, edge, network, and command-and-control layers to address adversarial cyber-physical threat conditions.

  • A transparent and reproducible scenario-based architectural risk evaluation framework is developed to enable structured comparison between security paradigms. The framework formalizes evaluation criteria, scoring anchors, and aggregation logic, thereby providing a clearly defined method for assessing relative architectural exposure in defence IoT contexts.

  • A comparative architecture-level assessment is conducted between traditional perimeter-based IoT security and the proposed Zero-Trust IoT model using a rubric-driven scoring approach. The analysis suggests consistent model-derived reductions in relative structural exposure across representative defence attack scenarios, particularly in areas involving lateral movement and unauthorized device access.

2.
Background and Related Work
2.1.
IoT in Defence and Public Security

The Internet of Things (IoT) has become a foundational technology in modern defence and public security ecosystems. It enables a broad spectrum of applications, including battlefield surveillance, border monitoring, critical infrastructure protection, logistics coordination, and disaster response. Defence IoT systems typically consist of distributed sensors, unmanned platforms, communication nodes, and command-and-control interfaces that collectively support real-time situational awareness and informed operational decision-making. Unlike civilian IoT deployments, defence-oriented IoT environments operate under significantly stricter requirements for reliability, availability, and resilience. Failures in such systems may lead to operational disruption, strategic disadvantage, or even national security consequences. In public security and civil-military coordination contexts, IoT technologies are increasingly deployed to enhance emergency response, urban safety management, and multi-agency crisis coordination. Intelligent sensor networks enable early threat detection, rapid situational updates, and timely information exchange across agencies. However, the increasing scale, heterogeneity, and interconnectivity of defence and public security IoT infrastructures introduce substantial security challenges. These systems frequently integrate legacy platforms with modern networked devices, operate in contested or degraded communication environments, and must withstand persistent adversarial activity. Ensuring secure communication, device authenticity, and system integrity under such conditions remains a central challenge in both military and public security domains.

2.2.
Traditional IoT Security Models

Conventional IoT security strategies largely derive from perimeter-based network security paradigms originally designed for centralized information technology environments. In these models, system boundaries are protected through mechanisms such as firewalls, intrusion detection systems, and centralized access control gateways. Once devices or users successfully authenticate and enter the internal network, they are generally treated as trusted entities. Security enforcement is therefore concentrated at the boundary, while internal communication often operates under implicit trust assumptions. This approach presumes relatively stable network perimeters and a limited internal threat landscape. While such assumptions may hold in tightly controlled and centralized infrastructures, they are increasingly misaligned with the structural realities of modern IoT deployments. Defence and public security IoT systems are inherently distributed, frequently mobile, and often dependent on wireless and dynamically reconfigured communication channels. Under these conditions, defining and maintaining a fixed security perimeter becomes operationally complex. More critically, once an attacker bypasses perimeter defences, traditional architectures typically lack robust internal containment mechanisms. Controls for restricting lateral movement, limiting privilege escalation, or isolating compromised components are often insufficiently granular. As a result, initial breaches may propagate across multiple layers of the system. Several studies have highlighted that conventional IoT security frameworks tend to lack continuous authentication, fine-grained authorization policies, and adaptive response mechanisms suited to dynamic threat conditions. In mission-critical defence and public security contexts, these structural limitations pose significant risks. Operational continuity, system integrity, and rapid recovery are strategic priorities; architectures that rely on implicit internal trust may therefore introduce systemic vulnerabilities that extend beyond isolated component failures.

2.3.
Zero-Trust Security Principles

The Zero-Trust security paradigm emerged as a structural alternative to perimeter-based models. Rather than assuming trust based on network location, Zero-Trust operates on the principle that no device, user, or communication path should be implicitly trusted. Every access request must be verified continuously, regardless of whether it originates inside or outside the network boundary. Access decisions are evaluated based on identity, contextual attributes, and behavioural indicators, with permissions granted strictly according to least-privilege principles. Core Zero-Trust mechanisms include continuous authentication and authorization, strong device identity management, micro-segmentation of network resources, and persistent monitoring of user and device behaviour. By eliminating implicit internal trust and constraining unrestricted communication pathways, Zero-Trust architectures aim to limit breach impact and improve containment capability following compromise. Although Zero-Trust has gained substantial traction in enterprise IT systems, cloud infrastructures, and industrial environments, its systematic adaptation to defence-oriented IoT ecosystems remains comparatively underexplored. Much of the existing literature focuses on software-defined enterprise networks or industrial automation platforms, where operational assumptions differ significantly from those of mission-critical defence and public security systems. Defence IoT environments must contend with resource-constrained sensing devices, hierarchical command structures, contested communication channels, and adversarial cyber-physical threat conditions. These distinct characteristics require architectural considerations that extend beyond conventional enterprise Zero-Trust implementations. The absence of structured, defence-specific Zero-Trust IoT frameworks particularly those supported by transparent, scenario-driven architectural evaluation methodologies highlights a clear research gap. Addressing this gap necessitates the development of tailored architectural models capable of aligning Zero-Trust principles with the operational constraints and resilience requirements of defence and public security IoT deployments.

3.
Proposed Zero-Trust IoT Architecture

The primary contribution of this work is the design of a defence-oriented Zero-Trust IoT architecture that directly addresses the limitations of traditional perimeter-based security approaches. Rather than granting implicit trust once network access is obtained, the proposed architecture enforces continuous verification, identity-centric access control, and strict least-privilege operation across all system layers. This design philosophy aligns closely with the operational realities of defence and public security environments, where IoT systems operate under dynamic, contested, and adversarial conditions. The architecture is structured into four interconnected layers: the sensor layer, edge layer, network layer, and command- and-control layer. Zero-Trust principles are systematically embedded at each level to ensure that trust assumptions are eliminated and that all interactions are subject to continuous validation. By distributing security enforcement mechanisms throughout the architecture instead of concentrating them at the network boundary, the proposed framework reduces attack surface exposure and constrains the propagation of cyber-physical threats. Through layered enforcement of authentication, authorization, segmentation, and monitoring mechanisms, the architecture aims to enhance structural resilience and containment capability within defence and public security IoT ecosystems.

3.1.
Sensor Layer

The sensor layer consists of distributed sensing devices responsible for collecting operational data such as environmental parameters, surveillance imagery, and situational indicators. In defence and public security systems, these sensors are often deployed in exposed or hostile environments, making them particularly vulnerable to physical tampering, spoofing, and unauthorized access. To mitigate these risks, Zero-Trust enforcement at the sensor layer emphasizes strong device identity and continuous authentication. Each sensor is assigned a unique cryptographic identity that must be verified prior to data transmission. Data generated at this layer is encrypted at the source, and communication privileges are restricted strictly to authorized edge nodes. By eliminating implicit trust at the device level, the proposed architecture significantly reduces the risk of sensor spoofing and malicious data injection.

3.2.
Edge Layer

The edge layer is responsible for preliminary data processing, aggregation, and filtering before information is transmitted to higher system layers. In defence and public security operations, edge nodes play a crucial role in reducing communication latency and enabling timely decision-making under dynamic conditions. Their enhanced computational capabilities, however, also make them attractive targets for attackers seeking to escalate privileges, manipulate intermediate data, or disrupt operational functionality. Within the proposed architecture, Zero-Trust principles are enforced at the edge layer through continuous authentication of both connected devices and executing processes. Access to edge resources is governed by fine-grained, context-aware policies that adapt to operational roles and mission requirements. Even when successfully authenticated, edge nodes are granted access strictly according to the principle of least privilege, meaning they can access only the resources necessary to perform their designated functions. In addition, continuous behavioural monitoring is implemented to identify anomalies or deviations from expected operational patterns. These measures collectively reduce the likelihood of undetected compromise and limit the potential impact of malicious activity at the edge.

3.3.
Network Layer

The network layer provides communication services that connect distributed IoT components and facilitate data exchange across operational domains. In many traditional defence IoT deployments, network architectures are flat or only loosely segmented, which can unintentionally enable lateral movement if an attacker gains initial access. The proposed Zero-Trust architecture addresses this weakness through the implementation of network micro-segmentation. System components are logically isolated into controlled segments, and communication paths are explicitly authorized rather than implicitly permitted. Network access decisions are dynamically evaluated based on verified device identity, communication context, and mission-specific requirements. All data flows are encrypted to protect confidentiality and integrity, and network traffic is continuously monitored for anomalous or suspicious behavior. By restricting unnecessary communication pathways and enforcing identity-based authorization, the architecture significantly reduces the potential for attack propagation and enhances containment capability under cyber-physical threat conditions.

3.4.
Command-and-Control Layer

The command-and-control layer represents the highest level of the architecture, where aggregated information is analysed and operational decisions are formulated. This layer supports mission planning, strategic coordination, and situational awareness across defence and public security units. Due to its strategic significance, compromise at this level could result in severe operational disruption or security consequences. Zero-Trust enforcement at the command-and-control layer emphasizes rigorous user authentication, role-based access control, and continuous authorization. Access to mission-critical interfaces and decision-support systems is restricted to verified users and trusted processes, with permissions dynamically adjusted according to operational context. In addition, comprehensive auditing and logging mechanisms are integrated to maintain accountability, ensure traceability, and support rapid incident response. These measures strengthen oversight while minimizing the risk of privilege misuse or unauthorized system manipulation.

3.5.
Architectural Overview

Figure no. 1 illustrates the overall structure of the proposed Zero-Trust IoT architecture tailored for defence and public security systems. The design is organized into four interdependent layers sensor, edge, network, and command-and-control each incorporating embedded Zero-Trust enforcement mechanisms aligned with its operational role. Rather than treating security as a perimeter-bound function, the architecture distributes identity verification, access control enforcement, and monitoring capabilities throughout all system layers. This layered integration ensures that authentication and authorization decisions are continuously evaluated at multiple points within the architecture, reducing reliance on any single control boundary. By embedding identity-centric policies, least-privilege principles, and logical segmentation across the vertical structure of the system, the architecture systematically minimizes implicit trust relationships between components. The resulting design enables both horizontal containment within functional domains and vertical containment across architectural tiers. Compromise at one layer does not automatically grant unrestricted progression to adjacent components, as access pathways are constrained by continuous authorization and segmentation policies. This distributed enforcement strategy enhances structural resilience by limiting attack propagation and improving containment capability under adversarial cyber-physical conditions typical of defence IoT environments.

Figure no. 1:

Proposed Zero-Trust IoT Architecture for Defence and Public Security Systems

(Source: Author’s conceptual architectural mode)

4.
Threat Modelling Framework

To evaluate the architectural security characteristics of the proposed Zero-Trust IoT design, a structured threat modelling framework is developed for defence and public security IoT environments. The purpose of this framework is to identify representative cyber-physical attack scenarios, associate them with specific architectural layers, and establish a consistent basis for comparative risk assessment. Given the mission-critical nature of defence IoT deployments, the framework focuses on threats that could directly affect system availability, data integrity, and operational decision-making processes. Rather than relying on deployment-specific datasets, the framework adopts a structured and architecture-oriented approach to analyse how different security models respond to common adversarial behaviours in defence contexts.

4.1.
Defence IoT Attack Scenarios

Defence and public security IoT systems frequently operate in adversarial settings where cyber and physical attacks may occur independently or in coordinated forms. Drawing on established security literature and practical operational considerations, this study identifies a set of representative attack scenarios that are particularly relevant to distributed defence IoT architectures.

The selected scenarios include:

  • Sensor spoofing

  • Edge node compromise

  • Insider attacks

  • Lateral movement across network segments

  • Data injection

  • Unauthorized device access

Sensor spoofing targets the data acquisition stage by injecting falsified or manipulated sensor readings, potentially leading to incorrect situational awareness and flawed operational responses. Edge node compromise involves exploiting intermediate processing components to gain elevated privileges, disrupt aggregation processes, or manipulate computational outputs. Insider attacks originate from authorized users or compromised credentials and are especially difficult to detect in traditional architectures that rely on implicit internal trust. Lateral movement describes an attacker’s ability to traverse system components after gaining initial access. Data injection and unauthorized device access focus on manipulating system inputs or introducing malicious entities into the network infrastructure. Together, these scenarios reflect a broad spectrum of cyber physical-threats that are commonly discussed in defence and public security IoT research.

4.2.
Mapping Threats to IoT Layers

To support structured evaluation, each identified attack scenario is mapped to the layered architecture of defence IoT systems. This mapping enables a clearer understanding of where vulnerabilities arise and how they propagate across system components. Sensor spoofing and unauthorized device access primarily affect the sensor layer, where device identity verification and data authenticity are essential. Edge node compromise targets the edge layer, where intermediate computation and aggregation functions are performed. Lateral movement and data injection predominantly impact the network layer, particularly in architectures with insufficient segmentation or weak internal access control. Insider threats and advanced persistent activities may extend across multiple layers, including the command-and-control layer, where operational decisions are centralized. By explicitly linking attack scenarios to architectural layers, the framework allows for a granular analysis of containment capabilities and highlights the structural limitations of perimeter-based security models, which often struggle to restrict internal threat propagation once access has been established.

4.3.
Risk Assessment Rationale

The risk assessment approach adopted in this study is comparative and scenario-driven. Instead of estimating absolute probabilities of attack occurrence, the framework evaluates relative architectural risk exposure under different security models. This approach is particularly appropriate in defence research contexts, where access to operational deployment data is often restricted.

Risk evaluation is guided by three primary architectural factors:

  • Attack surface exposure

  • Strength of authentication and access control mechanisms

  • Potential for lateral movement within the system

For each identified attack scenario, risk scores are assigned to both traditional perimeter-based IoT architectures and the proposed Zero-Trust IoT architecture. These scores represent structured assessments of relative exposure and containment capability under each architectural model. The emphasis is placed on architectural characteristics rather than system-specific implementation details.

By focusing on comparative structural properties, the framework enables a consistent and reproducible analysis of how different security paradigms influence resilience and threat containment.

4.4.
Framework Overview

Figure no. 2 presents the conceptual threat modelling framework developed for defence IoT systems. The figure illustrates the relationship between IoT architectural layers, representative cyber-physical attack scenarios, and the structured scenario-based risk evaluation process. By integrating threat identification, layered mapping, and comparative risk scoring, the framework provides a transparent foundation for analysing the architectural security implications of adopting Zero-Trust principles in defence and public security IoT environments.

Figure no. 2:

Threat modelling framework for defence IoT systems, illustrating the mapping of representative cyber-physical attack scenarios to IoT system layers and their evaluation using a scenario-based security risk assessment approach

(Source: Author’s conceptual architectural mode)

4.5.
Evaluation Assumptions and Scope Delimitation

To support clarity and responsible interpretation of the comparative analysis, it is important to outline the assumptions and scope boundaries that underpin the proposed threat modelling and risk assessment framework.

First, the evaluation is conducted at the architectural level rather than at the level of specific deployments. The framework assumes a representative defence-oriented IoT ecosystem composed of distributed sensors, intermediate edge processing units, communication infrastructure, and centralized command-and-control elements. While this abstraction reflects typical structural characteristics reported in defence IoT literature, actual operational systems may differ in scale, topology, and implementation detail.

Second, the selected attack scenarios are intended to represent structurally meaningful cyber-physical threat vectors that challenge internal trust relationships and containment mechanisms. The framework does not attempt to catalogue every possible adversarial technique. Instead, it focuses on scenarios that directly test architectural properties such as segmentation boundaries, authentication robustness, and internal propagation resistance.

Third, the comparative analysis assumes that both traditional perimeter-based architectures and the proposed Zero-Trust architecture are implemented according to their intended design principles. The objective is to contrast structural security characteristics under defined architectural assumptions rather than evaluate imperfect or partially implemented real-world systems. Finally, the risk assessment remains intentionally relative and non-probabilistic. It does not estimate attack likelihood, operational impact magnitude, or incident frequency. Rather, it provides a structured comparison of architectural exposure and containment capability within the defined scoring framework. The resulting values should therefore be interpreted as comparative architectural indicators rather than predictive security metrics. By explicitly defining its assumptions and analytical boundaries, the framework maintains methodological transparency while enabling a consistent and reproducible comparison of security paradigms in defence and public security IoT contexts.

5.
Methodology

The purpose of this methodology is to comparatively evaluate the architectural security characteristics of the proposed Zero-Trust IoT framework relative to traditional perimeter-based IoT security models. Due to the limited availability of publicly accessible defence IoT datasets and the sensitivity of operational systems, a structured scenario-based architectural assessment approach is adopted. This approach enables a transparent, reproducible, and architecture-focused evaluation without reliance on classified deployment data or implementation-specific measurements. Rather than estimating absolute vulnerability probabilities, the methodology emphasizes relative structural exposure and containment capability under defined attack scenarios. This makes it particularly appropriate for defence and public security research contexts.

5.1.
Scenario-Based Risk Evaluation Model
5.1.1.
Risk Scoring Approach

To compare the architectural security characteristics of the proposed Zero-Trust IoT framework with traditional perimeter-based IoT models, a structured scenario based evaluation approach is adopted. Each identified defence IoT attack scenario is examined independently under two architectural configurations:

  • A traditional perimeter-based IoT architecture

  • The proposed Zero-Trust IoT architecture

Security exposure is expressed using an ordinal risk scale ranging from 0 to 10. The scale is interpreted as follows:

  • 0-3: Low architectural exposure with strong containment characteristics

  • 4-6: Moderate exposure with partial containment

  • 7-10: High exposure reflecting weak containment and broad attack propagation potential

These scores represent architecture-level comparative judgments rather than empirical measurements or simulation outputs. The objective of the model is not to predict real-world breach probabilities, but to provide a transparent and reproducible framework for analysing how structural design choices influence relative security exposure.

Each scenario is evaluated using three defined criteria:

  • Attack Surface Exposure (AS)

  • Authentication and Access Control Strength (AC)

  • Lateral Movement Potential (LM)

For a given scenario sunder architecture a, the overall risk score is calculated using equal weighting: R(s,a)=AS(s,a)+AC(s,a)+LM(s,a)3R(s,a) = {{AS(s,a) + AC(s,a) + LM(s,a)} \over 3}

All three criteria are scored independently on the same 0-10 scale, and the final value represents the average structural exposure level within the defined assessment framework. The analytical logic guiding scenario evaluation is conceptually aligned with structured adversary behaviour modelling approaches; however, the present assessment remains strictly focused on architectural characteristics and does not rely on system-specific datasets, simulations, or operational testing.

5.1.2.
Robustness of Aggregation Assumptions

To assess the robustness of the aggregation approach, alternative weighting distributions were examined within defined bounds (±20% variation across the AS, AC, and LM criteria).

To provide an explicit and auditable illustration, one alternative weighting configuration was evaluated:

  • WAS = 0.4

  • WAC = 0.3

  • WLM = 0.3

Under this configuration, the risk score becomes: Rw(s,a)=0.4AS+0.3AC+0.3LM{R_w}(s,a) = 0.4AS + 0.3AC + 0.3LM

Table no. 1 presents the recalculated scenario-level results.

Table no. 1

Alternative Weighting Verification (AS=0.4, AC=0.3, LM=0.3)

Attack ScenarioTraditional IoTZero-Trust IoTComparative Ordering
Sensor Spoofing7.92.8Unchanged
Edge Node Compromise8.73.7Unchanged
Insider Attack7.32.8Unchanged
Lateral Movement8.92.0Unchanged
Data Injection7.93.0Unchanged
Unauthorized Device Access8.92.0Unchanged

Across all evaluated scenarios, the relative ordering between traditional perimeter-based and Zero-Trust architectures remains unchanged. This confirms that the comparative exposure differences are structurally driven by architectural properties rather than artifacts of equal weighting. The equal-weight formulation therefore provides a balanced and methodologically neutral aggregation within the defined rubric.

5.1.3.
Scoring Anchors and Evaluation Logic

To promote methodological clarity and reproducibility, explicit scoring anchors are defined for each criterion.

1. Attack Surface Exposure (AS)

This criterion reflects the extent to which system components become reachable or indirectly exposed under a given attack scenario.

  • 0-2: Strong segmentation with tightly restricted communication paths; minimal reachable components.

  • 3-5: Partial segmentation; limited cross-layer exposure under defined policies.

  • 6-8: Broad internal connectivity; implicit trust relationships remain present.

  • 9-10: Flat or weakly segmented structure; extensive internal reachability once initial access is obtained.

2. Authentication and Access Control Strength (AC)
  • 0-2: Continuous authentication, identity-aware policy enforcement, and strict least-privilege access.

  • 3-5: Strong authentication with moderate contextual adaptation; partially granular authorization.

  • 6-8: Primarily static authentication; coarse access control; internal trust after entry.

  • 9-10: Limited identity validation and broad privilege allocation.

3. Lateral Movement Potential (LM)
  • 0-2: Micro-segmentation and continuous authorization significantly restrict internal traversal.

  • 3-5: Controlled segmentation with limited cross-segment movement possible.

  • 6-8: Weak segmentation; multiple components reachable post-compromise.

  • 9-10:Unrestricted internal propagation due to flat network structure.

Scores are assigned by systematically analysing architectural topology, segmentation structure, identity enforcement mechanisms, and post-compromise communication constraints. Equal weighting is applied to maintain methodological neutrality and avoid overemphasizing any single dimension.

The resulting values should be interpreted strictly as rubric-driven architectural indicators rather than empirical vulnerability measurements or deployment-specific performance metrics.

5.1.4.
Scenario-Level Scoring Traceability and Justification

To strengthen transparency and reproducibility, this subsection explicitly links scenario-level scores to the anchor bands defined in Section 5.1. Table no. 2 summarizes the architectural reasoning underlying the assigned values.

Table no. 2

Scenario-Level Scoring Justification Matrix (Architecture-Level Assessment)

Attack ScenarioArchitectureASACLMArchitectural Justification
Sensor SpoofingTraditional IoT878Broad internal reachability following initial access corresponds to the 6-8 AS anchor band defined in Section 5; primarily static device authentication with implicit post-entry trust corresponds to the 6-8 AC anchor band; weak internal containment and multi-component exposure correspond to the 6-8 LM anchor band.
Zero-Trust IoT323Logical segmentation limiting cross-layer exposure corresponds to the 3-5 AS anchor band; continuous device identity verification and least-privilege enforcement correspond to the 0-2 AC anchor band; restricted traversal enforced by repeated authorization checks corresponds to the 0-2 LM anchor band.
Edge Node CompromiseTraditional IoT988Elevated privilege potential combined with weak segmentation corresponds to the 9-10 AS anchor band; coarse-grained access control and static authentication correspond to the 6-8 AC anchor band; limited containment once compromise occurs corresponds to the 6-8 LM anchor band.
Zero-Trust IoT434Controlled segmentation boundaries and policy-enforced isolation correspond to the 3-5 AS anchor band; context-aware authorization corresponds to the 3-5 AC anchor band; limited cross-segment propagation under enforced policies corresponds to the 3-5 LM anchor band.
Insider AttackTraditional IoT778Implicit internal trust relationships correspond to the 6-8 AS anchor band; primarily static authentication with broad internal privileges corresponds to the 6-8 AC anchor band; extensive internal traversal capability corresponds to the 6-8 LM anchor band.
Zero-Trust IoT323Segmentation that restricts domain-level exposure corresponds to the 3-5 AS anchor band; continuous verification of user and device identity corresponds to the 0-2 AC anchor band; constrained lateral movement enforced through micro-segmentation corresponds to the 0-2 LM anchor band.
Lateral MovementTraditional IoT989Flat or weakly segmented topology corresponds to the 9-10 AS anchor band; static trust after entry corresponds to the 6-8 AC anchor band; unrestricted internal propagation pathways correspond to the 9-10 LM anchor band.
Zero-Trust IoT222Micro-segmentation restricting reachable components corresponds to the 0-2 AS anchor band; continuous authentication and least-privilege enforcement correspond to the 0-2 AC anchor band; repeated authorization checks that prevent cross-domain traversal correspond to the 0-2 LM anchor band.
Data InjectionTraditional IoT878Limited validation controls and broad system connectivity correspond to the 6-8 AS anchor band; primarily static access enforcement corresponds to the 6-8 AC anchor band; weak containment once malicious data is introduced corresponds to the 6-8 LM anchor band.
Zero-Trust IoT333Segmented communication pathways correspond to the 3-5 AS anchor band; identity-bound communication policies correspond to the 3-5 AC anchor band; restricted cross-segment propagation corresponds to the 3-5 LM anchor band.
Unauthorized Device AccessTraditional IoT989Weak device identity validation and broad internal exposure correspond to the 9-10 AS anchor band; static authentication mechanisms correspond to the 6-8 AC anchor band; extensive internal traversal capability corresponds to the 9-10 LM anchor band.
Zero-Trust IoT222Strong device identity enforcement limiting reachable components corresponds to the 0-2 AS anchor band; continuous authentication and strict least-privilege access correspond to the 0-2 AC anchor band; segmentation-enforced traversal constraints correspond to the 0-2 LM anchor band.

The final scenario-level risk scores reported in Table no. 1 are derived from equal-weight aggregation of the anchored AS, AC, and LM values. Because each assigned score is explicitly mapped to defined rubric bands, the aggregated results are traceable to structured architectural assumptions. While alternative expert interpretations may produce minor ordinal variation, the comparative relationship between traditional and Zero-Trust architectures remains structurally consistent within the defined framework.

5.2.
Attack Surface Analysis

In addition to the scenario-based risk scores presented earlier, a broader architectural comparison is conducted to examine differences in attack surface characteristics between traditional perimeter-based IoT systems and the proposed Zero-Trust IoT architecture. While the previous subsection focused on structured ordinal scoring, this analysis considers how structural connectivity, segmentation boundaries, and containment mechanisms influence overall exposure and recovery behaviour. The purpose of this comparison is not to simulate a specific operational deployment, but to provide a transparent, assumption-driven architectural contrast grounded in clearly stated modelling conditions.

5.2.1.
Node Exposure

For comparative consistency, a reference defence IoT deployment consisting of approximately 120 interconnected components is assumed. These components represent a realistic mix of distributed sensors, edge processing devices, communication nodes, and command-and-control elements typically found in mission-oriented defence or public security IoT environments.

Under a conventional perimeter-based architecture, security enforcement is primarily concentrated at the network boundary. Once an attacker gains internal access – for example, through a compromised sensor or credential – internal communication pathways may remain broadly accessible due to implicit trust relationships. In architectures with limited segmentation, this can allow substantial portions of the network to become reachable after the initial breach. Within the reference deployment model, this structural assumption corresponds to near-complete internal exposure, reflected as an estimated 120 potentially reachable nodes.

In contrast, the proposed Zero-Trust architecture assumes logical micro-segmentation across functional domains. For modelling clarity, the 120-node system is conceptually divided into multiple isolated segments, such as sensor clusters, edge processing groups, and command subsystems. Communication between these segments is governed by identity-aware authorization policies and continuous verification mechanisms.

Under these assumptions:

  • A compromise within one segment primarily affects components inside that segment.

  • Cross-segment communication requires explicit authorization.

  • Continuous access validation limits unrestricted traversal.

Given this segmentation structure, the number of nodes realistically reachable following an initial compromise is significantly constrained. Within the defined architectural model, reachable components are estimated to fall within a limited subset of the total deployment. For illustrative consistency in the comparative table, this subset is represented as approximately 45 nodes a midpoint estimate derived from segmentation and policy enforcement assumptions rather than a measured operational statistic.

These exposed-node values should therefore be interpreted as structural modelling estimates used for architectural comparison, not as empirical breach data.

5.2.2.
Lateral Movement

Lateral movement describes the ability of an attacker to propagate through system components after obtaining an initial foothold. In perimeter-based IoT architectures, authentication typically occurs at the point of network entry. Once inside, communication between devices and subsystems may proceed with minimal additional validation. This structural property increases the risk of multi-stage compromise, allowing attackers to traverse interconnected components with relatively limited resistance. The Zero-Trust architecture, by contrast, embeds identity verification and authorization checks throughout all communication layers. Micro-segmentation restricts inter-domain connectivity, and each access request is evaluated independently. As a result, even after a successful breach, attacker mobility is constrained by explicit policy enforcement rather than implicit internal trust. Within the defined modelling assumptions, lateral propagation is therefore considered substantially more limited in the Zero-Trust configuration than in the traditional perimeter-based model.

5.2.3.
Recovery Time

Recovery time represents the estimated duration required to restore operational integrity following detection of a security incident. The values presented in the comparative analysis reflect structural containment assumptions and incident isolation capabilities rather than measured operational recovery durations. In traditional architectures, broader internal exposure may require system-wide inspection and remediation, potentially increasing recovery complexity. Limited segmentation can expand the scope of affected components, leading to longer containment and verification cycles. In contrast, the Zero-Trust architecture supports compartmentalized containment through distributed monitoring, granular access logging, and logical isolation of system segments. These structural features reduce the scope of investigation and enable more targeted remediation actions. Within the reference deployment model, this containment advantage is represented as a comparatively shorter recovery interval. It is important to emphasize that recovery time values are conceptual architectural estimates intended for structured comparison. They should not be interpreted as operational performance benchmarks or deployment-specific measurements.

6.
Results and Analysis

This section presents the results of the structured scenario-based architectural assessment comparing traditional perimeter-based IoT architectures with the proposed Zero-Trust IoT framework. The analysis focuses on relative security exposure, scenario-level risk reduction, and architecture-level containment capability across representative defence IoT attack scenarios. The reported values are derived from the defined scoring model and reflect comparative architectural characteristics rather than empirical system measurements.

6.1.
Security Risk Comparison

Figure no. 3 presents the comparative scenario-level risk scores assigned to traditional perimeter-based IoT and the proposed Zero-Trust IoT architectures across six representative defence attack scenarios: sensor spoofing, edge node compromise, insider attacks, lateral movement, data injection, and unauthorized device access. These scenarios reflect structurally relevant cyber-physical threat patterns within distributed defence and public security IoT environments. Within the defined rubric-driven architectural assessment framework, the traditional perimeter-based model corresponds to higher relative exposure scores across all evaluated scenarios. Under the stated modelling assumptions, these higher scores align with anchor bands associated with broader internal reachability, reliance on static trust relationships following initial authentication, and comparatively weaker structural containment once perimeter controls are bypassed. In contrast, the Zero-Trust IoT architecture corresponds to lower relative exposure scores within the same evaluation structure. Under the anchor-based scoring logic defined in Section 5, these lower values align with segmentation boundaries, continuous authentication, identity-aware authorization, and least-privilege enforcement mechanisms that structurally constrain cross-layer communication and internal traversal conditions. The largest comparative differences appear in the lateral movement and unauthorized device access scenarios. Within the defined architectural model, these scenarios are particularly sensitive to segmentation constraints and repeated authorization checks, which influence the assigned rubric-based exposure levels. The reported score differences should be interpreted strictly as model-derived architectural indicators under explicitly defined assumptions. They do not represent empirical breach measurements, operational performance data, or simulation-based validation outcomes. Rather, they reflect comparative structural exposure characteristics within the established ordinal scoring framework.

Figure no. 3:

Security Risk Comparison between Traditional IoT and Zero-Trust IoT Architectures

(Source: Author’s model-derived illustration based on the rubric defined in Section 5)

The figure illustrates the comparative security risk scores derived from the structured scenario-based architectural assessment framework for traditional perimeter-based IoT and the proposed Zero-Trust IoT architectures. The evaluated scenarios include sensor spoofing, edge node compromise, insider attacks, lateral movement, data injection, and unauthorized device access. The plotted values represent rubric-driven comparative scores calculated from the defined evaluation criteria attack surface exposure, authentication and access control strength, and lateral movement potential. These values reflect architecture level assessments within the specified scoring model and do not represent empirical measurements, simulation outputs, or deployment-specific performance data. Lower scores indicate reduced relative structural exposure under the defined assessment assumptions. As shown in Figure no. 3, traditional perimeter-based IoT architectures receive higher relative exposure scores across all evaluated scenarios within the rubric. Under the stated modelling assumptions, these higher values correspond to broader internal reachability, reliance on static trust relationships after entry, and comparatively weaker structural containment mechanisms. In contrast, the proposed Zero-Trust IoT architecture yields consistently lower relative exposure scores within the same evaluation structure. Within the anchor-based scoring logic, these lower values correspond to the presence of continuous authentication, identity-aware authorization, and segmentation controls that structurally constrain cross-layer communication and internal traversal pathways.

The scenario-level scores supporting this comparison are summarized in Table no. 3.

Table no. 3

Security Risk Evaluation Across Defence IoT Attack Scenarios

Attack ScenarioTraditional IoT Risk ScoreZero-Trust IoT Risk ScoreRisk Reduction (%)
Sensor Spoofing8362.50
Edge Node Compromise9455.56
Insider Attack7357.14
Lateral Movement9277.78
Data Injection8362.50
Unauthorized Device Access9277.78

Note: Risk scores are derived from the structured scenario-based architectural scoring model described in Section 5. Scores are assigned on a normalized ordinal scale from 0 (low relative exposure) to 10 (high relative exposure) based on attack surface exposure, authentication and access control strength, and lateral movement potential. Percentage reductions are computed using Equation (A1) and represent comparative model-derived differences rather than empirical measurements.

Table no. 3 presents the scenario-level risk scores assigned to both architectural models using the defined scoring rubric. Across all evaluated attack scenarios, the Zero-Trust IoT architecture receives lower relative exposure scores than the traditional perimeter-based model. These differences reflect the structural characteristics embedded in the Zero-Trust design, including continuous authentication, identity-aware access control, and micro-segmentation. The calculated percentage reductions represent relative improvements in architectural containment capability within the defined evaluation framework. The largest comparative differences are observed in scenarios involving lateral movement and unauthorized device access, where segmentation and continuous authorization mechanisms most directly influence risk exposure.

6.2.
Risk Reduction Performance

To provide a consolidated representation of the comparative assessment, Figure no. 4 illustrates the percentage differences in relative architectural exposure derived from the structured scenario-based scoring model. These values are computed from the scenario-level scores summarized in Table no. 3 using the risk reduction formulation defined in Section 5. Within the rubric-driven aggregation framework, the calculated relative differences range from approximately 55% to 78% across the evaluated defence attack scenarios. The largest percentage differentials appear in the lateral movement and unauthorized device access scenarios. Under the stated architectural assumptions, these scenarios are particularly influenced by segmentation boundaries and repeated authorization checks, which affect the assigned anchor-based exposure levels within the scoring rubric. Comparative differences are also observed in sensor spoofing, insider attack, and data injection scenarios. Although the magnitude of the percentage variation differs across scenarios, the overall pattern within the defined model corresponds to consistently lower aggregated exposure scores for the Zero-Trust architecture relative to the traditional perimeter-based model. These percentage values should be interpreted strictly as model-derived comparative indicators within the established ordinal framework. They do not represent empirical breach probabilities, operational performance benchmarks, or simulation-based validation outcomes. Rather, they reflect differences in aggregated rubric scores under explicitly defined architectural modelling assumptions.

Figure no. 4:

Risk Reduction Achieved by the Zero-Trust IoT Architecture

(Source: Author’s model-derived illustration based on the rubric defined in Section 5)

The figure illustrates the percentage reduction in relative architectural exposure derived from the structured scenario-based scoring model. The values are calculated using the risk reduction formulation defined in Section 5 and represent comparative differences between traditional perimeter-based IoT and the proposed Zero-Trust IoT architectures across representative defence attack scenarios. These percentages reflect model-derived architectural comparisons within the defined rubric and do not constitute empirical measurements or simulation-based validation results. As shown in Figure no. 4, the calculated percentage reduction in relative exposure ranges from approximately 55% to 78% across the evaluated scenarios. The largest relative differences appear in the lateral movement and unauthorized device access scenarios. Within the defined scoring logic, these scenarios are particularly influenced by segmentation boundaries and repeated authorization checks, which affect the assigned exposure levels under the rubric. Relative reductions are also observed in sensor spoofing, insider attack, and data injection scenarios. Although the magnitude of the percentage differences varies across scenarios, the overall pattern within the model reflects consistently lower aggregated exposure scores for the Zero-Trust architecture. These values should be interpreted as aggregated architectural indicators derived from the specified evaluation framework. They illustrate comparative differences in structural exposure characteristics under explicitly defined modelling assumptions.

6.3.
Architecture-Level Security Capability Coverage

While the scenario-level risk scores and percentage comparisons provide a structured view of relative exposure differences, it is also informative to examine the architectural capability dimensions underlying these results. Figure no. 5 presents a comparative illustration of selected security capability categories for traditional perimeter-based IoT systems and the proposed Zero-Trust IoT architecture. The evaluated dimensions include authentication robustness, access control granularity, lateral movement containment, device identity assurance, and system recovery support. The capability levels shown in Figure no. 5 are derived from the same rubric-based framework defined in Section 5 and represent relative architectural coverage within the established ordinal scoring structure. Within this evaluation model, traditional IoT architectures correspond to static authentication mechanisms, coarse-grained authorization, and limited internal segmentation. Under the defined anchor logic, these structural characteristics align with comparatively partial or uneven coverage across capability dimensions associated with containment and internal trust management.

Figure no. 5:

Architecture-Level Security Capability Coverage Comparison

(Source: Author’s model-derived illustration based on the rubric defined in Section 5)

In contrast, the proposed Zero-Trust IoT architecture incorporates continuous authentication, identity-aware authorization, logical micro-segmentation, and distributed monitoring across system layers. Within the rubric framework, these mechanisms correspond to higher relative coverage levels across preventive and containment-oriented capability categories. This architectural perspective complements the earlier scenario level assessment by linking differences in aggregated exposure scores to underlying structural design attributes. Rather than concentrating security enforcement at a single network boundary, the Zero-Trust configuration distributes verification and access control mechanisms across architectural tiers. Within the defined scoring logic, this distributed enforcement corresponds to reduced implicit trust relationships and more constrained internal traversal pathways. The capability coverage differences illustrated in Figure no. 5 should be interpreted strictly as rubric-derived architectural indicators under explicitly stated modelling assumptions. They do not represent empirical performance measurements or deployment-validated benchmarks. Instead, they provide an additional architecture-level perspective on comparative structural resilience characteristics in defence and public security IoT environments.

The figure presents the relative architectural capability coverage scores derived from the structured evaluation rubric described in Section 5. The comparison highlights differences between traditional perimeter-based IoT architectures and the proposed Zero-Trust IoT architecture across selected security capability dimensions, including authentication robustness, access control granularity, lateral movement prevention, device identity assurance, and system recovery support. The scores represent comparative architectural assessments rather than empirical measurements of deployed systems.

As illustrated in Figure no. 5, traditional IoT architectures exhibit uneven coverage across key security capability dimensions within the defined assessment framework. In particular, lower relative scores are assigned to areas such as fine grained access control, lateral movement containment, and device identity assurance. These lower coverage levels reflect structural characteristics associated with perimeter-focused security models and static trust assumptions. In contrast, the proposed Zero-Trust IoT architecture receives higher relative capability coverage scores across the evaluated dimensions within the same rubric. This reflects the integration of continuous authentication, identity-aware authorization, micro-segmentation, and distributed monitoring mechanisms throughout the system layers. The capability differences shown in Figure no. 5 provide architectural context for the comparative risk scores discussed in previous sections. Rather than concentrating security controls at the network boundary, the Zero-Trust model distributes verification and access enforcement mechanisms across all layers, thereby structurally limiting implicit trust relationships and internal attack propagation pathways. These observations should be interpreted as comparative architectural assessments derived from the defined scoring model.

Table no. 4 provides a structured architectural comparison between traditional perimeter-based IoT and the proposed Zero-Trust IoT model under a defined reference deployment scenario. Within this illustrative framework, traditional architectures are associated with broader internal connectivity, resulting in a higher number of potentially reachable components during an attack scenario. In contrast, the Zero-Trust architecture, through segmentation and identity-based access enforcement, reduces the number of accessible components under the same structural assumptions. Similarly, differences in estimated recovery intervals reflect the architectural capacity for compartmentalization and continuous monitoring. Distributed containment mechanisms and segmentation policies in the Zero-Trust model correspond to more localized isolation and narrower recovery scope within the defined evaluation logic. These values should be interpreted as structured architectural comparisons derived from the evaluation framework described in Section 5 rather than as empirical performance metrics from operational deployments.

Table no. 4

Architectural Attack Surface Comparison Between Traditional and Zero-Trust IoT Models

ArchitectureExposed Nodes*Authentication ModelLateral Movement PossibleEstimated Recovery Interval (hrs)**
Traditional IoT120Static / Perimeter-BasedYes10-15
Zero-Trust IoT45Continuous / Identity-BasedNo (restricted by segmentation)2-5
*

Exposed nodes are derived from a reference architectural scenario assuming an illustrative defence IoT deployment consisting of approximately 120 interconnected components (sensors, edge nodes, and command elements). The values represent model-based comparative estimates of reachable components under each architectural paradigm rather than empirical deployment counts.

**

Estimated recovery interval reflects structured architectural assumptions regarding containment visibility and segmentation-based isolation capabilities. These values represent comparative model-derived interval estimates within the defined evaluation framework and do not correspond to measured operational recovery durations.

7.
Implications for Defence and Public Administration

The architectural assessment presented in this study offers several implications for defence organizations and public administration systems that increasingly depend on interconnected IoT infrastructures. In military environments, a defence-oriented Zero-Trust IoT architecture can contribute to improved structural resilience by reducing implicit trust relationships and limiting the potential impact of localized system compromises. Mechanisms such as continuous authentication, identity-centric access control, and network micro-segmentation provide architectural safeguards that constrain internal attack propagation and support containment under adverse conditions. Such characteristics are particularly relevant for modern military operations that rely on distributed sensing, real-time data processing, and rapid decision-making in contested and dynamic environments. Beyond military applications, the proposed framework has relevance for civil-military cooperation and broader public security ecosystems. Public administration systems involved in border management, disaster response, critical infrastructure protection, and emergency coordination increasingly integrate IoT platforms that must function securely across institutional and jurisdictional boundaries. A Zero-Trust approach can provide a structured security foundation that supports controlled information exchange while maintaining accountability and consistent access enforcement across multiple agencies. By emphasizing least privilege principles and continuous verification, the architecture may help reduce internal exposure while enabling coordinated operational responses. From a governance perspective, the comparative architectural analysis highlights structural limitations associated with perimeter-based security assumptions in distributed and mission-critical IoT deployments. Incorporating Zero-Trust principles into cybersecurity governance strategies may strengthen policy alignment with evolving threat landscapes and regulatory expectations. For defence planners and public sector decision-makers, the findings suggest that architecture-centric security design can serve as a foundational component in the modernization of defence and public security infrastructures, particularly where resilience and containment capability are strategic priorities.

8.
Limitations and Future Work

While this study presents a structured architectural assessment of Zero-Trust IoT models for defence and public security systems, several limitations should be acknowledged to clarify the scope of the findings.

First, the evaluation is based on a scenario-driven comparative risk assessment framework rather than empirical data collected from operational deployments. This methodological choice reflects practical constraints commonly encountered in defence and public security research, where access to real-world system configurations and performance data is often restricted due to confidentiality and security considerations. The adopted approach enables a transparent and reproducible architectural comparison, but it necessarily abstracts from system specific implementations and mission-dependent operational conditions.

Second, the proposed architecture has not been validated through large-scale simulation or real-world field deployment within the scope of this study. Consequently, performance-related parameters such as communication latency, computational overhead, resource utilization, and scalability under sustained operational workloads are not explicitly quantified. Security mechanisms such as continuous authentication, policy enforcement at the edge layer, and network micro-segmentation may introduce additional processing overhead. Balancing these mechanisms with real-time operational requirements remains an important direction for future implementation-focused research.

Scalability considerations also warrant further investigation. Deploying identity-centric controls and segmentation policies in large-scale IoT ecosystems involving thousands of heterogeneous devices may present integration and management challenges that extend beyond the architectural scope analysed here. It is also important to emphasize that the reported risk scores represent relative architectural exposure levels derived from the defined scoring rubric. They should not be interpreted as absolute measures of system vulnerability or as direct indicators of operational performance. Instead, they provide a structured comparative perspective on how different security paradigms influence containment and exposure characteristics. Future research can extend this work through simulation-based experimentation, controlled testbed validation, and performance benchmarking under dynamic and mission representative conditions. The incorporation of automated threat detection, artificial intelligence-based anomaly detection, and explainable security analytics into the Zero-Trust IoT framework represents another promising direction for enhancing adaptive defence capabilities. Furthermore, validation in joint civil-military and multi-agency operational environments would strengthen the practical applicability and generalizability of the proposed architectural model.

9.
Conclusions

This study examined a critical architectural security challenge in defence and public security IoT environments by proposing a defence-oriented Zero-Trust IoT framework designed to address the structural limitations of traditional perimeter-based security models. As mission-critical IoT systems continue to grow in scale, heterogeneity, and operational complexity, security strategies that rely on implicit internal trust and boundary-focused controls introduce increasing systemic risk. The proposed architecture seeks to mitigate these vulnerabilities by embedding continuous authentication, identity-aware access control, least-privilege enforcement, and logical micro-segmentation across the sensor, edge, network, and command-and-control layers. Rather than concentrating protection at the network perimeter, security enforcement is distributed throughout the system, enabling structured containment of threats and reducing uncontrolled internal propagation. To analyse the comparative security characteristics of this design, a structured scenario-based architectural evaluation framework was developed. The assessment focused on architecture-level properties attack surface exposure, authentication robustness, and lateral movement containment without relying on deployment-specific datasets or simulation outputs. Within the defined scoring rubric, the Zero-Trust architecture consistently exhibited lower relative exposure scores across all evaluated defence IoT threat scenarios. The comparative model indicated an average reduction in relative architectural exposure of approximately 65% under the assumptions of the defined framework, with the most notable differences observed in lateral movement and unauthorized device access scenarios. These findings should be interpreted as structured architectural indicators derived from the established evaluation logic rather than as empirical performance measurements. Nevertheless, they suggest that systematically embedding Zero-Trust principles into defence and public administration IoT infrastructures may strengthen structural resilience, reduce implicit trust relationships, and enhance containment capability in adversarial environments. By combining a defence-layered architectural model with a transparent and reproducible comparative assessment methodology, this work contributes an architecture-centric perspective to the ongoing evolution of secure IoT systems in mission-sensitive domains. Future research can build upon this foundation through simulation-based validation, controlled testbed experimentation, scalability analysis, and real-world deployment studies to further examine operational performance and implementation considerations.

DOI: https://doi.org/10.2478/bsaft-2026-0008 | Journal eISSN: 3100-5098 | Journal ISSN: 3100-508X
Language: English
Page range: 101 - 125
Submitted on: Jan 10, 2026
Accepted on: Mar 13, 2026
Published on: Jun 24, 2026
In partnership with: Paradigm Publishing Services
Publication frequency: 2 issues per year

© 2026 Aswin KARKADAKATTIL, published by Nicolae Balcescu Land Forces Academy
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License.