Skip to main content
Have a personal or library account? Click to login
A Zero-Trust Iot Security Architecture for Defence and Public Security Systems Cover

A Zero-Trust Iot Security Architecture for Defence and Public Security Systems

Open Access
|Jun 2026

Figures & Tables

Figure no. 1:

Proposed Zero-Trust IoT Architecture for Defence and Public Security Systems (Source: Author’s conceptual architectural mode)

Figure no. 2:

Threat modelling framework for defence IoT systems, illustrating the mapping of representative cyber-physical attack scenarios to IoT system layers and their evaluation using a scenario-based security risk assessment approach (Source: Author’s conceptual architectural mode)

Figure no. 3:

Security Risk Comparison between Traditional IoT and Zero-Trust IoT Architectures (Source: Author’s model-derived illustration based on the rubric defined in Section 5)

Figure no. 4:

Risk Reduction Achieved by the Zero-Trust IoT Architecture (Source: Author’s model-derived illustration based on the rubric defined in Section 5)

Figure no. 5:

Architecture-Level Security Capability Coverage Comparison (Source: Author’s model-derived illustration based on the rubric defined in Section 5)

Scenario-Level Scoring Justification Matrix (Architecture-Level Assessment)

Attack ScenarioArchitectureASACLMArchitectural Justification
Sensor SpoofingTraditional IoT878Broad internal reachability following initial access corresponds to the 6-8 AS anchor band defined in Section 5; primarily static device authentication with implicit post-entry trust corresponds to the 6-8 AC anchor band; weak internal containment and multi-component exposure correspond to the 6-8 LM anchor band.
Zero-Trust IoT323Logical segmentation limiting cross-layer exposure corresponds to the 3-5 AS anchor band; continuous device identity verification and least-privilege enforcement correspond to the 0-2 AC anchor band; restricted traversal enforced by repeated authorization checks corresponds to the 0-2 LM anchor band.
Edge Node CompromiseTraditional IoT988Elevated privilege potential combined with weak segmentation corresponds to the 9-10 AS anchor band; coarse-grained access control and static authentication correspond to the 6-8 AC anchor band; limited containment once compromise occurs corresponds to the 6-8 LM anchor band.
Zero-Trust IoT434Controlled segmentation boundaries and policy-enforced isolation correspond to the 3-5 AS anchor band; context-aware authorization corresponds to the 3-5 AC anchor band; limited cross-segment propagation under enforced policies corresponds to the 3-5 LM anchor band.
Insider AttackTraditional IoT778Implicit internal trust relationships correspond to the 6-8 AS anchor band; primarily static authentication with broad internal privileges corresponds to the 6-8 AC anchor band; extensive internal traversal capability corresponds to the 6-8 LM anchor band.
Zero-Trust IoT323Segmentation that restricts domain-level exposure corresponds to the 3-5 AS anchor band; continuous verification of user and device identity corresponds to the 0-2 AC anchor band; constrained lateral movement enforced through micro-segmentation corresponds to the 0-2 LM anchor band.
Lateral MovementTraditional IoT989Flat or weakly segmented topology corresponds to the 9-10 AS anchor band; static trust after entry corresponds to the 6-8 AC anchor band; unrestricted internal propagation pathways correspond to the 9-10 LM anchor band.
Zero-Trust IoT222Micro-segmentation restricting reachable components corresponds to the 0-2 AS anchor band; continuous authentication and least-privilege enforcement correspond to the 0-2 AC anchor band; repeated authorization checks that prevent cross-domain traversal correspond to the 0-2 LM anchor band.
Data InjectionTraditional IoT878Limited validation controls and broad system connectivity correspond to the 6-8 AS anchor band; primarily static access enforcement corresponds to the 6-8 AC anchor band; weak containment once malicious data is introduced corresponds to the 6-8 LM anchor band.
Zero-Trust IoT333Segmented communication pathways correspond to the 3-5 AS anchor band; identity-bound communication policies correspond to the 3-5 AC anchor band; restricted cross-segment propagation corresponds to the 3-5 LM anchor band.
Unauthorized Device AccessTraditional IoT989Weak device identity validation and broad internal exposure correspond to the 9-10 AS anchor band; static authentication mechanisms correspond to the 6-8 AC anchor band; extensive internal traversal capability corresponds to the 9-10 LM anchor band.
Zero-Trust IoT222Strong device identity enforcement limiting reachable components corresponds to the 0-2 AS anchor band; continuous authentication and strict least-privilege access correspond to the 0-2 AC anchor band; segmentation-enforced traversal constraints correspond to the 0-2 LM anchor band.

Alternative Weighting Verification (AS=0_4, AC=0_3, LM=0_3)

Attack ScenarioTraditional IoTZero-Trust IoTComparative Ordering
Sensor Spoofing7.92.8Unchanged
Edge Node Compromise8.73.7Unchanged
Insider Attack7.32.8Unchanged
Lateral Movement8.92.0Unchanged
Data Injection7.93.0Unchanged
Unauthorized Device Access8.92.0Unchanged

Architectural Attack Surface Comparison Between Traditional and Zero-Trust IoT Models

ArchitectureExposed Nodes*Authentication ModelLateral Movement PossibleEstimated Recovery Interval (hrs)**
Traditional IoT120Static / Perimeter-BasedYes10-15
Zero-Trust IoT45Continuous / Identity-BasedNo (restricted by segmentation)2-5

Security Risk Evaluation Across Defence IoT Attack Scenarios

Attack ScenarioTraditional IoT Risk ScoreZero-Trust IoT Risk ScoreRisk Reduction (%)
Sensor Spoofing8362.50
Edge Node Compromise9455.56
Insider Attack7357.14
Lateral Movement9277.78
Data Injection8362.50
Unauthorized Device Access9277.78
DOI: https://doi.org/10.2478/bsaft-2026-0008 | Journal eISSN: 3100-5098 | Journal ISSN: 3100-508X
Language: English
Page range: 101 - 125
Submitted on: Jan 10, 2026
Accepted on: Mar 13, 2026
Published on: Jun 24, 2026
In partnership with: Paradigm Publishing Services
Publication frequency: 2 issues per year

© 2026 Aswin KARKADAKATTIL, published by Nicolae Balcescu Land Forces Academy
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License.