Zero Trust Architecture for Smart Factories: Securing Digital Twins and Cyber-Physical OT Systems
DOI:
https://doi.org/10.63282/3050-9262.IJAIDSML-V7I2P109Keywords:
Zero Trust Architecture, Smart Factory Security, Digital Twin Integrity, OT-IT Convergence, IEC 62443, Hardware Root of Trust, Device Identity, PKI, Post-Quantum Cryptography, Matter DAC, MITRE ATT&CK for ICS, Brownfield Deployment, Cyber-Physical Systems, Anomaly DetectionAbstract
The rapid digitization of manufacturing environments has produced highly interconnected cyber-physical ecosystems in which traditional security boundaries no longer hold. Operational Technology (OT) networks once isolated by design now interface with enterprise IT systems, cloud platforms, and AI-driven analytics engines, creating an expanded and heterogeneous attack surface. Perimeter-centric security models, which assume implicit trust within network boundaries, are structurally incapable of addressing this complexity. This paper proposes a comprehensive Zero Trust Architecture (ZTA) tailored for smart factory environments. Five principal contributions are made: (1) an identity-centric trust model anchored in hardware roots of trust and cryptographic device attestation using TPM 2.0 and X.509 certificates, with a PAA-PAI-DAC hierarchy aligned to the CSA Matter specification, and post-quantum cryptographic agility implemented via NIST FIPS 203/204/205; (2) a trust-aware data pipeline that enforces continuous verification at every telemetry stage from field device to cloud analytics and digital twin state; (3) a safety-security co-design framework that reconciles Zero Trust enforcement with the availability and determinism requirements of industrial control systems; (4) a structured threat scenario evaluation anchored to MITRE ATT&CK for ICS techniques T0856, T0859, T0867, and T0862; and (5) a compliance alignment mapping between ZTA principles and IEC 62443 security levels and NIST CSF 2.0 functions. Results demonstrate that identity-centric Zero Trust enforcement significantly reduces the exploitable attack surface while preserving operational continuity in brownfield environments.
References
[1] CISA, "Alert (AA21-131A): DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks," U.S. Cybersecurity and Infrastructure Security Agency, May 2021. [Online]. Available: https://www.cisa.gov/sites/default/files/publications/AA21-131A.pdf
[2] Dragos Inc., "TRISIS/TRITON/HATMAN: Malware That Targets Safety Instrumented Systems," Dragos Industrial Control Systems Threat Intelligence Report, Dec. 2017. [Online]. Available: https://www.dragos.com/resource/trisis/
[3] CISA and NIST, "Cross-Sector Cybersecurity Performance Goals," U.S. Cybersecurity and Infrastructure Security Agency, Oct. 2022. [Online]. Available: https://www.cisa.gov/cross-sector-cpgs
[4] S. Rose, O. Borchert, S. Mitchell, and S. Connelly, "Zero Trust Architecture," NIST Special Publication 800-207, National Institute of Standards and Technology, Gaithersburg, MD, Aug. 2020. doi: 10.6028/NIST.SP.800-207
[5] K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, and A. Hahn, "Guide to Industrial Control Systems (ICS) Security," NIST Special Publication 800-82 Revision 3, National Institute of Standards and Technology, Sep. 2023. doi: 10.6028/NIST.SP.800-82r3
[6] NIST, "The NIST Cybersecurity Framework 2.0," National Institute of Standards and Technology, Gaithersburg, MD, Feb. 2024. doi: 10.6028/NIST.CSWP.29
[7] ICS-CERT, "Industrial Control Systems Cyber Emergency Response Team: Year in Review," U.S. Cybersecurity and Infrastructure Security Agency, Washington, DC, 2022. [Online]. Available: https://www.cisa.gov/resources-tools/resources/ics-cert-year-review
[8] IEC, "IEC 62443 Industrial Communication Networks – IT Security for Networks and Systems," International Electrotechnical Commission, Geneva, Switzerland, 2020 (consolidated series). [Online]. Available: https://www.iec.ch/iecnorm/IEC62443
[9] A. Fuller, Z. Fan, C. Day, and C. Barlow, "Digital Twin: Enabling Technologies, Challenges and Open Research," IEEE Access, vol. 8, pp. 108952–108971, Jun. 2020. doi: 10.1109/ACCESS.2020.2998358
[10] R. Mehta, S. Gupta, and P. Kumar, "Lightweight Zero Trust Framework for Resource-Constrained IIoT Devices," IEEE Internet of Things J., vol. 9, no. 14, pp. 12241–12254, Jul. 2022. doi: 10.1109/JIOT.2021.3138102
[11] L. Huang, F. Zhang, and J. Wang, "Identity-Driven Micro-Segmentation for Operational Technology Network Security," IEEE Trans. Ind. Inform., vol. 18, no. 6, pp. 4025–4034, Jun. 2023. doi: 10.1109/TII.2022.3196504
[12] T. Alladi, V. Chamola, B. Sikdar, and K. R. Choo, "Consumer IoT: Security Vulnerability Case Studies and Solutions," IEEE Consumer Electron. Mag., vol. 9, no. 2, pp. 17–25, Mar. 2020. doi: 10.1109/MCE.2019.2953740
[13] S. Tedeschi, C. Emmanouilidis, J. Mehnen, and R. Roy, "A Design Approach to IoT Endpoint Security for Production Machinery Monitoring," IEEE Internet of Things J., vol. 6, no. 6, pp. 10355–10364, 2020. doi: 10.1109/JIOT.2019.2938152
[14] M. Eckhart and A. Ekelhart, "Towards Security-Aware Virtual Environments for Digital Twins," in Proc. 4th ACM Workshop on Cyber-Physical System Security (CPSS), May 2022, pp. 61–72. doi: 10.1145/3494107.3522773
[15] S. Gilchrist, "Securing IIoT Using Zero Trust Architecture," IEEE Internet of Things Mag., vol. 4, no. 1, pp. 24–29, Mar. 2021. doi: 10.1109/IOTM.0001.2000071
[16] X. Wu, Y. Guo, W. Shi, and D. Zhang, "Digital Twin Networks: A Survey," IEEE Internet of Things J., vol. 8, no. 18, pp. 13789–13804, Sep. 2021. doi: 10.1109/JIOT.2021.3079510
[17] M. Zolanvari, M. A. Teixeira, L. Gupta, K. M. Khan, and R. Jain, "Machine Learning-Based Cyber Attacks Targeting on Controlled and Monitored Systems: A Survey," IEEE Trans. Syst. Man Cybern., Syst., vol. 51, no. 11, pp. 6655–6676, Nov. 2021. doi: 10.1109/TSMC.2020.2973358
[18] R. Pinto and C. Santos, "Securing the Internet of Things: A Survey on Machine Learning-Based Solutions," IEEE Commun. Surv. Tutor., vol. 24, no. 1, pp. 175–219, 2022. doi: 10.1109/COMST.2021.3131384
[19] M. Conti, A. Dehghantanha, K. Franke, and S. Watson, "Internet of Things Security and Forensics: Challenges and Opportunities," Future Gener. Comput. Syst., vol. 78, pp. 544–546, Jan. 2021. doi: 10.1016/j.future.2017.07.060
[20] ENISA, "Cybersecurity of AI and Standardisation," European Union Agency for Cybersecurity, Heraklion, Greece, Mar. 2021. [Online]. Available: https://www.enisa.europa.eu/publications/cybersecurity-of-ai
[21] ENISA, "ENISA Threat Landscape for Industrial Domains," European Union Agency for Cybersecurity, Heraklion, Greece, Jul. 2022. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-industrial-domains
[22] A. Becue, I. Praça, and J. Gama, "Artificial Intelligence, Cyber-Threats and Industry 4.0: Challenges and Opportunities," Artif. Intell. Rev., vol. 54, pp. 3849–3886, Jun. 2021. doi: 10.1007/s10462-020-09942-2
[23] Y. Lu, C. Liu, I. Kevin, K. Wang, and X. Xu, "Digital Twin-Driven Smart Manufacturing: Connotation, Reference Model, Applications and Research Issues," Robot. Comput.-Integr. Manuf., vol. 61, p. 101837, Feb. 2020. doi: 10.1016/j.rcim.2019.101837
[24] R. Bitton et al., "Deriving a Cost-Effective Digital Twin of an ICS to Facilitate Security Evaluation," in Proc. 24th Eur. Symp. Research Comput. Security (ESORICS), Sep. 2020, pp. 533–554. doi: 10.1007/978-3-030-59013-0_26
[25] D. Ramotsoela, A. Abu-Mahfouz, and G. Hancke, "A Survey of Anomaly Detection in Industrial Wireless Sensor Networks with Critical Infrastructure Focus," IEEE Access, vol. 10, pp. 10420–10438, Jan. 2022. doi: 10.1109/ACCESS.2022.3144769
[26] L. Xiao, X. Wan, X. Lu, Y. Zhang, and D. Wu, "IoT Security Techniques Based on Machine Learning," IEEE Signal Process. Mag., vol. 35, no. 5, pp. 41–49, Sep. 2021. doi: 10.1109/MSP.2018.2889635
[27] F. Miao, M. Pajic, and G. J. Pappas, "Coding Schemes for Securing Cyber-Physical Systems Against Stealthy Data Injection Attacks," IEEE Trans. Control Netw. Syst., vol. 8, no. 2, pp. 912–923, Jun. 2020. doi: 10.1109/TCNS.2020.3036755
[28] CISA, "Recommended Cybersecurity Practices for Industrial Control Systems," U.S. Cybersecurity and Infrastructure Security Agency, Washington, DC, 2023. [Online]. Available: https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
[29] E. Sisinni, A. Saifullah, S. Han, U. Jennehag, and M. Gidlund, "Industrial Internet of Things: Challenges, Opportunities, and Directions," IEEE Trans. Ind. Inform., vol. 14, no. 11, pp. 4724–4734, Nov. 2020. doi: 10.1109/TII.2018.2852491
[30] M. Iturbe, I. Garitano, U. Zurutuza, and R. Uribeetxeberria, "Feasibility Study on Network-Based ICS Anomaly Detection Using Autoencoders in a Manufacturing Plant," Secur. Commun. Netw., vol. 2021, art. 5093862, May 2021. doi: 10.1155/2021/5093862
[31] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, "Secure Control Systems: A Quantitative Risk Management Approach," IEEE Control Syst. Mag., vol. 35, no. 1, pp. 24–45, Feb. 2020. doi: 10.1109/MCS.2014.2364709
[32] V. Alagappan, "Zero-Trust in Connected Physical Systems: A Security Blueprint for Smart Homes and Industrial IoT," Int. J. Emerg. Trends Comput. Sci. Inf. Technol., vol. 6, no. 4, 2025. doi: 10.63282/3050-9246.ijetcsit-v6i4p124
[33] V. Alagappan, "AI-Driven Anomaly Detection in IoT-Enabled HVAC and Water Heating Systems," J. Adv. Dev. Res., vol. 16, no. 2, Dec. 2025. doi: 10.71097/ijaidr.v16.i2.1657
[34] V. Alagappan, "A Governance Model for IoT Data in Global Manufacturing," arXiv preprint arXiv:2601.09744, Jan. 2026. doi: 10.48550/ARXIV.2601.09744
[35] V. Alagappan, "Digital Twins as a Platform: A Reference Architecture for Global R&D," Int. J. AI BigData Comput. Manage. Stud., vol. 7, no. 1, 2026. doi: 10.63282/3050-9416.ijaibdcms-v7i1p102
[36] NIST, "Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)," Federal Information Processing Standards Publication 203, National Institute of Standards and Technology, Aug. 2024. doi: 10.6028/NIST.FIPS.203
[37] NIST, "Module-Lattice-Based Digital Signature Standard (ML-DSA)," Federal Information Processing Standards Publication 204, National Institute of Standards and Technology, Aug. 2024. doi: 10.6028/NIST.FIPS.204
[38] NIST, "Stateless Hash-Based Digital Signature Standard (SLH-DSA)," Federal Information Processing Standards Publication 205, National Institute of Standards and Technology, Aug. 2024. doi: 10.6028/NIST.FIPS.205
[39] MITRE, "ATT&CK for Industrial Control Systems," MITRE Corporation, McLean, VA, 2023. [Online]. Available: https://attack.mitre.org/matrices/ics/
[40] Connectivity Standards Alliance, "Matter Specification Version 1.3 Device Attestation and Certificate Management," CSA, Mar. 2024. [Online]. Available: https://csa-iot.org/developer-resource/specifications-download-request/
