Secure IoT Systems Gain Layered Protection Via Trusted Hardware and Software

Researchers are increasingly focused on bolstering the security of the Internet of Things (IoT) as vulnerabilities multiply across diverse operational environments. Muhammad Imran of the Universidade da Coruña, with collaborators, presents a security framework that integrates Trusted Execution Environments, semantic middleware, and blockchain technologies to address these challenges. The work systematically analyses architectural patterns from more than twenty recent studies and existing standards and proposes a layered security architecture that combines hardware-rooted trust, zero-trust principles, and semantic security mechanisms. Its significance lies in its attention to practical implementation, including performance overhead, interoperability, and regulatory compliance, all crucial for real-world IoT deployments, and it is supported by quantitative metrics on cryptographic performance on Cortex-M microcontrollers, detection accuracy, and energy consumption. The proposed cross-layer integration offers a defence-in-depth approach suited to resource-constrained IoT devices, and the paper closes with future research directions such as post-migration security and automated compliance verification.

The architecture places hardware-rooted trust at the device level, zero-trust principles at the network level, and semantic security mechanisms at the application level, with attention throughout to practical implementation. The authors argue that cross-layer integration can deliver defence in depth within the limits of resource-constrained IoT environments, and back this with quantitative metrics: cryptographic performance on Cortex-M class microcontrollers, detection accuracy rates, and energy consumption figures.

The rapid growth of IoT deployments introduces security challenges that traditional IT security architectures cannot fully address: resource-constrained devices, heterogeneous communication protocols, and distributed cloud and edge architectures all enlarge the attack surface, and a compromise can have consequences in the physical world. Against the IoT Security Foundation best-practice guidelines, the proposed architecture reaches an 82% compliance rate, compared with 65% for conventional approaches and 78% for cloud-centric models. A comparison with perimeter-based and cloud-centric architectures on regulatory compliance gives the proposed design 87%, against 70% and 85% for the alternatives. The perimeter-based approach scores only 60% on attack resistance because it does little against insider threats and compromised devices, while the cloud-centric model's lower regulatory score stems mainly from data sovereignty and privacy concerns. In the detailed evaluation the architecture performs strongly on identity and access management, data protection, and resistance to common attacks; update management scores slightly lower because supporting secure updates across diverse IoT environments is complex.
Initialising the Trusted Execution Environment adds an 8.2% energy overhead and a 45 ms processing delay, mostly from the secure boot process and the establishment of the secure execution environment itself. Secure communication adds a 6.5% energy overhead and 32 ms of latency for cryptographic operations and protocol exchanges. Blockchain-related operations are the most demanding, raising energy consumption by 15.3% and adding an average latency of 320 ms, reflecting the cost of consensus and cryptographic verification. Semantic processing adds a 9.8% energy overhead and an average delay of 85 ms for text analysis and context reasoning. Scalability tests with up to 10,000 simulated devices show stable performance up to 5,000 devices and a gradual decline beyond that, with the blockchain component becoming the main scalability limit around 7,500 devices, consistent with known limits of distributed consensus mechanisms.

The architecture supports compliance with regulations such as GDPR and CCPA through automated compliance checking against ontology-based policy representations, enabling continuous verification and automatic generation of compliance evidence.

Trusted Execution Environments (TEEs) provide hardware-enforced isolation for security-critical operations. Arm TrustZone, widely available in Cortex-A processors and, as TrustZone for Armv8-M, in Cortex-M processors, splits the processor into a secure and a non-secure world, so sensitive code and data stay protected even if the rich operating system is compromised. Semantic middleware addresses interoperability in IoT systems while adding security capabilities; the Semantic IoT Middleware (SIM) combines blockchain technology with AI-based context awareness for secure data management.
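A worked illustration of the hardware-rooted chain of trust that the TEE and secure-boot discussion above relies on, added here and not code from the paper: a device key derived from a PUF response, a measured boot that extends a register over each stage, an attestation quote over the result, and an update check that refuses downgrades (the device requirements the architecture lists later: measured launch, protected keys, rollback protection). Everything is simulated in Python. The PUF response, boot images, keys and the symmetric tag standing in for the vendor's signature are constructed assumptions, and on a real device the golden measurement, rollback counter and keys would live in hardware-protected storage rather than a plain object.

```python
import hashlib
import hmac
from dataclasses import dataclass


def sha256(data):
    return hashlib.sha256(data).digest()


def derive_device_key(puf_response, purpose):
    """Per-purpose key from a PUF response that never leaves the chip, so no
    long-term secret sits in flash. HMAC stands in for a hardware KDF
    (assumption)."""
    return hmac.new(puf_response, purpose, hashlib.sha256).digest()


def extend(measurement, component):
    """TPM-style extend, M' = H(M || H(component)): order-sensitive, so a
    patched or swapped stage changes every later value."""
    return sha256(measurement + sha256(component))


def measured_boot(stages):
    """Each boot stage measures the next before handing over control."""
    measurement = bytes(32)
    for stage in stages:
        measurement = extend(measurement, stage)
    return measurement


def quote(attest_key, measurement, nonce):
    """Attestation evidence bound to the device key and a verifier nonce."""
    return hmac.new(attest_key, measurement + nonce, hashlib.sha256).digest()


@dataclass
class SecureStorage:
    """State a real device keeps in hardware-protected storage: a reference
    measurement, a monotonic counter and the update verification key
    (plain attributes here, an assumption)."""
    golden_measurement: bytes
    rollback_counter: int
    update_key: bytes


def manifest_tag(key, version, image_hash):
    """Symmetric tag standing in for the vendor's signature (assumption); the
    version is bound into it so it cannot be edited independently."""
    return hmac.new(key, version.to_bytes(4, "big") + image_hash,
                    hashlib.sha256).digest()


def verify_update(store, version, image, tag):
    """Accept only an authentic image that is newer than the stored counter."""
    expected = manifest_tag(store.update_key, version, sha256(image))
    if not hmac.compare_digest(expected, tag):
        return "rejected: bad tag"
    if version <= store.rollback_counter:
        return "rejected: rollback"
    store.rollback_counter = version   # advance only after every check passes
    return "accepted"


def demo():
    """Constructed scenario: honest boot, tampered boot, update, downgrade."""
    puf = b"constructed-puf-response-0123456789"
    attest_key = derive_device_key(puf, b"attestation")
    stages = [b"bootrom-v1", b"bootloader-v2", b"app-fw-v2"]
    tampered = [b"bootrom-v1", b"bootloader-v2", b"app-fw-v2-patched"]
    store = SecureStorage(golden_measurement=measured_boot(stages),
                          rollback_counter=2,
                          update_key=b"constructed-vendor-update-key")
    nonce = b"verifier-nonce-01"
    expected_quote = quote(attest_key, store.golden_measurement, nonce)
    out = {
        "boot_ok": measured_boot(stages) == store.golden_measurement,
        "boot_tampered": measured_boot(tampered) == store.golden_measurement,
        "quote_ok": hmac.compare_digest(
            quote(attest_key, measured_boot(stages), nonce), expected_quote),
        "quote_tampered": hmac.compare_digest(
            quote(attest_key, measured_boot(tampered), nonce), expected_quote),
    }
    v3, v2 = b"app-fw-v3", b"app-fw-v2"
    out["update_v3"] = verify_update(store, 3, v3, manifest_tag(store.update_key, 3, sha256(v3)))
    out["downgrade_v2"] = verify_update(store, 2, v2, manifest_tag(store.update_key, 2, sha256(v2)))
    out["forged_v9"] = verify_update(store, 9, b"unsigned-image", bytes(32))
    out["counter"] = store.rollback_counter
    return out
```

Two details carry the security point. The downgrade to v2 is rejected although its tag is perfectly valid, because authenticity and freshness are separate checks and the counter advances only after both pass; and a patched application stage changes the final measurement even though the earlier stages are untouched, so the quote the device produces no longer matches what the verifier expects.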
This framework uses a canonical ontology to keep data consistent and applies cryptographic mechanisms to protect data integrity, providing tools for information collection and processing. By attaching semantic metadata that describes each item's origin and meaning, the system can share information securely and run combined analyses across distributed devices. In IoT domains that handle unstructured text, models such as SynNER improve the extraction of security-related entities, and recent LLM-based dependency parsing for code-switched text extends this to mixed-language input, supporting better contextual awareness. Data quality and trustworthiness matter in threat intelligence too: automated data-quality assessment frameworks reduce false positives and raise confidence in AI-based security analysis.

The zero-trust architecture follows the principle of "never trust, always verify": no entity or endpoint is implicitly trusted because of its network location. In IoT security this means authenticating every access request, assigning privileges under the least-privilege principle, using microsegmentation to isolate network segments, and continuously monitoring device behaviour. In decentralised IoT environments without a central authority, blockchain technology provides a foundation for distributed trust, supporting cryptographically secure device identities, tamper-resistant audit records, and access control managed through consensus mechanisms. The Semantic IoT Middleware uses blockchain to improve data provenance and integrity, and other research applies it to specific security goals such as verifying device authenticity and securing firmware update delivery.

Recent research targets holistic security architectures that protect IoT systems across their entire lifecycle. Naik et al. propose a framework for product lifecycle information management (PLIM) that integrates identity and access management across diverse IoT deployments, emphasising that security must remain active from device manufacturing to decommissioning. Chandu et al. present a layered security model addressing threats at the perception, network, and application levels and highlight metaheuristic algorithms for secure routing in resource-limited environments, in line with a 2023 standard that recognises that improving security often reduces performance, energy efficiency, or processing capacity.

The proposed IoT security architecture integrates five key components into a cohesive framework: hardware-rooted trust, secure communication, a zero-trust control plane, semantic security middleware, and blockchain-based integrity verification. The perception layer comprises sensors, actuators, and embedded devices with hardware-based security features; devices handling sensitive data require a Trusted Execution Environment (TEE), applying the Fortress design principles for peripheral protection. Each device has a unique hardware identity, preferably derived from a Physical Unclonable Function (PUF) or a hardware security module (HSM), giving a reliable root of trust for device identification and authentication. Device security requirements follow the IoT Security Foundation guidelines: secure boot with measured launch integrity, hardware-protected storage for cryptographic keys, tamper detection and response, and secure firmware update mechanisms with rollback protection. Anchoring security in the physical hardware establishes a chain of trust across the IoT ecosystem and enables reliable authentication and operation in untrusted or adversarial network environments.
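The zero-trust flow described above (attest, then grant least privilege inside a segment, then keep watching) as an added Python example, not code from the paper; it also shows the attestation-before-access step that the software-defined perimeter at the network layer requires. The device registry, firmware allowlist, policy table and rate threshold are constructed. A shared HMAC key plays the role of the per-device attestation key that a real deployment would anchor in a PUF or TEE, and the nonce issued by the verifier is what makes a captured attestation message useless for replay.

```python
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass, field

# Constructed registry: per-device attestation key and role. A real verifier
# would hold a public key whose private half lives in the device's PUF/TEE;
# a shared HMAC key stands in for it here (assumption).
DEVICE_REGISTRY = {
    "sensor-0042": {"key": b"k-sensor-0042", "role": "sensor"},
    "valve-0007": {"key": b"k-valve-0007", "role": "actuator"},
}
# Allowlisted firmware measurements (SHA-256 of the image) define "compliant".
KNOWN_GOOD_FIRMWARE = {hashlib.sha256(b"sensor-fw-v2.1").hexdigest(),
                       hashlib.sha256(b"actuator-fw-v1.4").hexdigest()}
# Least privilege: each role gets only the (resource, action) pairs it needs.
POLICY = {"sensor": {("telemetry", "publish")},
          "actuator": {("telemetry", "publish"), ("commands", "subscribe")}}
# Microsegmentation: compliant devices join a role segment; anything else is
# quarantined, where only the update service is reachable.
SEGMENT_FOR_ROLE = {"sensor": "seg-telemetry", "actuator": "seg-control"}
QUARANTINE = "seg-quarantine"
QUARANTINE_POLICY = {("updates", "fetch")}
RATE_LIMIT, WINDOW_SECONDS = 5, 60   # burst threshold for continuous monitoring


@dataclass
class DeviceState:
    segment: str = QUARANTINE
    attested: bool = False
    nonce: bytes = b""                   # outstanding challenge, single use
    recent: deque = field(default_factory=deque)


class ZeroTrustGate:
    """Every request is evaluated explicitly; nothing is trusted by default."""

    def __init__(self):
        self.state = {dev: DeviceState() for dev in DEVICE_REGISTRY}

    def issue_nonce(self, device_id):
        nonce = secrets.token_bytes(16)
        self.state[device_id].nonce = nonce
        return nonce

    @staticmethod
    def attestation_mac(key, device_id, fw_hash, nonce):
        msg = device_id.encode() + fw_hash.encode() + nonce
        return hmac.new(key, msg, hashlib.sha256).digest()

    def attest(self, device_id, fw_hash, nonce, mac):
        """SDP-style admission: verify the evidence, then assign a segment."""
        st, reg = self.state.get(device_id), DEVICE_REGISTRY.get(device_id)
        if st is None or reg is None or not st.nonce or nonce != st.nonce:
            return QUARANTINE            # unknown device or replayed nonce
        st.nonce = b""
        expected = self.attestation_mac(reg["key"], device_id, fw_hash, nonce)
        if not hmac.compare_digest(expected, mac):
            st.attested, st.segment = False, QUARANTINE
            return QUARANTINE
        st.attested = True
        st.segment = (SEGMENT_FOR_ROLE[reg["role"]]
                      if fw_hash in KNOWN_GOOD_FIRMWARE else QUARANTINE)
        return st.segment

    def authorize(self, device_id, resource, action, now):
        """Per-request decision; a burst demotes the device to quarantine."""
        st = self.state.get(device_id)
        if st is None or not st.attested:
            return False
        st.recent.append(now)
        while now - st.recent[0] > WINDOW_SECONDS:
            st.recent.popleft()
        if len(st.recent) > RATE_LIMIT:
            st.segment = QUARANTINE      # continuous monitoring in action
        allowed = (QUARANTINE_POLICY if st.segment == QUARANTINE
                   else POLICY[DEVICE_REGISTRY[device_id]["role"]])
        return (resource, action) in allowed


def demo():
    """One constructed scenario; returns every decision for inspection."""
    gate, out = ZeroTrustGate(), {}
    good_fw = hashlib.sha256(b"sensor-fw-v2.1").hexdigest()
    n = gate.issue_nonce("sensor-0042")
    mac = gate.attestation_mac(b"k-sensor-0042", "sensor-0042", good_fw, n)
    out["sensor_segment"] = gate.attest("sensor-0042", good_fw, n, mac)
    out["sensor_publish"] = gate.authorize("sensor-0042", "telemetry", "publish", 100.0)
    out["sensor_subscribe"] = gate.authorize("sensor-0042", "commands", "subscribe", 101.0)
    out["replay"] = gate.attest("sensor-0042", good_fw, n, mac)
    bad_fw = hashlib.sha256(b"actuator-fw-backdoored").hexdigest()  # right key, unknown image
    n2 = gate.issue_nonce("valve-0007")
    mac2 = gate.attestation_mac(b"k-valve-0007", "valve-0007", bad_fw, n2)
    out["valve_segment"] = gate.attest("valve-0007", bad_fw, n2, mac2)
    out["valve_subscribe"] = gate.authorize("valve-0007", "commands", "subscribe", 102.0)
    out["valve_update"] = gate.authorize("valve-0007", "updates", "fetch", 103.0)
    out["burst"] = [gate.authorize("sensor-0042", "telemetry", "publish", 110.0 + i)
                    for i in range(6)]
    return out
```

The valve case is the one worth studying: its key is genuine, so the attestation MAC verifies, but its firmware measurement is not on the allowlist, so it lands in quarantine and can reach only the update service. The compliant sensor, in turn, loses its segment after a burst of requests, which is the "continuous monitoring" part of the model: admission is never a one-time decision.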
The network layer enforces the zero-trust model through microsegmentation, cryptographically secured communication, and continuous authentication. It integrates software-defined perimeter (SDP) mechanisms that require explicit device attestation before any network access is granted, so critical infrastructure stays hidden from non-compliant devices. Microsegmentation places devices in isolated segments according to device type, operational role, and compliance status, limiting lateral movement after a compromise.

The relentless expansion of the Internet of Things has outpaced our ability to secure it. The tension is fundamental: billions of connected devices, often resource-constrained and deployed in unpredictable environments, must be protected from increasingly sophisticated attacks. This work offers a compelling architectural response, moving beyond fragmented point solutions to a layered framework that integrates trusted execution environments, semantic middleware, and blockchain technologies. What distinguishes the approach is its emphasis on practical implementation: limited processing power, tight energy budgets, and the need for interoperability are addressed directly, with performance measured on common microcontrollers. Future work must track the evolving threat landscape, particularly the migration to post-quantum cryptography, since the success of this, or any, IoT security framework will depend not only on technical merit but on widespread adoption and ongoing adaptation.

👉 More information
🗞 Architecting Trust: A Framework for Secure IoT Systems Through Trusted Execution and Semantic Middleware
🧠 ArXiv: https://arxiv.org/abs/2602.10762

Rohail T.

As a quantum scientist exploring the frontiers of physics and technology. My work focuses on uncovering how quantum mechanics, computing, and emerging technologies are transforming our understanding of reality. I share research-driven insights that make complex ideas in quantum science clear, engaging, and relevant to the modern world.