Abstract

In the Industry 5.0 paradigm, collaborative intelligence, human–machine cooperation, and real-time cognitive automation have increased the dependence of industrial systems on secure and uninterrupted Industrial Internet of Things (IIoT) connectivity. However, this convergence also expands the cyberattack surface and exposes resource-constrained industrial devices to impersonation, replay, man-in-the-middle, rogue gateway, insider, and session-hijacking attacks. Existing authentication schemes mainly focus on initial access verification and often lack continuous Zero Trust enforcement, failure-resilient reconnection, and network-aware runtime validation. To address these limitations, this paper proposes ZT-RIASE, a Zero Trust-resilient identity attestation framework for securing smart industrial IoT environments. ZT-RIASE adopts a hybrid bootstrap–symmetric runtime design, where public-key cryptography is used only during initial device registration and key agreement, while recurring runtime identity attestation, session maintenance, reconnection, and continuous verification rely on lightweight symmetric-key and behavior-based mechanisms. The runtime protocol uses AES-128-GCM, hash/MAC-based integrity verification, nonce–timestamp freshness, and session-continuity tokens to ensure confidentiality, integrity, and replay resistance without repeated public-key operations. To further reduce recurrent authentication overhead, ZT-RIASE introduces Network-Aware Crypto-Behavioral Continuous Authentication (NA-CBCA), which verifies active sessions using token-use regularity, path/gateway consistency, command-access consistency, message-size deviation, request-rate behavior, packet-timing deviation, retransmission/error behavior, and energy/processing deviation.
Timing-sensitive behavioral features are normalized using a network condition index based on RTT, jitter, packet loss, and retransmission rate, thereby reducing false positives under changing industrial network conditions. Performance evaluation using representative constrained-device profiles and ns-3 simulations demonstrates that runtime attestation requires 2.400 ms computation time, 0.625 KB communication overhead, 3.800 KB memory, and 1.998 mJ energy, while NA-CBCA requires only 0.350 ms, 64 bytes, 2.100 KB memory, and 0.246 mJ energy. Large-scale scalability analysis from 100 to 1000 IIoT devices further shows predictable aggregate overhead growth with stable per-device runtime delay. These results demonstrate that ZT-RIASE provides lightweight, failure-aware, and behavior-adaptive Zero Trust identity attestation suitable for realistic smart industrial IoT deployments.
Verma et al. (Thu,) studied this question.
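The nonce–timestamp freshness and MAC-based integrity check named in the abstract can be sketched as follows. This is an added example, not the ZT-RIASE protocol or the authors' code: the message layout, the 5-second window, and the names `make_message` and `Verifier` are assumptions, and HMAC-SHA256 stands in for the integrity layer only (the AES-128-GCM encryption is omitted).

```python
import hashlib
import hmac
import os
import struct
import time

WINDOW_MS = 5000      # assumed freshness window (clock skew plus transit delay)
NONCE_LEN, TS_LEN, TAG_LEN = 12, 8, 32


def make_message(session_key, payload, now=None):
    """Device side: nonce || timestamp_ms || payload || HMAC tag (assumed layout)."""
    ts_ms = int((time.time() if now is None else now) * 1000)
    body = os.urandom(NONCE_LEN) + struct.pack(">Q", ts_ms) + payload
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


class Verifier:
    """Gateway side: check the MAC first, then freshness, then nonce reuse."""

    def __init__(self, session_key):
        self.key = session_key
        self.seen = {}  # nonce -> timestamp_ms of the accepted message

    def verify(self, msg, now=None):
        now_ms = int((time.time() if now is None else now) * 1000)
        if len(msg) < NONCE_LEN + TS_LEN + TAG_LEN:
            return "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "bad_mac"
        nonce = body[:NONCE_LEN]
        (ts_ms,) = struct.unpack(">Q", body[NONCE_LEN:NONCE_LEN + TS_LEN])
        if abs(now_ms - ts_ms) > WINDOW_MS:
            return "stale"
        # Nonces only need to be remembered while their message is still fresh,
        # which keeps the replay cache bounded on a constrained gateway.
        self.seen = {n: t for n, t in self.seen.items() if now_ms - t <= WINDOW_MS}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts_ms
        return "ok"


if __name__ == "__main__":
    key = os.urandom(16)                       # constructed session key
    gw = Verifier(key)
    m = make_message(key, b"READ sensor-7")    # constructed payload
    print(gw.verify(m), gw.verify(m))          # first accepted, second rejected
```

A captured message replayed inside the window is caught by the nonce cache, and one replayed after the window is caught by the timestamp check, so the cache never has to grow beyond one window of traffic.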