
Zero-Trust Security for Embedded and IoT Devices

New Tech Tuesdays

Join Mouser's Technical Content team for a weekly look at all things interesting, new, and noteworthy for design engineers.

Published December 23, 2025

For nearly 20 years, zero trust was an information technology (IT) department's way of keeping employees, contractors, and cloud applications in check. In corporate networks and data centers, the idea was straightforward: trust nothing by default, verify everything, and tightly control who or what could access sensitive data.

Now, this mindset is moving beyond the server room and into the devices that run the world, from industrial control units in factories to Internet of Things (IoT) sensors in smart homes. Embedded systems are being treated like they're sitting on the open internet, even when they're inside a “closed” network.

For designers, this means every firmware update, data packet, and component interaction must be assumed hostile until proven otherwise. Even a sensor deep in a closed industrial network can be compromised through a malicious firmware update or an infected maintenance laptop. Engineers must treat every device as if it were directly connected to the public internet, which means building authentication, encryption, and verification into the hardware itself. This week’s New Tech Tuesdays looks at how zero-trust security raises the level of protection for devices across networking environments.

How Zero Trust Works at the Device Level

In a traditional network, once a device was “inside” the perimeter—for example, on the factory floor or plugged into a private local area network (LAN)—it was considered safe. Zero trust removes that assumption. All connections between devices, services, or users are verified before being trusted (Figure 1).

Figure 1: The zero-trust approach to security is built on key concepts that all connect to the core idea of verifying trust every time. (Source: Akash Sain/stock.adobe.com)

Instead of relying on perimeter firewalls, this approach builds security into the device itself, embedding authentication, authorization, and continuous verification. The goal is to ensure that no matter where the device operates—whether on a closed network, across the public internet, or in a hybrid environment—it never trusts anything without proof.

Zero-trust devices may include secure elements[1] or hardware security modules (HSMs) to store encryption keys,[2] trusted execution environments (TEEs) to isolate sensitive code,[3] and immutable bootloaders that only start software they have verified.[4] They often feature intrusion detection for anomalies[5] and hardware true random number generators (TRNGs), which supply the entropy that keys, nonces, and session secrets depend on. Such a device authenticates itself with a secure element or authentication IC before it shares any data, and is granted only the minimum access it needs thereafter. Zero-trust devices revalidate connections frequently, and unusual behavior triggers alerts or isolation. Firmware integrity is verified before the code runs, and data is encrypted even when it never leaves the device.[6]
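The firmware-integrity and anti-rollback checks described above, worked through as an added Go example. This is not code from the original article or from any vendor named on the page. It assumes a hypothetical 40-byte manifest (version, image length, SHA-256 digest of the image) that the vendor signs with Ed25519; the vendor public key is assumed to be baked into immutable storage at manufacture, and the installed version counter is assumed to live in rollback-protected storage. Keys and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs for each release. Hypothetical layout for this
// example: 40 bytes big-endian, version uint32 | imageLen uint32 | sha256 [32]byte.
type Manifest struct {
	Version  uint32
	ImageLen uint32
	Digest   [32]byte
}

func (m Manifest) encode() []byte {
	buf := make([]byte, 40)
	binary.BigEndian.PutUint32(buf[0:4], m.Version)
	binary.BigEndian.PutUint32(buf[4:8], m.ImageLen)
	copy(buf[8:], m.Digest[:])
	return buf
}

// Device models the part of an immutable bootloader that decides whether an update may run.
type Device struct {
	VendorKey      ed25519.PublicKey // assumed burned into ROM/OTP at manufacture
	CurrentVersion uint32            // assumed kept in rollback-protected storage
}

var (
	ErrBadSignature = errors.New("manifest malformed or signature does not verify against vendor key")
	ErrLength       = errors.New("image length does not match signed manifest")
	ErrDigest       = errors.New("image digest does not match signed manifest")
	ErrRollback     = errors.New("image version is older than the installed version")
)

// VerifyUpdate checks the signature first, so no unauthenticated field steers the
// later decisions, then image integrity, then anti-rollback.
func (d *Device) VerifyUpdate(manifest, sig, image []byte) error {
	if len(manifest) != 40 || !ed25519.Verify(d.VendorKey, manifest, sig) {
		return ErrBadSignature
	}
	m := Manifest{Version: binary.BigEndian.Uint32(manifest[0:4]), ImageLen: binary.BigEndian.Uint32(manifest[4:8])}
	copy(m.Digest[:], manifest[8:40])
	if uint32(len(image)) != m.ImageLen {
		return ErrLength
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version < d.CurrentVersion {
		return ErrRollback
	}
	return nil
}

// signRelease is the vendor-side step; in production it runs on an HSM, never on the device.
func signRelease(priv ed25519.PrivateKey, version uint32, image []byte) (manifest, sig []byte) {
	m := Manifest{Version: version, ImageLen: uint32(len(image)), Digest: sha256.Sum256(image)}
	manifest = m.encode()
	return manifest, ed25519.Sign(priv, manifest)
}

// FirmwareScenarios runs one genuine update and three attacks against a device
// currently on version 5, returning the verdict for each (nil means accepted).
func FirmwareScenarios() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: vendorPub, CurrentVersion: 5}
	out := map[string]error{}
	image := []byte("constructed firmware image, version 6") // constructed sample image
	manifest, sig := signRelease(vendorPriv, 6, image)
	out["genuine"] = dev.VerifyUpdate(manifest, sig, image)
	tampered := append([]byte(nil), image...) // one byte altered after signing
	tampered[0] ^= 0x01
	out["tampered"] = dev.VerifyUpdate(manifest, sig, tampered)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker signs with a key of their own
	forged, forgedSig := signRelease(attackerPriv, 7, image)
	out["forged"] = dev.VerifyUpdate(forged, forgedSig, image)
	old := []byte("constructed firmware image, version 3") // genuine but older (and presumably vulnerable) release
	oldManifest, oldSig := signRelease(vendorPriv, 3, old)
	out["rollback"] = dev.VerifyUpdate(oldManifest, oldSig, old)
	return out
}

func main() {
	for name, verdict := range FirmwareScenarios() {
		fmt.Printf("%-9s -> %v\n", name, verdict)
	}
}
```

Two caveats the code makes visible: the digest check only protects the image if the manifest signature is checked first, and the anti-rollback check is only as strong as the storage holding CurrentVersion. If an attacker can reset that counter, a signed old release with a known flaw becomes installable again, which is why the version counter belongs in the same tamper-resistant storage as the vendor key.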

A zero-trust-enabled device will not just log in once and assume everything is fine. It will keep checking. In an industrial control system, that might mean a motor controller authenticates each command from the programmable logic controller (PLC), even if they are both connected to the same local network. In an IoT thermostat, it could mean rejecting cloud updates that aren't signed by a trusted vendor key.
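The per-command authentication between a PLC and a motor controller described above, as an added Go example. It is not code from the original article and the frame layout is hypothetical rather than a real fieldbus format. It assumes a pre-shared per-link key (in a real design provisioned into a secure element) and a monotonically increasing sequence number for replay protection; the commands and key bytes are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is one authenticated command: senderID | seq | cmd | tag (HMAC-SHA256). Hypothetical layout.
type Frame struct {
	SenderID uint16
	Seq      uint32
	Cmd      []byte
	Tag      []byte
}

// authInput is the byte string the tag covers. Binding senderID and seq into it
// means a tag cannot be transplanted to another peer or replayed later.
func authInput(senderID uint16, seq uint32, cmd []byte) []byte {
	buf := make([]byte, 6, 6+len(cmd))
	binary.BigEndian.PutUint16(buf[0:2], senderID)
	binary.BigEndian.PutUint32(buf[2:6], seq)
	return append(buf, cmd...)
}

func tag(key []byte, senderID uint16, seq uint32, cmd []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(authInput(senderID, seq, cmd))
	return mac.Sum(nil)
}

// Sender is the PLC side: one key per link and a counter that only ever increases.
type Sender struct {
	ID  uint16
	Key []byte
	seq uint32
}

func (s *Sender) Send(cmd []byte) Frame {
	s.seq++
	return Frame{SenderID: s.ID, Seq: s.seq, Cmd: cmd, Tag: tag(s.Key, s.ID, s.seq, cmd)}
}

// Receiver is the motor controller: the key of every peer it was provisioned to
// trust, plus the last sequence number accepted from each.
type Receiver struct {
	Keys    map[uint16][]byte
	LastSeq map[uint16]uint32
}

var (
	ErrUnknownPeer = errors.New("no key provisioned for this sender")
	ErrBadTag      = errors.New("authentication tag mismatch")
	ErrReplay      = errors.New("sequence number not newer than last accepted")
)

// Accept runs before the command is acted on. The tag is checked first, in
// constant time, so a forged frame can neither probe nor advance the replay counter.
func (r *Receiver) Accept(f Frame) error {
	key, ok := r.Keys[f.SenderID]
	if !ok {
		return ErrUnknownPeer
	}
	if !hmac.Equal(tag(key, f.SenderID, f.Seq, f.Cmd), f.Tag) {
		return ErrBadTag
	}
	if f.Seq <= r.LastSeq[f.SenderID] {
		return ErrReplay
	}
	r.LastSeq[f.SenderID] = f.Seq
	return nil
}

// CommandScenarios sends one genuine command and four attacks, returning the
// controller's verdict for each (nil means the command would be executed).
func CommandScenarios() map[string]error {
	key := []byte("constructed 32-byte link key....") // constructed; really provisioned into a secure element
	plc := &Sender{ID: 0x0001, Key: key}
	motor := &Receiver{Keys: map[uint16][]byte{0x0001: key}, LastSeq: map[uint16]uint32{}}
	out := map[string]error{}
	f := plc.Send([]byte("SET_SPEED 1200"))
	out["genuine"] = motor.Accept(f)
	out["replay"] = motor.Accept(f) // the same captured frame sent again
	f2 := plc.Send([]byte("SET_SPEED 1200"))
	f2.Cmd = []byte("SET_SPEED 9000") // altered in flight; tag no longer matches
	out["tampered"] = motor.Accept(f2)
	rogue := &Sender{ID: 0x0001, Key: []byte("guessed key")} // spoofs the PLC's identity without its key
	out["spoofed"] = motor.Accept(rogue.Send([]byte("STOP")))
	stranger := &Sender{ID: 0x0099, Key: []byte("other key")} // never provisioned on this controller
	out["unknown"] = motor.Accept(stranger.Send([]byte("STOP")))
	return out
}

func main() {
	for name, verdict := range CommandScenarios() {
		fmt.Printf("%-9s -> %v\n", name, verdict)
	}
}
```

The replay counter is only useful if it survives a reset: a controller that reboots with LastSeq back at zero reopens the window for every frame captured since the key was provisioned. Either persist the counter or derive a fresh per-session key on each power-up so old tags stop verifying.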

Real-World Zero Trust in Action

As automation systems proliferate and the IoT grows exponentially, zero trust is moving beyond IT. It’s now showing up in smart home devices, industrial control systems, and IoT products—changing how they connect, share data, and verify trust.

Factory Networks and OT Devices

In industrial settings, companies are applying zero trust to better secure operational technology (OT) networks. For example, Microsoft Defender for IoT applies zero trust by segmenting factory networks into “sites and zones” and enforcing identity-based access at every layer.[7] By treating every device and connection as untrusted, this approach limits lateral movement even inside isolated production networks.

Field-Level IoT Maintenance and Control

For IoT endpoints like sensors and remote controls, manufacturers are adding continuous identity checks with real-time behavior monitoring.[8] That means verifying credentials and watching for unusual traffic or commands, so threats can be flagged and stopped before they spread.

Rules To Keep IoT Devices Safe

Certification schemes are building zero trust into products before they leave the factory. For example, the PSA Certified framework, which grew out of Arm’s Platform Security Architecture (PSA), defines requirements for secure boot, device identity, and encrypted communication.[9] Chipmakers are designing products to meet PSA Certified Level 2 and Level 3, embedding hardware-based trust anchors into the next generation of embedded systems.

The Newest Products for Your Newest Designs®

Zero trust works best when it starts in the hardware. STMicroelectronics STSAFE-A120 authentication ICs provide a hardware root of trust for embedded and IoT designs, featuring a Common Criteria EAL5+ certified secure element, a unique device ID, and support for ECC, AES, and hashing. The ICs handle transport layer security (TLS) 1.2 and 1.3 handshakes, secure boot, and firmware verification, while offering 16KB of configurable nonvolatile memory (NVM) rated for 500,000 cycles. Communication with the STSAFE-A120 is via I²C at up to 400kbit/s, and it operates reliably from −40°C to +105°C. Available in compact SO8N or UFDFPN packages, the ICs are built for secure operation in connected devices from the start.

Tuesday’s Takeaway

Zero trust is no longer just for IT teams. It is headed to embedded, IoT, and industrial devices, and consequently changing how they are built. Treating every interaction as untrusted from the outset creates hardware that’s harder to compromise and easier to secure in the long run.


Sources

[1] https://promwad.com/news/zero-trust-in-embedded-security

[2] https://www.opencompute.org/documents/secure-boot-2-pdf

[3] https://www.wolfssl.com/difference-hsm-tpm-secure-enclave-secure-element-hardware-root-trust/

[4] https://www.opencompute.org/documents/secure-boot-2-pdf

[5] https://cactilab.github.io/assets/pdf/zhao2024seed.pdf

[6] https://arxiv.org/abs/2410.18291

[7] https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/concept-zero-trust

[8] https://deviceauthority.com/the-key-benefits-of-adopting-zero-trust-iot-for-device-identity-lifecycle-management

[9] https://www.trustcb.com/iot/psa-certified

About the Author

Mouser Electronics, founded in 1964, is a globally authorized distributor of semiconductors and electronic components for over 1,200 industry-leading manufacturer brands. We specialize in the rapid introduction of the newest products and technologies targeting the design engineer and buyer communities. Mouser has 28 offices located around the globe. We conduct business in 23 different languages and 34 currencies. Our global distribution center is equipped with state-of-the-art wireless warehouse management systems that enable us to process orders 24/7, and deliver nearly perfect pick-and-ship operations.
