Secure-by-Design Hardware Architecture for Real-Time IoT with Cycle-Bounded Trust and Redundancy-Aware Sensor Fusion
Real-time industrial IoT control systems that operate on physical variables depend on sensor readings that are assumed to be accurate, timely, and trustworthy. These assumptions break down under attack scenarios, sensor degradation, or physical tampering. We present a hardware-timed trust enforcement design that enforces trust decisions at the sensor fusion layer. The design targets post-ADC gating; all timing and fault results were obtained on a cycle-bounded, non-preemptive ESP32 firmware realization. Selected enforcement blocks were also built as discrete hardware but did not produce the reported metrics. The design combines redundancy-aware data integration with a continuous trust evaluation driven by hardware logic. Sensor nodes are linked to their identity through an on-chip eFuse device identifier read at boot and bound to the sensing channel. Data from redundant sources is filtered through a median-based fusion rule that considers delay patterns, value consistency, and trust history. When trust degrades, the ESP32 realization applies a cycle-synchronous digital mask to the post-ADC sample; GPIO lines are used for timing/observability only. We validate the architecture on a closed-loop testbed for IoT process control under spoofed and fault inputs. The results show bounded recovery latency and isolation of corrupted data within the same cycle in which degradation is first detected or, in the worst case, within four control cycles, depending on the pre-update trust level. In this prototype, gating occurs after ADC: corrupted digital samples are blocked from fusion within the same cycle, while analog front-end saturation cannot be prevented. These results were obtained with an ESP32 firmware realization that applies post-ADC gating within the control tick; discrete hardware builds were not used for the reported measurements.
- Al-Rubaye, Maitham
- Aral, Atakan
Category | Paper in Conference Proceedings or in Workshop Proceedings (Lecture)
Event Title | Proceedings of the 18th IEEE/ACM International Conference on Utility and Cloud Computing
Divisions | Scientific Computing
Subjects | Data processing management; Parallel data processing; Computer architecture
Event Location | Nantes, France
Event Type | Conference
Event Dates | 1-4 Dec 2025
Series Name | UCC '25
Publisher | Association for Computing Machinery
Date | 2025
Official URL | https://doi.org/10.1145/3773274.3774264
