Security Architecture
Zero Trust Architecture

Security Model

Role-safe by design. Local-first by default. Auditable at the boundary.

Trust Zones

The environment is segmented so a compromise in one zone does not cascade into control.

Interface Zone

Operator clients with role-scoped permissions

Core Zone

Policy, state, audit, and orchestration (Protected)

Control Zone

Gateways and protocol adapters

Device Zone

Field buses and endpoints

Note: Cloud connectivity is not required for core control.

Role Boundaries

Owner

High-level intents and modes. No engineering controls.

Staff

Operational controls within commissioned scope. No privileged actions.

Engineering

Maintenance windows, diagnostics, updates, recovery procedures (audited).

Single Actuation Boundary

The interface does not actuate devices directly. All actuation passes through a deterministic policy gate with an audit record.

Actor → Decision → Actuation → Result
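The role boundaries above and the Actor → Decision → Actuation → Result flow, worked through as an added example (this is illustrative code, not the product's own): a deny-by-default gate that is a pure function of the request, a single actuate() path that only touches the device driver on allow, and a hash-chained audit record written for allowed and blocked requests alike. The action names, device ids and the commissioned-scope set are hypothetical.

```python
from dataclasses import dataclass
import hashlib
import json

# Hypothetical action sets mirroring the page's role boundaries (deny by default).
ROLE_ACTIONS = {
    "owner": {"set_mode"},                                   # high-level intents only
    "staff": {"set_mode", "set_setpoint"},                   # operational controls
    "engineering": {"set_mode", "set_setpoint", "diagnose", "update", "recover"},
}
PRIVILEGED = {"diagnose", "update", "recover"}  # only inside a maintenance window

@dataclass(frozen=True)
class Request:
    actor: str
    role: str
    action: str
    device: str
    maintenance_window: bool = False

def decide(req, commissioned):
    """Deterministic: a pure function of the request and the commissioned scope."""
    if req.device not in commissioned:
        return False, "device outside commissioned scope"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, f"role '{req.role}' may not perform '{req.action}'"
    if req.action in PRIVILEGED and not req.maintenance_window:
        return False, "privileged action outside maintenance window"
    return True, "permitted"

def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def actuate(req, commissioned, driver, audit):
    """The only path to a device: gate first, driver only on allow, audit either way."""
    allowed, reason = decide(req, commissioned)
    result = driver(req.device, req.action) if allowed else "blocked"
    record = {"actor": req.actor, "role": req.role, "action": req.action,
              "device": req.device, "allowed": allowed, "reason": reason,
              "result": result, "prev": audit[-1]["hash"] if audit else "0" * 64}
    record["hash"] = _digest(record)  # chained to the previous record
    audit.append(record)
    return record

def verify_chain(audit):
    """Recompute every hash and link; an edited or dropped record breaks the chain."""
    prev = "0" * 64
    for rec in audit:
        fields = {k: v for k, v in rec.items() if k != "hash"}
        if fields["prev"] != prev or _digest(fields) != rec["hash"]: return False
        prev = rec["hash"]
    return True
```

Because decide() has no side effects and no clock or network access, the same request always yields the same decision, which is what makes the gate auditable rather than merely logged.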

Controlled Updates

  • Authenticated, integrity-checked packages
  • Validated against certified hardware
  • Scheduled within maintenance windows
  • Rollback supported to last known-good

What we refuse to do

  • No hidden telemetry by default
  • No silent bypass of role boundaries
  • No uncontrolled vendor auto-updates inside commissioned scope
