Industrial IoT Protocols With Embedded Authority

by Nick Clark | Published March 27, 2026

Industrial IoT systems route operational data through centralized brokers and gateways, which become single points of failure in environments where every hour of downtime is costly and every blind minute on the production line adds regulatory exposure. Memory-native protocols embed routing authority, trust scope, and operational governance directly into the unit of communication, so industrial devices can assert authority over their own data without depending on centralized infrastructure that can fail at the worst moment. This article positions broker-mediated industrial IoT against the AQ (Adaptive Query) memory-native protocol primitive disclosed under USPTO provisional 64/049,409.


1. Regulatory Framework

Industrial IoT operates under a layered regulatory regime that has tightened sharply since 2023. In the United States, NERC CIP reliability standards govern the bulk electric system, the FDA 21 CFR Part 11 framework constrains data integrity in pharmaceutical and biologics manufacturing, and the TSA Security Directives now apply to pipeline and rail operational technology after the Colonial Pipeline incident reset the threat assumptions. The CISA Cross-Sector Cybersecurity Performance Goals and the SEC cyber-disclosure rule together create a baseline expectation that operational telemetry, supervisory commands, and control loop integrity be evidenced with traceable governance, not merely with generic firewall posture.

In the European Union, NIS2 explicitly extends critical infrastructure obligations to manufacturing, food production, and waste management, with personal liability for management bodies that fail to maintain adequate cybersecurity. The Cyber Resilience Act adds a product-side obligation: every product with digital elements placed on the EU market, industrial devices included, must demonstrate secure-by-design properties across its lifecycle, including the ability to evidence the integrity and authority of its communications. The Machinery Regulation 2023/1230 introduces a digital-instructions and software-integrity dimension to the long-standing CE-marking regime. In parallel, the IEC 62443 family, ISA/IEC 61511 for safety instrumented systems, and the ISO/IEC 27019 energy-utility profile have moved from "industry guidance" to de facto regulatory baselines through their reference in NIS2 implementing acts and national transpositions and in the FDA Cybersecurity in Medical Devices premarket guidance.

The substance of these regimes converges on a single demand. Regulators no longer accept that operational data is "trusted because it came from inside the OT network." They require evidence that each measurement, each command, and each state change carries a verifiable authority trail from the originating device through every intermediate hop to the consuming system. The audit question is no longer "did the broker log it" but "what authority signed this command, what was the credential lineage of the sensor that produced this reading, and can the operator reconstruct, after the fact, the precise communication path that delivered it?"

Industrial IoT vendors have historically answered with bolt-on logging, TLS termination at the broker, and SOC 2 attestations of broker operations. None of these structurally satisfies the new regulatory shape, because the authority being evidenced is the broker's authority, not the device's. The regulatory framework is moving toward credentialed-device, credentialed-message expectations that the broker-centric architecture cannot supply without a substrate change.

2. Architectural Requirement

The architectural requirement implied by the modern regulatory framework, by the operational reality of safety-critical manufacturing, and by the IT/OT convergence trajectory is that industrial communication carry its own authority. A field device emitting a telemetry value must structurally produce more than a payload and a topic name. It must produce an object whose authority, scope, freshness, and trust posture are evaluable by every downstream consumer without recourse to a centralized broker, gateway, or directory.

This requirement has four concrete dimensions. First, every message must carry a credential that names the producing device under a published authority taxonomy: which plant, which cell, which device type, which firmware revision, which calibration epoch. Second, every message must carry routing intent that is enforceable at each hop: which classes of consumers may receive it, which jurisdictions it may traverse, which operational boundaries (safety zone, quality zone, IT enclave) constrain its propagation. Third, every message must carry a freshness and integrity envelope that downstream consumers can evaluate locally without phoning home to a central authority. Fourth, every message must contribute to a lineage that the operator can reconstruct after an incident, not merely from broker logs but from the messages themselves.

These four dimensions are not optional layers to add atop a broker. They define the substrate. A protocol that supplies them as native primitives produces a system in which a quality control supervisor reading a temperature value sees not a number but a credentialed observation; in which a safety PLC receiving a setpoint command sees not a register write but an authority-bound intent; in which an audit reconstruction sees not a log file but a lineage. The architectural requirement is for a memory-native protocol whose unit of communication is the credentialed object rather than the topic-routed payload.

This architectural shape also satisfies the resilience requirement that broker redundancy alone cannot supply. When devices speak credentialed objects, the loss of a broker degrades convenience but does not erase authority. Peer-to-peer paths can be established opportunistically because every party already carries the credentials needed to authenticate itself and the messages it produces. The architecture matches the operating reality of industrial environments, where the centralized layer is the one component that equipment failure, electromagnetic interference, or adversarial action can remove in a single stroke.

3. Why Procedural Approaches Fail

The procedural answer to the regulatory and architectural pressure has been to wrap brokers in additional process: tighter SOC 2 controls on broker operators, MQTT 5 user properties for limited metadata, OPC UA security policies layered on top of the existing broker-aggregator pattern, gateway-level TLS pinning, and SIEM forwarding of broker logs to enterprise security platforms. Each of these is a real improvement, and each fails the structural test for the same reason: the authority being attested is the authority of the broker, not the authority of the device or the message.

Concretely, MQTT topic-based access control enforces who may publish or subscribe at the broker boundary, but downstream consumers receive a payload that has lost the access policy. A reading marked "quality-control-only" at the broker arrives at the analytics platform as an unmarked number. The governance does not travel with the data. OPC UA's certificate model authenticates the OPC UA session (the secure channel between client and server) but not the individual measurements within it; once a session is established, the measurements are credentialed only by the session, which is a coarser unit than the regulator wants to see, and an aggregating server re-credentials them under its own certificate rather than the originating device's. SCADA historians typically stamp values on arrival; even where a source timestamp is carried (OPC UA's SourceTimestamp, for instance), it is not bound to the value by the device's own signature, which fails the integrity envelope requirement.

The procedural failure is structural rather than incidental. Broker-mediated architectures place the trust boundary at the broker because that is where routing decisions are made. To move the trust boundary to the device requires moving the routing decision to the device, which requires a different protocol substrate. No amount of process discipline applied to the existing substrate produces credentialed messages, because the existing substrate has no field for credentials and no evaluator for them at consumption time.

A second procedural failure mode is the assumption that a future "blockchain for IoT" or "DLT for OT" can supply the missing authority. These efforts add a ledger alongside the broker, producing an after-the-fact log of selected events. The ledger does not carry routing authority; the broker still routes. The ledger is therefore an additional surface, not a substrate replacement, and its presence does not change the fact that downstream consumers receive uncredentialed payloads. Such schemes answer "did this happen" but not "by what authority and with what governance did it happen at the moment it propagated."

The third procedural failure is the IT/OT-convergence assumption that enterprise zero-trust frameworks can be extended into the operational network. Enterprise zero trust authenticates users, endpoints, and workloads against identity providers; it does not credential individual field measurements. Extending it into OT produces additional authentication at gateways and device enrollment points but does not credential the underlying telemetry stream. The IT/OT boundary remains a procedurally defended seam rather than a structurally credentialed flow.

4. The AQ Memory-Native Protocol Primitive

The Adaptive Query memory-native protocol primitive disclosed under USPTO provisional 64/049,409 specifies that every unit of communication be a credentialed object whose authority, routing, scope, freshness, and lineage are intrinsic to the object rather than to the surrounding broker, gateway, or session. The unit is not a topic-addressed payload but a structured artifact that carries, as native fields, the producing authority under a published taxonomy, the routing constraints that govern its propagation, the operational boundaries it may traverse, the integrity and freshness envelope under which downstream consumers evaluate it, and the lineage tail that links it to its predecessors and to the trust slope that admitted it.

Five structural properties define the primitive. First, the protocol object is authority-credentialed at production: the producing device emits the object signed under its credential within the authority taxonomy, with no intermediate trust boundary required to introduce credentials. Second, routing intent is intrinsic: the object carries explicit propagation rules that any compliant intermediary or consumer evaluates without consulting an external policy server. Third, evaluation is local: each consumer evaluates the object's authority, scope, and freshness against its own local policy, with no required round-trip to a central authority for routine operation. This in turn requires that consumers be provisioned with, and periodically refresh, the verification material for the taxonomy; a consumer that never phones home cannot otherwise learn that a device credential has been revoked. Fourth, lineage is recorded in the object: every hop and every transformation extends the object's lineage, producing forensic reconstructability without dependence on broker logs. Fifth, recursive closure: the lineage records and routing decisions are themselves credentialed objects that re-enter the protocol at the same level, producing a self-evidencing communication fabric.
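The Python sketch below is an added example written for this article; it is not code from the article, from the provisional, or from any product, and every field name, taxonomy path, consumer class and key in it is an assumption. It illustrates the contrast drawn in section 3 and the first four properties listed above, plus the recursive-closure property for hop records: a device emits an object whose identity, routing intent and freshness window are covered by its own signature, each intermediary appends a signed hop record committing to the state it saw, and a consumer verifies all of that locally with no broker or policy server in the loop. HMAC with per-device keys stands in for the signature scheme only so the example runs on the standard library; the article says the primitive is signature-scheme neutral, and a deployment would use an asymmetric scheme so that consumers hold verification keys rather than device secrets.

```python
import hashlib
import hmac
import json

# Constructed credential store: one key per authority in a plant/cell/device
# taxonomy. HMAC keys stand in for per-device signing credentials; the
# article says the primitive is signature-scheme neutral, so an asymmetric
# scheme would replace this in a real deployment.
DEVICE_KEYS = {
    "plant-a/cell-3/pt-sensor-07": b"constructed-key-sensor-07",
    "plant-a/cell-3/gateway-01": b"constructed-key-gateway-01",
}


def canon(obj):
    """Canonical JSON so the producer and every consumer hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(authority, obj):
    return hmac.new(DEVICE_KEYS[authority], canon(obj), "sha256").hexdigest()


def verify(authority, obj, sig):
    key = DEVICE_KEYS.get(authority)  # unknown authority: not credentialed
    return key is not None and hmac.compare_digest(sign(authority, obj), sig)


def produce(authority, topic, payload, allow, issued, ttl_s):
    """Device-side emission. Identity, routing intent and the freshness window
    are fields of the object and are covered by the producer's signature, so a
    broker that strips or rewrites them breaks verification downstream."""
    obj = {
        "authority": authority,               # taxonomy path: plant/cell/device
        "topic": topic,
        "payload": payload,
        "routing": {"allow": sorted(allow)},  # consumer classes that may receive it
        "freshness": {"issued": issued, "expires": issued + ttl_s},
    }
    return {"object": obj, "sig": sign(authority, obj), "lineage": []}


def forward(env, hop_authority, at):
    """Intermediary (broker, gateway) appends a hop record committing to the
    envelope state it saw, signed under its own credential. The hop record is
    itself a credentialed object, which is the recursive-closure property."""
    record = {"hop": hop_authority, "at": at,
              "prev": hashlib.sha256(canon(env)).hexdigest()}
    out = dict(env)
    out["lineage"] = env["lineage"] + [{"record": record, "sig": sign(hop_authority, record)}]
    return out


def evaluate(env, consumer_class, now):
    """Local evaluation at the consumer: no broker, directory or policy server
    is consulted. Returns (accepted, reason)."""
    obj, sig = env["object"], env["sig"]
    if not verify(obj["authority"], obj, sig):
        return False, "producer signature invalid or authority unknown"
    fr = obj["freshness"]
    if not fr["issued"] <= now <= fr["expires"]:
        return False, "outside freshness window"
    if consumer_class not in obj["routing"]["allow"]:
        return False, "routing intent excludes consumer class %r" % consumer_class
    # Replay the lineage: each hop must be credentialed and must have committed
    # to exactly the envelope state preceding it.
    state = {"object": obj, "sig": sig, "lineage": []}
    for entry in env["lineage"]:
        rec = entry["record"]
        if not verify(rec["hop"], rec, entry["sig"]):
            return False, "hop %s not credentialed" % rec["hop"]
        if rec["prev"] != hashlib.sha256(canon(state)).hexdigest():
            return False, "lineage broken before hop %s" % rec["hop"]
        state = {"object": obj, "sig": sig, "lineage": state["lineage"] + [entry]}
    return True, "accepted with %d credentialed hops" % len(env["lineage"])


def broker_deliver(topic, payload, acl, subscriber_class):
    """Foil: MQTT-style topic ACL. The check happens at the broker and the
    subscriber receives a bare payload with no policy left to evaluate."""
    if subscriber_class not in acl.get(topic, ()):
        return None
    return payload


def demo():
    """Constructed run: a reading marked quality-control-only, relayed once."""
    reading = {"celsius": 71.4}
    env = produce("plant-a/cell-3/pt-sensor-07", "cell3/pt07/temp", reading,
                  {"quality-control", "safety"}, issued=1000, ttl_s=30)
    env = forward(env, "plant-a/cell-3/gateway-01", at=1001)
    return {
        "qc": evaluate(env, "quality-control", 1010),
        "analytics": evaluate(env, "analytics", 1010),
        "stale": evaluate(env, "quality-control", 1031),
        "bare": broker_deliver("cell3/pt07/temp", reading,
                               {"cell3/pt07/temp": {"quality-control"}}, "quality-control"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the run, the quality-control consumer accepts the reading and the analytics consumer rejects it on the object's own routing field, which is the travelling governance that the `broker_deliver` foil loses: there the ACL is checked once at the broker and the subscriber receives a bare `{"celsius": 71.4}`. Two caveats a practitioner should keep in view. The envelope gives authenticity, integrity and policy binding, not delivery: an intermediary can still drop, delay or duplicate objects, and the freshness window is what bounds replay. And the lineage is only as strong as the hop credentials; an uncredentialed or unknown hop, or a hop record that does not match the state preceding it, fails the walk.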

The primitive is technology-neutral. Any signature scheme, any wire format, any transport layer can carry it, because the primitive is a structural property of the unit of communication rather than a specific encoding. It composes hierarchically: a device, a cell, a plant, an enterprise, a coalition each appear as a level in the authority taxonomy, and a deployment scales by adding levels rather than by re-architecting. It is independent of and complementary to the existing IEC 62443 zone-and-conduit model, which it satisfies as a special case while exceeding its evidentiary properties. The inventive step disclosed under provisional 64/049,409 is the credentialed, self-routing, self-evidencing communication object as the unit of an industrial protocol.

Critically, the primitive does not require the disappearance of brokers, OPC UA aggregators, or SCADA historians. It changes what those components are: from authority-bearing intermediaries to convenience-bearing intermediaries. A broker that handles credentialed objects is a router, not a trust boundary; its compromise can drop, delay, or replay objects, and so degrades availability and performance, but it cannot forge authority or alter an object without breaking its credentialing, and the freshness envelope bounds what replay can achieve. The substrate change preserves the operational topology operators have invested in while supplying the credentialing the regulators now require.

5. Compliance Mapping

The five-property primitive maps directly onto the structural demands of the modern industrial regulatory framework. Authority-credentialed production satisfies the NERC CIP-007 systems-security-management and CIP-010 configuration-change-management (baseline configuration) evidentiary requirements at the message level rather than the asset level, because the asset's identity and firmware revision travel with every message it produces. The FDA 21 CFR Part 11 electronic-records requirements for attribution and integrity are satisfied at the measurement level rather than at the application level, eliminating the long-standing dispute about whether an aggregated historian record meets the attribution standard.

Intrinsic routing intent maps onto NIS2 Article 21 risk-management measures and onto the IEC 62443-3-3 system-requirements catalog for zone segmentation, because the segmentation is enforced by the messages themselves rather than by perimeter equipment. The Cyber Resilience Act's secure-by-design and secure-by-default obligations are satisfied at the protocol substrate level, providing a defensible product-side answer to the conformity assessment that vendors otherwise struggle to construct from broker-based architectures.

Local evaluation satisfies the operational technology requirement that safety-critical decisions not depend on enterprise IT availability, which both NIS2 and the FDA Cybersecurity in Medical Devices guidance now treat as a control category rather than a nice-to-have. Lineage recording in the message supports the SEC cyber-disclosure rule, whose material-incident disclosures presuppose that the operator can reconstruct what happened: the operator can produce a credentialed lineage of every message implicated in the incident without depending on broker-side logs whose own integrity is in question after a compromise. Recursive closure addresses the audit-of-the-audit-trail concern that has dogged OT historian implementations for two decades.

The mapping also extends to the emerging coalition and cross-jurisdictional regimes. The U.S.-EU Trade and Technology Council's industrial cybersecurity workstream, the Quad critical-infrastructure cooperation framework, and the IEA-coordinated energy-sector resilience efforts all share an evidentiary expectation that authority and lineage cross jurisdictional boundaries with the data, not separately from it. The hierarchical-composition property of the primitive supplies this naturally: a coalition layer is just another level in the taxonomy, and cross-jurisdictional lineage is a property of the messages rather than of a separately negotiated audit framework.

6. Adoption Pathway

Adoption of the memory-native protocol primitive in industrial IoT proceeds along an incremental path that does not require rip-and-replace. The first stage is a credentialing wrapper: existing devices continue to publish to existing brokers, but a co-located adapter promotes outgoing payloads into credentialed objects under the device's authority. Because the adapter rather than the device holds the credential at this stage, what is evidenced is the adapter's authority over that device's output, which is stronger than broker-level authority but weaker than native production; the adapter's own integrity and its binding to the device therefore need to be part of the evidence. Downstream consumers begin to evaluate the credentialed envelopes, gaining the regulatory and forensic benefits without disrupting the underlying telemetry. This stage is achievable on existing hardware and produces immediate compliance value for FDA Part 11, NIS2, and IEC 62443 evidentiary obligations.

The second stage is native production: device firmware updates emit credentialed objects directly, and the adapter layer is retired. PLC vendors, sensor manufacturers, and OPC UA server vendors integrate the primitive into their reference platforms. The brokers and historians continue to operate but now route credentialed objects rather than uncredentialed payloads. The IT/OT seam becomes a credentialed boundary rather than a procedurally defended one, and zero-trust extension into OT becomes structurally meaningful rather than nominal.

The third stage is peer-to-peer fabric: as a critical mass of devices produces credentialed objects, opportunistic peer paths become viable for safety-critical and high-availability flows. The broker layer remains as a convenience and as a compatibility surface for legacy systems, but the operational dependence on it dissolves. At this stage the architecture matches the resilience requirement: a compromised or destroyed broker degrades convenience but does not blind the production line, because the devices already speak directly to the consumers that need them.

For system integrators, the adoption pathway is commercially attractive because each stage delivers standalone regulatory value. For device vendors, it is attractive because the primitive is a structural differentiator in conformity assessments under the Cyber Resilience Act and the Machinery Regulation. For operators, it is attractive because it converts the existing OT investment into a credentialed substrate without forcing migration. The honest framing is that the AQ memory-native protocol primitive does not replace industrial IoT; it gives industrial IoT the authority substrate the regulators have begun to require and that the broker-mediated architecture, by its structural shape, cannot supply.
