Zero-Trust Agentic Federated Learning for Secure IIoT Defense Systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In recent times there have been several attacks against critical infrastructure such as the 2021 Oldsmar Water Treatment System breach and the 2023 Denmark Energy Sector compromise. These breaches clearly show the need for security improvements within the deployment of Industrial IoT (IIoT). Federated Learning (FL) provides a path to conduct privacy-preserving collaborative intrusion detection; however, all current FL frameworks are vulnerable to Byzantine poisoning attacks and do not include a method for authenticating agents. In this paper we propose Zero-Trust Agentic Federated Learning (ZTA-FL), a defense-in-depth framework using TPM-based cryptographic attestation which has an extremely low (<10⁻⁷) false acceptance rate and a new SHAP-weighted aggregation algorithm with explainable Byzantine detection under non-IID conditions with theoretical guarantees, and uses privacy-preserving on-device adversarial training. Experiments were conducted on three different IDS benchmarks (Edge-IIoTset, CIC-IDS2017, UNSW-NB15) to evaluate the performance of ZTA-FL. The results indicate that ZTA-FL achieved a 97.8% detection rate, a 93.2% detection rate when subjected to 30% Byzantine attacks (an improvement over FLAME of 3.1%, p < 0.01) and 89.3% adversarial robustness, while reducing the communication overhead by 34%. This paper also includes theoretical analysis, failure mode characterization, and open-source code for reproducibility.


💡 Research Summary

The paper addresses the growing security concerns of industrial IoT (IIoT) infrastructures, exemplified by high‑profile incidents such as the 2021 Oldsmar water‑treatment breach and the 2023 Denmark energy‑sector compromise. While federated learning (FL) offers a privacy‑preserving avenue for collaborative intrusion detection, existing FL frameworks lack robust agent authentication and remain vulnerable to Byzantine poisoning attacks, in which compromised clients submit crafted model updates. To overcome these gaps, the authors introduce Zero‑Trust Agentic Federated Learning (ZTA‑FL), a defense‑in‑depth architecture that integrates three complementary mechanisms.

First, each edge device is equipped with a Trusted Platform Module (TPM) that performs cryptographic attestation at boot time. The central server verifies these attestations before accepting any update, ensuring that only hardware‑rooted, trustworthy agents can participate in model aggregation. This hardware‑based trust anchor yields an exceptionally low false‑acceptance rate (<10⁻⁷).
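The admission flow described above, as an added simulation that is not the paper's or any project's code: the device extends its boot components into a PCR, the server issues a fresh nonce, the device returns a quote over the nonce and PCR, and the verifier admits the client only when the key is enrolled, the signature verifies, the nonce is the one it issued, and the PCR matches the known-good policy. The attestation key is simulated with an HMAC secret shared with the verifier (an assumption for a self-contained example); a real TPM 2.0 quote is an asymmetric signature over a TPMS_ATTEST structure checked against the device's attestation-key certificate, but the verifier's checks are the same. Device ids, boot component strings and scenario names are constructed.

```python
"""Boot-time attestation gate for federated clients (added simulation, not the paper's code).

Assumption: the attestation key is an HMAC secret shared with the verifier; a real
TPM 2.0 quote is an asymmetric signature over TPMS_ATTEST verified with the AK certificate.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
PCR_LEN = 32
TAG = b"ATTEST"


def pcr_extend(pcr, measurement):
    """TPM extend semantics: PCR_new = H(PCR_old || H(measurement)); order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Extend every boot component, in order, into a zeroed PCR and return the final value."""
    pcr = bytes(PCR_LEN)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimulatedTpm:
    """Device side: holds the (simulated) attestation key and the PCR measured at boot."""

    def __init__(self, ak_secret, boot_components):
        self._ak = ak_secret
        self.pcr0 = measure_boot(boot_components)

    def quote(self, nonce):
        """Return (attest_blob, signature); the nonce binds the quote to one challenge."""
        attest = TAG + nonce + self.pcr0
        return attest, hmac.new(self._ak, attest, hashlib.sha256).digest()


class AttestationVerifier:
    """Server side: challenge, then verify, before a client may join a training round."""

    def __init__(self, known_aks, golden_pcr0):
        self._known_aks = known_aks   # device_id -> enrolled attestation key
        self._golden = golden_pcr0    # policy: the PCR0 an untampered boot produces
        self._pending = {}            # device_id -> nonce of the outstanding challenge

    def challenge(self, device_id):
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, attest, signature):
        """Return (admitted, reason). Every check must pass; each nonce is consumed once."""
        nonce = self._pending.pop(device_id, None)
        if nonce is None:
            return False, "no outstanding challenge"
        ak = self._known_aks.get(device_id)
        if ak is None:
            return False, "unknown attestation key"
        expected = hmac.new(ak, attest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if len(attest) != len(TAG) + NONCE_LEN + PCR_LEN or not attest.startswith(TAG):
            return False, "malformed quote"
        quoted_nonce = attest[len(TAG):len(TAG) + NONCE_LEN]
        quoted_pcr0 = attest[len(TAG) + NONCE_LEN:]
        if not hmac.compare_digest(quoted_nonce, nonce):
            return False, "stale nonce (replayed quote)"
        if quoted_pcr0 != self._golden:
            return False, "PCR0 mismatch (boot state not in policy)"
        return True, "admitted"


# Constructed policy: the boot chain an approved edge node is expected to run.
EXPECTED_BOOT = [b"bootloader v1.4", b"kernel 6.1-iiot", b"fl-agent 2.0"]


def run_scenarios():
    """Drive several devices through the gate; returns {scenario: (admitted, reason)}."""
    ak_good = secrets.token_bytes(32)
    verifier = AttestationVerifier({"edge-01": ak_good}, measure_boot(EXPECTED_BOOT))
    results = {}
    # Healthy device: enrolled key, fresh nonce, policy-conformant PCR0.
    good = SimulatedTpm(ak_good, EXPECTED_BOOT)
    attest, sig = good.quote(verifier.challenge("edge-01"))
    results["healthy"] = verifier.verify("edge-01", attest, sig)
    # The same (validly signed) quote presented again against a new challenge.
    verifier.challenge("edge-01")
    results["replay"] = verifier.verify("edge-01", attest, sig)
    # Enrolled key but a modified boot chain, so PCR0 no longer matches policy.
    modified = SimulatedTpm(ak_good, EXPECTED_BOOT[:-1] + [b"fl-agent 2.0-modified"])
    attest, sig = modified.quote(verifier.challenge("edge-01"))
    results["modified_boot"] = verifier.verify("edge-01", attest, sig)
    # A device presenting edge-01's identity without edge-01's key.
    other = SimulatedTpm(secrets.token_bytes(32), EXPECTED_BOOT)
    attest, sig = other.quote(verifier.challenge("edge-01"))
    results["wrong_key"] = verifier.verify("edge-01", attest, sig)
    # A device id that was never enrolled.
    attest, sig = other.quote(verifier.challenge("edge-99"))
    results["unenrolled"] = verifier.verify("edge-99", attest, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} -> {outcome}")
```

The order of checks is deliberate: the nonce is popped before anything else so a quote can be evaluated against at most one challenge, and the signature is checked before the blob is parsed so that unsigned input never reaches the PCR comparison. The policy is a single golden PCR0 here; a deployment would hold one allowed value per approved firmware version and rotate it when re-attestation is triggered after an update.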

Second, the framework incorporates on‑device adversarial training. Local models are hardened against common adversarial perturbations (e.g., FGSM, PGD), which improves robustness when malicious inputs are injected during inference.

Third, the authors devise a SHAP‑weighted aggregation algorithm. By computing Shapley Additive Explanations for each client’s update, ZTA‑FL quantifies the true contribution of every participant, assigning lower weights to updates with anomalously low SHAP values—a reliable indicator of Byzantine behavior—so that poisoned updates are down‑weighted rather than silently averaged in. The paper provides a theoretical guarantee that, under a Byzantine fraction β ≤ 0.3, the expected loss increase is bounded by O(β).
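To make the contribution-weighting idea concrete, here is an added toy simulation of one aggregation round; it is not the paper's algorithm and its SHAP computation is a simplified stand-in. The assumptions are constructed: a two-parameter linear model with squared-error loss, each client sending one gradient step, and a coalition's utility defined as the negative validation loss of the model obtained by averaging that coalition's updates. Exact Shapley values are computed over all 2^n coalitions (feasible only for a handful of clients), clients with non-positive value are given zero weight, and the result is compared with plain FedAvg when two of seven clients send negated, amplified updates (a standard poisoning model in the robust-aggregation literature).

```python
"""Shapley-weighted robust aggregation for one federated round (added toy simulation).

Not the paper's code. Constructed assumptions: 2-parameter linear model, squared-error
loss, one gradient step per client, coalition utility v(S) = -validation loss after
averaging S's updates, exact Shapley values over all coalitions.
"""
from itertools import combinations
from math import factorial

W_TRUE = (2.0, -1.0)   # hidden optimum the constructed data is generated from
LR = 0.1               # local learning rate

# Constructed server-side validation set: ((x1, x2), y) with y = x . W_TRUE
VALIDATION = [((1.0, 0.0), 2.0), ((0.0, 1.0), -1.0), ((1.0, 1.0), 1.0),
              ((1.0, -1.0), 3.0), ((2.0, 1.0), 3.0), ((-1.0, 2.0), -4.0)]


def val_loss(w):
    """Mean squared error of weight vector w on the validation set."""
    return sum((x[0] * w[0] + x[1] * w[1] - y) ** 2 for x, y in VALIDATION) / len(VALIDATION)


def local_update(w, scale):
    """One gradient step on a client's local data: four points on a cross of
    radius `scale` (clients are non-IID through different feature scales)."""
    data = [(scale, 0.0), (0.0, scale), (-scale, 0.0), (0.0, -scale)]
    g = [0.0, 0.0]
    for x in data:
        y = x[0] * W_TRUE[0] + x[1] * W_TRUE[1]
        err = x[0] * w[0] + x[1] * w[1] - y
        g[0] += 2.0 * err * x[0] / len(data)
        g[1] += 2.0 * err * x[1] / len(data)
    return (-LR * g[0], -LR * g[1])


def client_updates(w, honest_scales, byzantine_scales, amplify=3.0):
    """Honest clients send their step; Byzantine clients send it negated and amplified."""
    ups = [local_update(w, s) for s in honest_scales]
    ups += [(-amplify * u[0], -amplify * u[1])
            for u in (local_update(w, s) for s in byzantine_scales)]
    return ups


def apply_mean(w, updates, members):
    """Global model after applying the plain mean of the members' updates."""
    members = list(members)
    if not members:
        return w
    n = len(members)
    return (w[0] + sum(updates[i][0] for i in members) / n,
            w[1] + sum(updates[i][1] for i in members) / n)


def shapley_values(w, updates):
    """Exact Shapley value of each client under v(S) = -val_loss(apply_mean(S))."""
    n = len(updates)
    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for k in range(n):
            coeff = factorial(k) * factorial(n - k - 1) / factorial(n)
            for coalition in combinations(others, k):
                gain = (val_loss(apply_mean(w, updates, coalition))
                        - val_loss(apply_mean(w, updates, coalition + (i,))))
                phi[i] += coeff * gain
    return phi


def shapley_weighted_aggregate(w, updates):
    """Clip non-positive Shapley values to zero (anomalously low contribution is
    excluded), normalise the rest, and apply the weighted update."""
    clipped = [max(p, 0.0) for p in shapley_values(w, updates)]
    total = sum(clipped)
    n = len(updates)
    weights = [c / total for c in clipped] if total > 0 else [1.0 / n] * n
    new_w = (w[0] + sum(wt * u[0] for wt, u in zip(weights, updates)),
             w[1] + sum(wt * u[1] for wt, u in zip(weights, updates)))
    return new_w, weights


def run_round(honest_scales=(1.0, 1.2, 1.5, 2.0, 0.8), byzantine_scales=(1.5, 1.5)):
    """One round with 5 honest and 2 Byzantine clients (2/7, under the paper's 0.3 bound)."""
    w0 = (0.0, 0.0)
    updates = client_updates(w0, honest_scales, byzantine_scales)
    w_robust, weights = shapley_weighted_aggregate(w0, updates)
    w_fedavg = apply_mean(w0, updates, range(len(updates)))
    return {"weights": weights, "loss_start": val_loss(w0),
            "loss_fedavg": val_loss(w_fedavg), "loss_robust": val_loss(w_robust)}


if __name__ == "__main__":
    r = run_round()
    print("weights (last two clients are Byzantine):", [round(x, 3) for x in r["weights"]])
    print({k: round(v, 3) for k, v in r.items() if k != "weights"})
```

With these inputs plain FedAvg ends the round with a higher validation loss than it started with, because the two amplified updates outweigh the five honest ones, while the Shapley-weighted aggregate assigns the Byzantine clients exactly zero weight and lowers the loss. The exact computation costs 2^n loss evaluations per client, which is why practical schemes (the paper's included) rely on approximate SHAP values rather than full enumeration.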

Experimental evaluation spans three widely used IDS benchmarks—Edge‑IIoT, CIC‑IDS2017, and UNSW‑NB15—each subjected to 30 % Byzantine attacks and 20 % adversarial samples. Compared with state‑of‑the‑art baselines (FLAME, FedAvg, Krum), ZTA‑FL achieves a 97.8 % overall detection rate, retains 93.2 % detection under Byzantine pressure (a 3.1 % improvement over FLAME, p < 0.01), and sustains 89.3 % accuracy against adversarial inputs. Communication overhead is reduced by 34 % thanks to efficient SHAP computation and selective transmission of verified updates.

The authors also present a failure‑mode analysis covering TPM compromise, SHAP overflow, and network latency, offering mitigation strategies such as re‑attestation, precision scaling, and asynchronous aggregation. All code and experimental pipelines are released as open‑source, facilitating reproducibility and encouraging adoption in real‑world IIoT defense deployments.

