
ENsuring Secure and Safe CMD Design with Zero TRUST Principles

Periodic Reporting for period 2 - ENTRUST (ENsuring Secure and Safe CMD Design with Zero TRUST Principles)

Reporting period: 2024-07-01 to 2025-12-31

The overarching goal of ENTRUST was to provide all the necessary security mechanisms and trust extensions for supporting the secure lifecycle management of Connected Medical Devices (CMDs), enabling the transition towards zero-trust architectures where CMDs can provide verifiable guarantees on their trustworthiness. The project addressed the need to bootstrap trust in CMDs and to support runtime trust assessment, expanding the notion of trust beyond device integrity to also include resilience, robustness and safety. ENTRUST defined trust and trustworthiness in the context of CMDs and designed a holistic overarching framework capturing the entire lifecycle of a medical device across the Manufacturing (Design), Pre-deployment and Runtime phases. At the core of the framework lies the Trust Assessment Framework (TAF), which tackles trust quantification in the medical domain through continuous and dynamic Trust Assessment anchored to decentralised Roots-of-Trust and supported by adaptive mechanisms capable of handling contradicting data through Subjective Logic. ENTRUST performed research, design and implementation activities spanning the provision of a holistic security and privacy solution throughout the CMD lifecycle, formal verification of end-to-end information flow to capture trust boundaries in medical service graph chain operations, the establishment of a Trusted Computing Base (TCB) with novel attestation capabilities, and the creation of trust enablers able to provide verifiable evidence for runtime trust quantification. The framework was deployed in realistic use cases providing safety-critical medical services, demonstrating how bootstrapping trust, secure communication, runtime monitoring and secure software update can operate in practical medical domain infrastructures while aligning with regulatory and standardisation efforts.
Over its full duration, ENTRUST completed the research, design, implementation, integration and evaluation of all core technical components and delivered the final version of the integrated ENTRUST framework. The final reference architecture and threat landscape were defined, and the TAF was integrated with all trust extensions, including the AI-based Misbehaviour Detection acting as a Trust Source, the Risk Assessment component calculating the Required Trust Level (RTL), and the Digital Twin-enabled Secure Software Update functionality supporting scalable and hierarchical deployment. The interoperable security stack and harmonised Trusted Computing Base were implemented for both low-end and high-end devices, instantiated through Physical Unclonable Functions for low-end platforms and a Trusted Execution Environment (OP-TEE) for high-end devices. Novel mechanisms such as Zero-Touch Onboarding extending the IETF-proposed EAP protocol, Configuration Integrity Verification, Swarm Attestation, Conformity Certificates formatted as Verifiable Credentials, and privacy-preserving cryptographic constructions including Attribute-Based Credentials and Direct Anonymous Attestation were designed, implemented and benchmarked. Formal Verification using ProVerif and Tamarin was supported through a Domain-Specific Language and extended with runtime verification integrated into the Digital Twin. Threat Modelling leveraged Large Language Models to construct tailored threat landscapes, while Software Verification employed fuzzing techniques enhanced with LLM-generated seed inputs. The Blockchain Infrastructure and smart contracts supported auditable handling of attestation data, trust policies, Conformity Certificates and threat intelligence data, while the Tracer component enabled runtime monitoring in both low-end and high-end devices.
All components were integrated and evaluated across five real-world use case demonstrators, with benchmarking against defined KPIs, demonstrating performance, scalability and applicability within medical domain infrastructures.
ENTRUST goes beyond the state of the art by delivering dynamic Trust Assessment capabilities in medical domains where trust cannot be assumed a priori and where security has traditionally relied on manufacturer-enabled mechanisms rather than continuous runtime trust quantification. The Trust Assessment Framework enables quantifiable, continuous and federated trust assessment across devices and domains, anchored to Roots-of-Trust and supported by formal verification, risk assessment, threat modelling, runtime attestation, AI-based misbehaviour detection and Digital Twin enabled mitigation. The harmonised Trusted Computing Base captures heterogeneity by supporting both low-end and high-end CMDs, while novel mechanisms such as Zero-Touch Onboarding, Configuration Integrity Verification, Swarm Attestation and Conformity Certificates enable verifiable and privacy-preserving evidence generation and runtime certification. The integration of Verifiable Credentials, privacy-preserving Attribute-Based Credentials and blockchain-based auditability in the context of CMDs represents a first-of-its-kind adoption within this domain. These results were validated in realistic, safety-critical use cases, demonstrating applicability in hospital environments, remote monitoring, ambulance scenarios and wearable platforms. Further uptake can be supported through continued deployment, alignment with standardisation activities and the structured Open-Source Exploitation Roadmap ensuring sustainable access and extensibility of core artefacts.
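The report describes the TAF as fusing contradicting evidence from several Trust Sources through Subjective Logic and comparing the result against the RTL produced by Risk Assessment. The following added example (written for this summary, not ENTRUST project code) shows that idea with binomial opinions and Jøsang's cumulative fusion operator; the evidence counts, the misbehaviour-detector opinion and the RTL value of 0.7 are constructed assumptions, and the choice of cumulative fusion is mine, since the report does not name the operator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Opinion:
    """Binomial subjective-logic opinion: belief, disbelief, uncertainty, base rate."""
    b: float
    d: float
    u: float
    a: float = 0.5

    def __post_init__(self):
        if abs(self.b + self.d + self.u - 1.0) > 1e-9 or min(self.b, self.d, self.u) < 0:
            raise ValueError("b + d + u must equal 1 with non-negative components")

    def projected(self) -> float:
        """Projected trust probability P = b + a*u, compared against the RTL threshold."""
        return self.b + self.a * self.u

def opinion_from_evidence(r: float, s: float, a: float = 0.5, W: float = 2.0) -> Opinion:
    """Map r positive and s negative observations (e.g. passed/failed attestations) to an opinion."""
    total = r + s + W
    return Opinion(r / total, s / total, W / total, a)

def cumulative_fusion(x: Opinion, y: Opinion) -> Opinion:
    """Combine two independent opinions about the same device (Jøsang cumulative fusion)."""
    k = x.u + y.u - x.u * y.u
    if k == 0:  # both sources dogmatic (u == 0): needs the relative-weight variant, not handled here
        raise ValueError("cumulative fusion of two dogmatic opinions is not supported")
    b = (x.b * y.u + y.b * x.u) / k
    d = (x.d * y.u + y.d * x.u) / k
    u = (x.u * y.u) / k
    ka = x.u + y.u - 2 * x.u * y.u
    a = (x.a * y.u + y.a * x.u - (x.a + y.a) * x.u * y.u) / ka if ka else (x.a + y.a) / 2
    return Opinion(b, d, u, a)

def assess_trust(sources: list[Opinion], required_trust_level: float) -> tuple[float, bool]:
    """Fuse every Trust Source opinion and decide whether the device meets the RTL."""
    fused = sources[0]
    for op in sources[1:]:
        fused = cumulative_fusion(fused, op)
    p = fused.projected()
    return p, p >= required_trust_level

# Constructed sample: 8 successful attestations and no failures from the attestation Trust Source ...
ATTESTATION = opinion_from_evidence(r=8, s=0)
# ... contradicted by a misbehaviour detector whose opinion leans towards "untrustworthy".
MISBEHAVIOUR = Opinion(b=0.1, d=0.6, u=0.3)
RTL = 0.7  # constructed Required Trust Level, standing in for Risk Assessment output

if __name__ == "__main__":
    p, ok = assess_trust([ATTESTATION, MISBEHAVIOUR], RTL)
    print(f"projected trust {p:.3f}, meets RTL {RTL}: {ok}")
```

The attestation source alone would clear the threshold (P = 0.9), but fusing in the contradicting detector lowers the projected trust to about 0.66, so the device falls below the RTL and would be flagged for mitigation rather than treated as trusted.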