μTEE: Certification-ready RISC-V platform for secure IIoT lifecycle management
Cilardo, Alessandro; Nardone, Roberto
2026-01-01
Abstract
The digital transformation of industrial environments increasingly relies on resource-constrained Industrial Internet of Things (IIoT) devices, which must operate securely despite limited computational capabilities and hostile deployment conditions. Ensuring their trustworthiness is essential for complying with emerging regulations such as the EU Cyber-Resilience Act and for achieving certification under standards such as IEC 62443. This paper presents μTEE, a lightweight Trusted Execution Environment for RISC-V microcontroller-class platforms, explicitly designed to support certification-ready lifecycle security in ultra-lightweight IIoT nodes. μTEE combines hardware-enforced isolation, a secure root of trust, and enclave-based modularity for trusted system services, with an efficient symmetric-cryptography framework tailored to constrained devices. Beyond the architectural contribution, we perform a detailed IEC 62443 Security Level 3 compliance analysis, providing one of the first systematic demonstrations of how a constrained IIoT platform can be evaluated against this standard. The full compliance checklist is released as supplementary material, offering a practical methodology for applying IEC 62443 in novel IIoT contexts. We further illustrate μTEE's integration into lifecycle management flows and demonstrate its deployment in a PLC-based smart metering scenario. A prototypical FPGA implementation on an AMD-Xilinx Artix-7 platform shows modest area and performance costs, with limited overhead on application throughput. Comparative evaluation highlights μTEE's advantages over software-only TEEs, Arm TrustZone-M, and baseline RISC-V PMP approaches. 
The results confirm that μTEE delivers a certifiable, open-hardware trust anchor for IIoT, and that it serves as a replicable case study of IEC 62443 compliance evaluation, advancing the secure deployment of Industry 4.0 infrastructures.


