Wireless Sensor and Actuator Networks (WSANs) are typically used to protect Critical Infrastructures (CIs). WSANs collect and transmit sensitive data and must fulfil the security requirements defined for the CI they protect. This, however, has a high impact on how such systems are built with respect to security. WSANs depend on the secure operation of their nodes and thus need to rely on the node operating system (OS) in use. However, typical WSAN nodes are limited in power consumption and available hardware resources, which makes it difficult to implement rich security or reliability features. Nevertheless, the OS should still provide security mechanisms that limit the effects of both accidental errors and malicious modifications of the running software. In this paper, we solve a significant number of the aforementioned issues by providing a high-assurance security kernel for WSAN nodes. The security kernel provides strong process isolation. This makes it possible, for example, to execute trusted and untrusted code on the same node, for instance to separate trusted encryption components and keys from untrusted network protocol stacks.
Realizing trustworthiness inside a WSAN is one of the most important aspects of protecting CIs. Each sensor node needs to trust the information flow along the network. For example, in case of an incident, it is essential that a WSAN measuring a power grid notices this incident dependably and in real time. All corresponding actuators, or even the persons behind the control panels, have to react in time to abnormal behaviour of the system. Since possibly cost-intensive or even life-threatening decisions, such as shutting down a high-voltage power supply line, are made based on the information measured by WSANs, these networks have to be fully trustworthy with regard to the data they provide.
The main aspect of the presented security model is to isolate security-critical parts of the operating system, such as encryption mechanisms, encryption keys and security-related software, and to encapsulate each of them in so-called compartments. This is realized in such a way that no compartment can access, interact with, or influence another without permission of the underlying security kernel. The security kernel thus provides a trustworthy platform for secure communication nodes. It is based on a microkernel system with a very small Trusted Computing Base (TCB), which makes it easier to prove the correctness of such a system. On top of it, different security services handle secure code update, attestation, secure communication, secure measurement of the sensor, and secure storage of the sensor data. In parallel to the security-relevant compartments, it is possible to run common WSAN node operating systems (e.g., a para-virtualised Linux, eCos, or TinyOS).