Securing the “Things”: The Story Behind Our IoT Cybersecurity Framework

The Internet of Things (IoT) is no longer a future concept. It is already part of our everyday lives and industrial operations—from smart sensors and automation systems to critical infrastructure and connected services. While teaching and working closely with industry, I began to notice a worrying pattern: IoT devices were being deployed rapidly, but their security, especially after deployment, was often overlooked.

As an academic deeply involved in both teaching emerging technologies and supporting industry solutions, this gap concerned me. Many organisations were excited about automation and Industrial IoT (IIoT), yet few had a clear strategy for keeping these devices secure over time. This is what triggered our research: a simple but important question—how do we securely update IoT devices once they are already in operation?

The motivation was reinforced by recent studies and real-world incidents showing that IoT devices are now one of the weakest links in cybersecurity, second only to human factors. Devices are often left unpatched, outdated, or exposed, creating serious risks. Despite growing awareness, there was still no practical, integrated way to manage secure updates across diverse IoT environments.

This research emerged from the intersection of teaching, research, and real-world problem-solving. Through my IoT and cybersecurity classes, I could see students grappling with the same challenges faced by industry: limited device capacity, lack of standardisation, and the complexity of managing security at scale. The work was carried out in collaboration with Mr Wail Al Thohli, a highly motivated student ( graduate now) with a strong interest in IoT deployment. Our discussions and experimentation helped shape the prototype and ensured that the solution remained practical and grounded.

One of the biggest challenges we faced was the sheer variety of IoT devices. Unlike traditional IT systems, IoT ecosystems include devices with different hardware capabilities, operating systems, and communication methods. Many have limited processing power and memory, making common security techniques such as continuous encryption or VPN-based updates unsuitable. Applying heavy security controls often affected device performance or reliability—something organisations cannot afford in operational environments.

Existing solutions only partially address this problem. Some consumer devices, such as smartphones or smart TVs, can update themselves directly from vendors. However, many industrial and embedded IoT devices lack such mechanisms. Exposing them to the internet increases risk, while adding complex security layers can reduce performance. For managers and policymakers, this creates a difficult trade-off between security and functionality.

Our work proposes a framework and prototype that aim to bridge this gap. Rather than treating updates as an afterthought, we focus on embedding cybersecurity throughout the IoT lifecycle, in a way that respects device limitations. The goal is not just stronger security, but usable and sustainable security.

This research is intended to benefit a wide audience: organisations deploying IoT systems, developers designing connected devices, and researchers exploring secure-by-design approaches. It also has the potential to inform policy discussions and future standards around IoT security, particularly in industrial and critical infrastructure contexts.

Looking ahead, this work forms part of a broader research agenda focused on practical cybersecurity for emerging technologies. It also feeds directly into teaching, helping students understand that security is not only about algorithms, but about real-world constraints and decisions.

On a personal level, this research reshaped how I think about cybersecurity. It reinforced the idea that effective security solutions must be realistic, inclusive, and context-aware. My advice to early-career researchers is simple: engage with real problems, listen to users, and design solutions that work in practice, not just on paper.