Project & Engagement Manager, IoT Security Foundation


James Willison MA is a recognised international leader in Security Convergence and Enterprise Security Risk Management. In 2020 IFSEC Global listed James #8 in the top 20 Cyber Security Thought Leaders across the world. He was shortlisted in the Security Serious Unsung Security Heroes Awards 2018 as a Security Leader/mentor. James is Co-Chair, Smart Buildings Working Group, Internet of Things Security Foundation and a member of the ASIS International ESRM Steering Committee. He is founder of Unified Security Ltd, a Vidsys consultant, works with AXIS Communications on cyber security and advises on the IFSEC Converged Security Centre. James was awarded the Imbert Prize for an ‘outstanding contribution to the Security Industry in 2011’ for his work on convergence with ASIS Europe and the Information Security Awareness Forum. He has more than 20 years of management experience in the physical and information security industry, including posts as Advisor on Convergence to the Mitie TSM Board, Senior Lecturer in Security Management at Loughborough University and Digital Security Expert with the European Union. He has co-authored three White Papers and a series of new articles with Sarb Sembhi, sponsored by AXIS Communications, on ESRM, GDPR and Smart Buildings and Cities’ Security.
June 7, 2022



Is your home or small business built on secure foundations? Think again…

Did you know that the standard router relied upon in homes and by thousands of small businesses is the most frequently attacked IoT device? James Willison, Project and Engagement manager, IoT Security Foundation, explores the issue and reveals an ongoing initiative from the Foundation that is designed to better secure the devices.

Few of us realise that our internet connection relies on the strength of our router’s security. So much of what we depend on in our modern-day lives comes into our homes and businesses via that box sitting near the front door. We pay attention to our front door and try to ensure it is locked and bolted, but what about that box supplied by the broadband provider?

Well, I am sorry to warn you that it is the most targeted IoT device – if an attacker can control it, then it’s really game over for the rest of your home and small business. Software company Symantec has advised that 75% of all IoT attacks are on infected routers, with 15% against webcams, so that’s a concern to some of us too! Of course, everything comes through the trusty box at the front door.

So, while your house might be built on solid ground and the physical foundations are firm, it is unlikely that the internet connection is as strong as you think. There are people who are entering your home and you have opened it to them. In the words of the song, “Who are you? I really want to know!”

Our problem is that we don’t ask this question on a regular basis regarding our networks because we assume our broadband provider is looking after that for us. While they will of course be doing security at various levels, there is much on our networks which is simply not secure and should be of concern to us.

I have been aware of IoT security issues in the home, small business and the enterprise for some time, as I have worked closely with my good friend and colleague Sarb Sembhi for many years. It was when I met Dr. Nick Allott in November 2018 that I became more aware of the severity of the problem, as he explained that most of the home routers we use today are not secure and that the devices they manage have little or no security either. This is not to mention other complications like wireless extenders, smart speakers, and applications on your network to add to the mix.

Join the project to help protect home networks

The great news is that for over two years, Nick’s company NQuiring minds has led an Innovate UK consortium of partners including the University of Oxford Cyber Security Centre, Cisco, the IoT Security Foundation and recently BT to develop a range of solutions to improve the situation. The project is called ‘manysecured’ and its objectives are to detect and protect against IoT vulnerabilities on the router and the network. It is a truly international collaboration based on open-source software and has gained the interest of NIST and the US Government’s CISA. I was privileged to join the project in March this year, and we are seeking to involve other professional stakeholders such as IoT manufacturers and security professionals.

I am confident that, given the collaborative nature of the various solutions which comprise the manysecured project, the prototype will be launched at the IoT Security Foundation’s conference on 5 October.

In essence there are five functions within the project’s special interest group.

  • The first has produced a set of requirements for ISPs to ensure best practices for the router itself.
  • The second has proposed a secure user internet browser which will help when you log on and configure your router.
  • The third seeks to identify devices on your network. This includes describing what they are. We are looking for IoT manufacturers to help us with this. Many of our readers have been actively seeking to develop the cyber security of physical security devices and systems and so we appeal to you to join us to ensure we get this right.
  • The fourth solution monitors the security events and raises alerts for the hub.
  • The fifth controls the threats.

Most importantly, all these processes are interoperable such that the home network is protected. The project seeks to address the principles of secure boot, storage, and secure processing. The place of AI is important because of the volume of data and the difficulty in knowing who and what is on your network. Hence concepts like ‘zero trust’, which Nick has helpfully defined as ‘multifactor continuous verification’, are foundational. Similarly, ‘cognitive security’, which he summarises as ‘AI based on human thought patterns to protect physical and digital devices and systems’, is a cornerstone of the project.

As security convergence is a response to IoT risk, an area for all of us to improve is the security of the physical devices and systems in the supply chain and the business. If we can get the router, the front end of so many of our homes and small businesses and therefore 90% of the environment, into a better state than it is right now, then we will be on our way to rebuilding that wall, which at the moment has a massive hole in it.

As J.R.R. Tolkien wrote in The Lord of the Rings – “A gaping hole was blasted in the wall. A host of dark shapes poured in.” The response required an alliance of several large armies for victory to be achieved. The same is needed today if we are to secure our internet gateways and devices.

Please get in touch with me and the IoT Security Foundation to join our cause and make a difference. You can reach James Willison at the IoT Security Foundation or via his LinkedIn profile.

