Government moves to mandate IoT cyber security standards

The federal government has pledged to uphold minimum cyber security standards for consumer-grade IoT devices in law, replacing the voluntary guidelines that have been in place since late 2020.

Home Affairs Minister Karen Andrews made the election pledge this week, promising the new measures to protect IoT devices at a time when their use continues to grow in homes.

“The smart device market is growing rapidly but devices are not always secure,” Andrews said in a statement.

“Overseas hackers have been able to steal personal information by remotely accessing the very devices victims bought to protect their homes.”

According to an iTNews report, the government has decided against introducing a “mandatory expiry date label” that displays the length of time that security updates will be provided to a smart device. However, mandatory code of practice for IoT devices has been on the cards since July 2021, when the Department of Home Affairs first raised the prospect as part of a consultation.

The consultation followed a review that found device makers had trouble implementing “high-level principles” in the voluntary code and would prefer to meet an “internationally recognised standard”.

At the time, the department proposed adopting the internationally recognised ETSI consumer IoT security standard, known as ETSI EN 303 645, for its domestic framework.

“The whole of the ETSI standard could be mandated or we could follow the footsteps of the UK and mandate only its top three requirements,” the discussion paper states.

Andrews on Thursday said the minimum cyber security standards were expected to be aligned to those in the United Kingdom to “reduce the cost and regulatory burden on industry”.