IoT

Strengthening IoT Cyber Security: A Key Focus of Australia’s Cyber Security Act 2024

Table of Contents

Australia’s Cyber Security Act 2024 (the Act) represents a major milestone in addressing the ever-evolving challenges of cyber security in today’s digital landscape. By establishing measures such as mandatory ransomware reporting and the creation of a Cyber Security Incident Review Board, the Act underscores the nation’s commitment to enhancing cyber security. However, this article will focus on the section of the Act that addresses the establishment of security standards for smart devices, setting a new benchmark for Internet of Things (IoT) security.

A New Era for IoT Device Security

Under the new legislation, the Secretary of the Department of Home Affairs is empowered to commission independent audits to verify compliance with security standards. In cases of non-compliance, the Secretary can issue compliance notices, stop notices, or even recall notices, which may be made public to inform consumers and stakeholders.

This focus targets “relevant connectable products” within the IoT ecosystem. These products range from smart white goods such as connected fridges, network-enabled baby monitors and robot vacuum cleaners, to Industrial Internet of Things (IIoT) devices and systems installed in smart cities and industries, such as smart meters, smart traffic management systems and industrial robotics for precision tasks and manufacturing. 

In essence, any internet-connectable product sold in Australia – unless explicitly exempted – must adhere to these evolving security standards.

Key Compliance Requirements for Manufacturers and Suppliers

Manufacturers and suppliers of IoT devices must now meet security requirements when selling products in Australia. The legislation states that products sold in Australia must comply with applicable security standards and further include a statement confirming this compliance. If a product fails to meet these standards, it cannot be supplied in the country. Additionally, all entities must fulfill any extra requirements outlined in the relevant security standards.

With this, the IoT landscape undergoes a significant shift: devices must now comply with fundamental security standards, similar to the regulations upheld in industries for original equipment manufacturers (OEMs) like construction or automotive. This move ensures a baseline level of user safety while strengthening cyber security resilience across sectors.

This will directly impact Smart Industries (IIoT) and end user consumer product resellers, requiring them to source products that meet these security standards. Moving forward, suppliers may seek to include compliance warranties in their agreements with manufacturers and distributors to ensure adherence.

The IoT landscape undergoes a significant shift: devices must now comply with fundamental security standards, similar to the regulations upheld in industries for original equipment manufacturers (OEMs) like construction or automotive. This move ensures a baseline level of user safety while strengthening cyber security resilience across sectors.

Addressing Misconceptions About IoT Security

IoT devices are often misunderstood as being limited to the hardware layer (e.g. sensors and physical devices at the edge). However, they are part of a broader IoT ecosystem with interconnected pillars:

Management Layer

The web and mobile applications used by administrators or users for remote management.

Cloud Layer

The powerful platform where information processing and storage occur.                       

Communication Layer

The communication protocols and networks that enable these layers to interact seamlessly.

Sensor Layer

The hardware of the physical device itself.

Each of these pillars is integral to the functionality and security of IoT devices. Weaknesses in any layer can lead to vulnerabilities that compromise the entire ecosystem, particularly against the backdrop of rising AI, botnets and mobile-malware. Zscaler’s ThreatLabz has reported a 45% Year-over-Year jump in IoT malware transactions blocked by their cloud platform. A recent example would be the vulnerabilities in the OvrC cloud PaaS, used by businesses and consumers for remote IoT device management, which exposed an estimated 10 million IoT devices. This would enable attackers to execute code on devices connected to the OvrC cloud remotely. This demonstrates how a vulnerability in the Cloud/Management layer can impact the Sensor Layer, leading to potential remote code execution (RCE).

Looking Ahead: Preparing for New Standards

While the specific security requirements under the Act are still being developed, the time to prepare is now. Manufacturers and suppliers must evaluate their products and processes to ensure readiness for compliance when the standards are introduced.

At Sekuro, we understand the complexity of IoT ecosystems and the challenges of meeting emerging security regulations. Our team of experts is here to help you navigate the evolving landscape, to ensure your organisation is prepared to meet the forthcoming requirements and stay ahead in the market.

Ready to Secure Your IoT Ecosystem?

As Australia pioneers a new era of IoT cyber security, staying proactive is key. Reach out to Sekuro today to learn how we can support you in securing your IoT ecosystem. Together, we can make your business safer and more resilient in an interconnected world.

Strategy and Architecture

We review your IoT DevSecOps practices and develop a roadmap for improvement.

Assurance Services

We evaluate your organisation’s security posture from a holistic people, process and technology perspective across different frameworks, standards and regulations. For example, ISA 62443 Part 4-1 – Secure Product Development Lifecycle Requirements.

Technical IIoT / IoT Assessments

We test and evaluate the complete IoT stack (Cloud, Web/Mobile, Hardware, Communications)

More Articles

Sekuro's Latest Insights

Compliance & Standards

Contact Us

Discover the Smarter Way to Transform Your Organisational Security – Connect with Our Experts Today.

Complete the form and we will get in touch within 24 hours.