Australia’s Cyber Security Act 2024 (the Act) represents a major milestone in addressing the ever-evolving challenges of cyber security in today’s digital landscape. By establishing measures such as mandatory ransomware reporting and the creation of a Cyber Security Incident Review Board, the Act underscores the nation’s commitment to enhancing cyber security. However, this article will focus on the section of the Act that addresses the establishment of security standards for smart devices, setting a new benchmark for Internet of Things (IoT) security.
A New Era for IoT Device Security
Under the new legislation, the Secretary of the Department of Home Affairs is empowered to commission independent audits to verify compliance with security standards. In cases of non-compliance, the Secretary can issue compliance notices, stop notices, or even recall notices, which may be made public to inform consumers and stakeholders.
This focus targets “relevant connectable products” within the IoT ecosystem. These products range from smart white goods such as connected fridges, network-enabled baby monitors and robot vacuum cleaners, to Industrial Internet of Things (IIoT) devices and systems installed in smart cities and industries, such as smart meters, smart traffic management systems and industrial robotics for precision tasks and manufacturing.
In essence, any internet-connectable product sold in Australia – unless explicitly exempted – must adhere to these evolving security standards.
Key Compliance Requirements for Manufacturers and Suppliers
Manufacturers and suppliers of IoT devices must now meet security requirements when selling products in Australia. The legislation states that products sold in Australia must comply with the applicable security standards and include a statement confirming that compliance. If a product fails to meet these standards, it cannot be supplied in the country. Additionally, all entities must fulfil any extra requirements set out in the relevant security standards.
With this, the IoT landscape undergoes a significant shift: devices must now comply with fundamental security standards, similar to the regulations upheld in industries for original equipment manufacturers (OEMs) like construction or automotive. This move ensures a baseline level of user safety while strengthening cyber security resilience across sectors.
This will directly impact smart industries (IIoT) and end-user consumer product resellers, requiring them to source products that meet these security standards. Moving forward, suppliers may seek to include compliance warranties in their agreements with manufacturers and distributors to ensure adherence.
Addressing Misconceptions About IoT Security
IoT devices are often misunderstood as being limited to the hardware layer (e.g. sensors and physical devices at the edge). However, they are part of a broader IoT ecosystem with interconnected pillars:
Management Layer
The web and mobile applications used by administrators or users for remote management.
Cloud Layer
The powerful platform where information processing and storage occur.
Communication Layer
Sensor Layer
Each of these pillars is integral to the functionality and security of IoT devices. A weakness in any one layer can introduce vulnerabilities that compromise the entire ecosystem, particularly against the backdrop of rising AI-driven attacks, botnets and mobile malware. Zscaler’s ThreatLabz has reported a 45% year-over-year jump in IoT malware transactions blocked by their cloud platform. A recent example is the set of vulnerabilities in the OvrC cloud PaaS, used by businesses and consumers for remote IoT device management, which exposed an estimated 10 million IoT devices. These vulnerabilities would enable attackers to remotely execute code on devices connected to the OvrC cloud. This demonstrates how a vulnerability in the Cloud or Management layer can reach down to the Sensor layer, leading to potential remote code execution (RCE) on the devices themselves.
Looking Ahead: Preparing for New Standards
While the specific security requirements under the Act are still being developed, the time to prepare is now. Manufacturers and suppliers must evaluate their products and processes to ensure readiness for compliance when the standards are introduced.
At Sekuro, we understand the complexity of IoT ecosystems and the challenges of meeting emerging security regulations. Our team of experts is here to help you navigate the evolving landscape, to ensure your organisation is prepared to meet the forthcoming requirements and stay ahead in the market.
Ready to Secure Your IoT Ecosystem?
As Australia pioneers a new era of IoT cyber security, staying proactive is key. Reach out to Sekuro today to learn how we can support you in securing your IoT ecosystem. Together, we can make your business safer and more resilient in an interconnected world.
Strategy and Architecture
We review your IoT DevSecOps practices and develop a roadmap for improvement.
Assurance Services
We evaluate your organisation’s security posture from a holistic people, process and technology perspective across different frameworks, standards and regulations. For example, ISA 62443 Part 4-1 – Secure Product Development Lifecycle Requirements.
Technical IIoT / IoT Assessments
We test and evaluate the complete IoT stack (Cloud, Web/Mobile, Hardware, Communications).
Nicolas Brahim
Principal Consultant and OT Specialist, Sekuro
Nico leads Sekuro’s Cyber Resilience Program and Operational Technology (OT) cyber security, ensuring continuous support and effective program execution for our clients. With over a decade in the security industry, including the creation and leadership of several Security Programs for IT and OT across Australia, New Zealand, Argentina, Chile and the US, his core philosophy emphasises an equal balance of people, process, and technology in delivering actionable and simple solutions.