Gov pledges to mandate IoT cyber security standards

The federal government has pledged to enshrine minimum cyber security standards for consumer-grade IoT devices in law, replacing the voluntary guidelines that have been in place since late 2020.

But it has decided against introducing a “mandatory expiry date label” that displays the length of time that security updates will be provided to a smart device.

Home Affairs minister Karen Andrews made the election pledge this week, promising the new measures to protect IoT devices at a time when their use continues to grow in homes.

“The smart device market is growing rapidly but devices are not always secure,” she said in a statement on Thursday.

“Overseas hackers have been able to steal personal information by remotely accessing the very devices victims bought to protect their homes.”

A mandatory code of practice for IoT devices has been on the cards since July 2021, when the Department of Home Affairs first raised the prospect as part of a consultation.

The consultation followed a review that found device makers had trouble implementing “high-level principles” in the voluntary code and would prefer to meet an “internationally-recognised standard”.

At the time, the department proposed adopting the internationally recognised ETSI consumer IoT security standard, known as ETSI EN 303 645, for its domestic framework.

“The whole of the ETSI standard could be mandated or we could follow the footsteps of the UK and mandate only its top three requirements,” the discussion paper states.

Andrews on Thursday said the minimum cyber security standards were expected to be aligned to those in the United Kingdom to “reduce the cost and regulatory burden on industry”.

The voluntary labelling scheme, meanwhile, will be “co-developed with industry”, as other countries have done.

The department has previously said that any mandatory standards would need to be enshrined in new legislation.