The federal government has raised the prospect of a mandatory code of practice for securing consumer-grade IoT devices, nine months after putting a voluntary code in place.
In a discussion paper, the Department of Home Affairs said it is considering mandatory standards as part of a suite of reforms aimed at strengthening Australia’s cyber security posture.
If adopted, the standards would “require [device] manufacturers to implement baseline cyber security requirements for smart devices”, replacing the country's voluntary guidelines that were introduced in September 2020.
The discussion paper cites a review of industry uptake of the voluntary scheme, which showed that device makers had trouble implementing "high-level principles" and would prefer to meet an "internationally-recognised standard".
The review also found that while major brands "had good intentions to implement strong cyber security", it was much harder to "engage manufacturers from the lower-cost end of the market ... which suggests that our voluntary guidance is likely to have had less impact on that part of the market.”
In light of the new research, the department has proposed that Australia consider adopting the internationally recognised ETSI consumer IoT security standard, known as ETSI EN 303 645, for its domestic framework.
“The whole of the ETSI standard could be mandated or we could follow the footsteps of the UK and mandate only its top three requirements,” the discussion paper states.
“The former would ensure that all aspects of cyber security are captured through the standard, while the latter would capture the highest priority principles but would place less burden on industry in the short-term.”
While the department has proposed that the mandatory standards cover smart devices as defined by the ETSI standard, it has not ruled out extending the code to smartphones, as the UK has considered doing.
Modelling by the UK shows that the “probability of attacks on smart devices could be reduced by between 20 and 70 percent through a basic mandatory standard for smart devices".
The department added that any mandatory standards would need to be enshrined in new legislation, as there is “no convenient way to implement a standard for smart devices under current Australian laws”.
Separately, the department is weighing up whether to introduce either a “voluntary star rating labelling scheme” or a “mandatory expiry date label” that displays the length of time that security updates will be provided to a smart device.
A voluntary labelling scheme has already been introduced in Singapore and Finland, while the UK is looking to require manufacturers of smart devices to inform consumers about the support period at the point-of-sale.
The department said that introducing any mandatory labelling scheme for devices in Australia would be a world-first.