Upon commencement of schedule 1 of the rules, manufacturers of products that can directly or indirectly connect to the internet (referred to as ‘relevant connectable products’) will be required to comply with the specified security standards if their products will be acquired by consumers in Australia. These standards include no universal default passwords, vulnerability reporting mechanisms and minimum security update periods. While the standards derived from the European Telecommunications Standards Institute (ETSI) aim to align Australia with international best practices for common security standards and secure-by-design principles, some obligations in the rules are more stringent, requiring more rigorous processes to ensure compliance.
The relevant connectable products subject to the rules are network- or internet-connectable devices that are either intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic or household use or consumption. Excluded are desktop computers, laptops, tablet computers, smartphones, therapeutic goods as defined by the Therapeutic Goods Act 1989, road vehicles as defined by the Road Vehicle Standards Act 2018, and road vehicle components as defined by the Road Vehicle Standards Act 2018.
The intended use is determined from material provided by the manufacturer, including labels, instructions for use, and promotional or sales materials, or from whether the device is of a kind likely to be used for personal, domestic or household purposes regardless of what the manufacturer states.
The manufacturer must provide a statement of compliance in accordance with the rules. The statement of compliance must accompany the supply of the relevant product, and a copy must be retained for five years by both the manufacturer and the supplier.
Who do the rules apply to?
The rules apply to ‘manufacturers’ of the relevant connectable product, broadly defined as anyone who:
- grows, extracts, produces, processes, or assembles goods;
- presents themselves to the public as the manufacturer;
- allows their name, business name, brand, or mark to be applied to goods they supply;
- permits another person to present them as the manufacturer in connection with the supply or promotion of goods; or
- imports goods into Australia if they are not the manufacturer and the actual manufacturer does not have a business presence in Australia.
Given this expansive definition, importers or suppliers may themselves be treated as the manufacturer, and so be subject to the security standards, where the actual manufacturer cannot be identified or has no business presence in Australia.
What are the requirements?
The Security Standards
- No universal default passwords:
Relevant connectable products must not ship with a universal default password, that is, a password shared across all units of a product. Each device must either have a password unique to that unit or require the user to set their own before use. This requirement targets the common attack path in which a published or easily guessed factory password gives unauthorised access to every deployed unit.
- Vulnerability reporting mechanism:
Manufacturers must provide a means to receive reports of security issues in their products. This includes a publicly available disclosure policy that gives contact details for reporting an issue and sets out timelines for acknowledging receipt and for providing status updates until the reported issue is resolved.
- Minimum security update periods:
Where a product's software or hardware is capable of receiving security updates, the manufacturer must publish the period during which security updates will be provided. The support period must be stated as a time frame with a specified end date and must be accessible, clear and transparent to users. Once published, the period cannot be shortened; it may be extended, in which case the new period must also be published.
A statement of compliance
A statement of compliance must accompany every relevant connectable product that is manufactured or supplied.
The statement must be prepared by the product's manufacturer in accordance with the rules and must meet the requirements specified in the relevant section. The rules do not explicitly require suppliers to produce their own statement, and it is reasonable to infer that a supplier may rely on the statement provided by the manufacturer. Where no statement is provided to the supplier, however, the supplier must produce its own to avoid breaching section 16(3) of the Act.
A copy of the statement must be retained for five years by both the manufacturer and the supplier.
What you can do to prepare:
- Entities intending to reuse their existing ETSI compliance processes should review and compare the obligations under both regimes so that the key differences are addressed. For example, the defined support period for security updates must be published in an accessible, clear and transparent manner: stated as a time frame with an end date, available without prior request, in English, and free of charge.
- Amend website disclosure pages to include relevant information (such as the defined support period) and also include a security vulnerability reporting capability and associated workflows to manage such disclosures in compliance with the legal requirements.
- Organisations should update their records retention policies to reflect the new requirement. The policy should identify the records to be retained (including statements of compliance), state the retention period (five years) and document how compliance is assured. Periodic audits of retention practices, staff training on the policy, and automated retention tooling all reduce the risk of a record being lost before the period expires.
- Manufacturers should establish a robust process for managing and delivering security updates, covering regular vulnerability assessment, patch development, and testing before deployment. A mechanism to notify users of upcoming security updates and of the end of the support period, whether by email, in-app message or push notification, is also important. If the support period is extended, the new period must be promptly published and communicated to users.
- Review supply agreements to ensure clear delineation of responsibilities for compliance between manufacturers and importers, distributors or other customer parties.