ITCSAU - Advising Sovereignty in a Digital Age
Cybersecurity | Enterprise | 8 MIN READ

The cheap device in the expensive system

Australia's new smart-device baseline raises the floor for tomorrow's purchases. The legacy estate already on enterprise networks remains the board's problem to solve.

By Marc Mendis

In Brief

The smart-device standards under the Cyber Security Act 2024 lift the baseline for new connectable products entering Australia. They do not touch the cameras, sensors, controllers and access devices facilities teams and contractors already installed. Boards should treat the new floor as a prompt to confront the legacy estate, name an executive owner, and rewrite procurement specifications. Compliance is not a security posture when the riskiest devices entered the building before the rules existed.

The regulation lifts the floor, not the ceiling

Australia has moved smart-device security from voluntary guidance to a mandatory baseline. The standards that recently commenced under the Cyber Security Act 2024 track the international template set by ETSI EN 303 645 and the United Kingdom’s PSTI Act.

They require manufacturers, suppliers and importers of relevant connectable products to remove universal default passwords, publish a vulnerability-disclosure channel, and disclose the minimum period during which they will supply security updates. The duty spans the supply chain rather than resting on makers alone.

3 minimum security requirements set by the new baseline for connectable products entering the Australian market (Cyber Security Act 2024 smart-device standards, drawing on ETSI EN 303 645)

That step is meaningful and overdue, but narrow. The duty attaches to the next device a manufacturer ships into Australia. The estate already deployed across enterprise, health, energy and property environments sits entirely outside the new framework.

The ASD ACSC Annual Cyber Threat Report 2023-24 records a self-reported cybercrime cost of $49,600 per incident for medium businesses, with insecure device configurations and unmanaged exposed services among the recurring root causes. Boards reading the announcement as evidence the smart-device problem is being solved will draw the wrong conclusion at the wrong moment.

The cheap device, which a facilities line item or fit-out contractor bought a decade ago, remains the expensive problem the new law does not reach. It also remains a Privacy Act 1988 exposure where it captures personal information. The OAIC’s Notifiable Data Breaches Report for July to December 2024 attributes 38 per cent of notifications to malicious or criminal attack, a category in which compromised network-edge devices and unmanaged operational technology repeatedly feature alongside more familiar phishing and credential vectors.

Where the legacy estate actually lives

Across most large Australian organisations, the riskiest connected devices never crossed the CIO’s desk. Facilities managers procured them through building-management upgrades, security teams replaced camera fleets, capital-project managers fitted out new floors, and managed-service providers shipped environmental monitors inside broader contracts. Each transaction looked small at the time, yet the aggregate footprint runs into thousands of devices per large enterprise, and almost nobody has counted the total.

Figure: Security support ends years before the device leaves the wall. Typical physical service life against vendor security-update life, in years in service (0 to 16 on the axis):
Building-management controller: 3 yr security-supported, 15 yr service life
Networked IP camera: 3 yr security-supported, 10 yr service life
Environmental sensor: 2 yr security-supported, 8 yr service life
The difference between the two figures is the unsupported exposure window.

The recurring governance failure

Boards consistently encounter the same pattern across the legacy connectable estate: no complete inventory, no single executive accountable for patching and lifecycle, and a vendor security-support window that expires years before the device leaves the wall.

Consider an anonymised but typical case. An ASX-listed property operator commissioned a network review during the second quarter of FY24 for an unrelated reason, and the review surfaced roughly 1,800 building-management controllers, networked cameras and environmental sensors that fit-out contractors had installed across its portfolio over the preceding eight years. Approximately 40 per cent ran firmware versions the manufacturer had stopped supporting, sitting on a flat network segment alongside corporate workstations.

The operator had recorded no internal owner for the fleet, and the contractor rather than the operator retained the procurement records. Cameras and access readers also captured personal information that triggered Privacy Act 1988 obligations the CISO could not evidence. Management had drawn the technology-risk perimeter several years earlier around devices the IT function procured directly, and the review showed how thin that perimeter had become once facilities, fit-out and managed-service channels were considered together.

Nothing in that picture is unusual. The same conversation recurs in hospitals where biomedical and building systems share VLANs, in logistics operators where site-services contractors installed yard cameras, and in universities where a decade of capital works has accumulated networked controllers nobody has reconciled. Independent academic IoT research, including the work emerging from Macquarie University and CSIRO’s Data61 on consumer-grade device telemetry, consistently finds majority cohorts of deployed devices running outdated firmware or exposing default credentials in the field.

Compliance is not security

The temptation, once a regulatory baseline exists, is to treat it as the answer. The minimum requirements set a floor, not a security posture, and a device that clears that floor can still sit unmanaged and unpatched inside an enterprise, invisible to anyone who might secure it.

The buyer’s duty does not end at procurement, particularly for entities with overlapping obligations under SOCI Act risk-management programmes, the Essential Eight, APRA CPS 234 where financial services apply, and Privacy Act duties attached to cameras and access systems capturing personal information.

The new baseline versus an enterprise security posture

What the standard delivers
  • No universal default passwords on new devices
  • A published vulnerability-disclosure channel
  • Transparency on minimum security-support period
  • A common floor for new market entrants
What it does not deliver
  • Coverage of the installed base
  • Inventory of connected devices already deployed
  • Network segmentation to isolate unpatchable legacy systems
  • Retirement of devices past end-of-support
  • Named ownership across facilities and contractors

Support-period disclosure is the part of the new framework most worth board attention, and it is the sleeper lever buried inside an otherwise modest reform. For the first time, manufacturers must put a number on how long they will ship security updates, and that number, once published, can flow into procurement specifications, contractor schedules and capital-project acceptance criteria.

It converts a previously invisible risk, security end-of-life arriving years before physical end-of-life, into a contractual specification a board can mandate today without waiting for further legislation or regulator guidance.

The procurement perimeter has to be redrawn

The structural problem is that the technology-risk perimeter inside most organisations sits around the IT function. Facilities, property, security, operations and major-project teams operate outside it, and they remain the channels through which most connected devices enter the building. Redrawing the perimeter is governance work rather than technical work, and it cannot be delegated to the CISO alone without commensurate authority over procurement, contractor terms and capital-project acceptance.

Board moves available now without further regulation

Action | Owner | Timeline | Priority
Commission a connected-asset inventory across IT, facilities, security and capital projects | CIO with COO | 90 days | Critical
Assign a single named executive owner for every device category in the inventory | CEO | 90 days | Critical
Write security-support-period into all procurement specifications and contractor schedules | CPO with CISO | 120 days | High
Set a board-approved policy for isolating or retiring end-of-support devices | CISO with Risk Committee | 6 months | High
Bring contractor-procured technology inside the technology-risk perimeter through contract reform | General Counsel with CPO | 12 months | Medium

None of this requires waiting on the regulator. Each move is governance led, internally executed, and within the existing authority of the board’s risk and audit committees.

The Essential Eight controls organisations already attest against assume an inventory exists; SOCI-regulated entities owe duties of operational resilience they cannot discharge without one; and IRAP-assessed environments handling government data face explicit asset-management requirements under the Information Security Manual. The new baseline simply makes the conversation easier to start with procurement and facilities counterparts.

What the board should expect to hear

Directors should treat with scepticism any management report that frames the new standards as substantially closing the smart-device exposure. They should ask for the inventory, the named owners, the support-period gap analysis, and the retirement plan for devices whose vendor support has already lapsed. They should expect the first answer to come back incomplete, and require management to deliver the second answer ninety days later, with quantified progress on coverage, ownership and end-of-support retirement.

The new baseline raises the floor for tomorrow’s purchases. The legacy estate, accumulated through facilities and contractors over a decade, remains the board’s problem to solve.

The legacy device bought through a facilities line item has always been a governance question dressed as a procurement detail, and the Cyber Security Act 2024 has handed boards the vocabulary and the prompt to address it. The practical next step is concrete: commission the inventory, name the executive owner, and set the retirement policy at the next board cycle.

Questions for Leadership

Who is the named executive accountable for every connected device on our premises, including devices facilities teams and contractors procured?

Unowned devices are unpatched devices. Without a single accountable executive, lifecycle, patching and retirement decisions fall through the cracks between IT, facilities and operations.

Do we have a complete connected-asset inventory that includes contractor-installed and capital-project devices, and when did we last reconcile it?

Most enterprises cannot produce a defensible inventory of connectable devices. Inventory is the precondition for segmentation, patching, monitoring and end-of-support retirement.

How many devices on our network sit past their vendor's security-support window, and what is the plan to isolate or retire them?

Security end-of-life routinely arrives years before physical end-of-life. Without a retirement policy, unsupported firmware accumulates silently across building, security and operational systems.

Have we written security-support-period disclosure into our procurement specifications and contractor terms?

The new baseline forces vendors to disclose support periods. Boards can convert that disclosure into a binding procurement specification immediately, without waiting for further regulation.

Which categories of contractor-procured technology currently sit outside our technology-risk perimeter?

Building-management, fit-out and managed-service contracts routinely deploy networked devices that never enter the CISO's view. Boards must redraw the perimeter around those procurement channels.

The Bottom Line

This regulation only sets a minimum for what you buy next. It does nothing for the cameras, sensors and controllers already on the network, which is where the real risk lies. Someone has to own that existing fleet, know what is on it, and retire whatever the vendor no longer supports. Start at the next board meeting.

Frequently Asked Questions

What exactly do the new smart-device security standards require?

The standards commenced under the Cyber Security Act 2024 track the established international baseline set by ETSI EN 303 645 and the UK PSTI Act. They require manufacturers, suppliers and importers of relevant connectable products to eliminate universal default passwords, publish a vulnerability-disclosure channel, and disclose the minimum period for which they will provide security updates. The obligations apply to new products entering the Australian market and do not retroactively cover devices already deployed across enterprise, health, property or industrial estates.

Does the new baseline cover the devices we already have installed?

No. The standards govern products entering the market, not the installed base. Cameras, sensors, building-management controllers, environmental monitors and access devices that facilities teams, capital-project managers and contractors procured over the past decade remain outside scope. Boards cannot rely on the regulation to address legacy exposure. The legacy estate requires an internal programme covering inventory, ownership, patching cadence and retirement of devices whose vendor security support has already lapsed or will lapse before physical end-of-life.

Why is support-period disclosure described as the sleeper governance lever?

Support-period disclosure forces visibility on the gap between a device's physical service life and its security-supported life. A camera installed for ten years of physical use may receive only three years of firmware updates. Once disclosure becomes mandatory, boards convert it into a procurement specification: no device enters the estate without a documented support period and a planned retirement date. That single clause reshapes purchasing behaviour across facilities, capital projects and managed-service arrangements.

Is a compliant device a secure device?

No. The minimum requirements set a floor, not a security posture. A device meeting the baseline can still sit unpatched on the network long after the team that installed it has moved on. Compliance addresses the manufacturer's duty at point of sale. Security depends on inventory, network segmentation, patching discipline, monitoring and lifecycle retirement inside the buyer's organisation. Boards should resist any narrative that conflates the two; the regulation is a starting line for the supply side, not a finish line for the operator.

Where should a board start if the connected-asset inventory does not exist?

Start with the procurement channels rather than the network. Ask facilities, property, security, operations and major-project teams to list every category of networked device they have specified, installed or accepted from contractors over the past decade. Reconcile that against network discovery output. The gap is the shadow estate. Assign a named executive owner before commissioning any technical remediation. Ownership precedes inventory; inventory precedes segmentation; segmentation precedes a credible patching and retirement policy.
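The reconciliation described above (procurement-channel lists against network discovery output, with the gap as the shadow estate) and the support-period gap from the earlier FAQ (security end-of-life arriving years before physical end-of-life) can both be run as one script once the data is in hand. The following is an added example, not code from the article or from ITCSAU; the inventory, discovery output, MAC addresses, dates and the as-of date are all constructed, and it assumes each device can be keyed by its MAC address, which is what a discovery scan typically returns.

```python
from datetime import date

# Constructed sample data (not from the article): what each procurement channel
# says it installed, keyed by the device's network identity (MAC address).
PROCUREMENT_RECORDS = {
    "facilities": [
        {"mac": "00:11:22:aa:00:01", "category": "bms-controller",
         "installed": date(2016, 3, 1), "support_ends": date(2019, 3, 1),
         "service_life_years": 15},
    ],
    "fit-out-contractor": [
        {"mac": "00:11:22:aa:00:02", "category": "ip-camera",
         "installed": date(2021, 6, 1), "support_ends": date(2024, 6, 1),
         "service_life_years": 10},
        {"mac": "00:11:22:aa:00:03", "category": "ip-camera",
         "installed": date(2021, 6, 1), "support_ends": date(2024, 6, 1),
         "service_life_years": 10},
    ],
    "it": [
        {"mac": "00:11:22:aa:00:10", "category": "switch",
         "installed": date(2023, 1, 1), "support_ends": date(2030, 1, 1),
         "service_life_years": 8},
    ],
}

# Constructed network-discovery output: MACs actually observed on the estate.
# Two of them have no procurement record anywhere; one recorded camera is absent.
DISCOVERED = {
    "00:11:22:aa:00:01",
    "00:11:22:aa:00:02",
    "00:11:22:aa:00:10",
    "00:11:22:aa:00:77",
    "00:11:22:aa:00:78",
}

# Constructed as-of date for the support-window check.
AS_OF = date(2025, 7, 1)


def add_years(d, years):
    """Add whole years to a date, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def reconcile(records, discovered):
    """Return (shadow, stale): MACs seen on the network with no procurement
    record, and recorded MACs that discovery no longer sees."""
    recorded = {dev["mac"] for channel in records.values() for dev in channel}
    return sorted(discovered - recorded), sorted(recorded - discovered)


def support_gap(records, today):
    """For every recorded device, compute the window between vendor security
    support ending and planned physical retirement, and flag devices whose
    support has already lapsed as of `today`."""
    rows = []
    for channel, devices in records.items():
        for dev in devices:
            retire = add_years(dev["installed"], dev["service_life_years"])
            exposure = (retire - dev["support_ends"]).days / 365.25
            rows.append({
                "mac": dev["mac"],
                "channel": channel,
                "category": dev["category"],
                "unsupported": dev["support_ends"] < today,
                "exposure_years": max(round(exposure, 1), 0.0),
                "planned_retirement": retire,
            })
    return rows


def summarise(records, discovered, today):
    """Board-level numbers: coverage of the inventory, the shadow estate,
    and how much of the recorded fleet is already past vendor support."""
    shadow, stale = reconcile(records, discovered)
    gap = support_gap(records, today)
    recorded = len(gap)
    unsupported = sorted(r["mac"] for r in gap if r["unsupported"])
    return {
        "discovered": len(discovered),
        "recorded": recorded,
        "shadow_estate": shadow,
        "stale_records": stale,
        "unsupported_now": unsupported,
        "unsupported_pct_of_recorded": round(100.0 * len(unsupported) / recorded, 1),
    }


if __name__ == "__main__":
    for key, value in summarise(PROCUREMENT_RECORDS, DISCOVERED, AS_OF).items():
        print(f"{key}: {value}")
    for row in support_gap(PROCUREMENT_RECORDS, AS_OF):
        print(f"{row['mac']} {row['category']:<15} via {row['channel']:<19} "
              f"unsupported={row['unsupported']} exposure={row['exposure_years']} yr")
```

On the constructed data the script reports two shadow devices with no owner, one stale record (a camera the contractor listed that discovery no longer sees, which is itself a finding), and three of four recorded devices already outside vendor support, with the building-management controller carrying a twelve-year exposure window. The point of keying on the channel is that the report answers the board's question directly: which procurement route let the unsupported device in, and therefore who should own its retirement.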

Engage the Advisors

If your organisation is approaching a significant strategic decision, or questioning the value of current investments, we should talk. Strategic counsel at the right moment can redirect significant capital toward genuine business value.
