91³ÉÈ˰涶Òô

The Internet of Things (IoT) is revolutionising the way we live and work, connecting everything from household appliances to critical infrastructure systems. However, the rapid proliferation of IoT devices introduces serious cyber security risks. Many devices lack basic security protections, making them vulnerable to cyber threats, including botnets, data breaches, and system takeovers.

A well-documented example is the 2016 Mirai botnet attack, which exploited insecure IoT devices to launch a Distributed Denial of Service (DDoS) attack, disrupting major online services. These incidents highlight the urgent need for robust IoT security measures.

Current regulatory landscape

The Australian Government has taken steps to address IoT security, including the , which mandates manufacturers to provide a statement of compliance outlining device security measures.

However, enforcing compliance remains a challenge. Without strong enforcement mechanisms, manufacturers may prioritise cost savings over security, leaving businesses and consumers vulnerable.

The Manufacturer Usage Description (MUD) Standard 

The MUD standard, developed by the Internet Engineering Task Force (IETF), requires manufacturers to declare the expected behaviour of their devices. This allows network operators to enforce policies that limit unnecessary or potentially harmful device communications.

Key Benefits of MUD:

• Locks down authorised communications by restricting devices to expected network behaviours.

• Reduces attack surfaces by preventing unspecified connections.

• Minimises security costs by shifting protection to network operators instead of manufacturers.

Implementation of MUD Policies:

• For Large Organisations (e.g., government agencies and infrastructure operators): Network administrators can configure switches and routers to enforce security policies based on known MUD profiles.

• For 91³ÉÈ˰涶Òô Networks: Internet Service Providers (ISPs) can offer managed security services, applying MUD-based protections at home network gateways.

This approach does not require modifications to devices, making it a low-cost, high-impact solution. That said, device-level protections can complement network-level approaches, further enhancing overall security.

Case study: Enhancing IoT security with MUD

Consider a government department deploying 7,000 security cameras across its facilities. With MUD implementation:

• The expected behaviour of each camera is defined, enforced, and monitored.

• Any anomalous activity (e.g., receiving commands or sending data to servers outside Australia) triggers an alert, enabling rapid threat mitigation.

• Network policies automatically block any unauthorised communication.

This model ensures security without requiring costly modifications to individual cameras.

Implementation and enforcement strategy

To achieve widespread adoption of network-level security, a phased enforcement strategy is recommended:

1. Stage 1 (2025-2026): Awareness and education for manufacturers and network operators.

2. Stage 2 (2026-2027): Voluntary adoption of MUD, with government incentives (e.g., procurement preferences for compliant manufacturers).

3. Stage 3 (2027-2028): Regulatory enforcement requiring IoT manufacturers to comply with published security expectations.

Additionally, third-party certification bodies could verify manufacturer compliance, similar to existing testing frameworks for telecommunications and mobile devices.

Conclusion

IoT security is a pressing challenge that demands proactive policy measures. While device-level security is costly and difficult to enforce, network-level security offers a viable, scalable alternative. By mandating MUD adoption, the Australian Government can:

• Enhance IoT security in public and private sectors.

• Protect national infrastructure from escalating cyber threats.

• Position Australia as a global leader in cyber security policy.

A secure IoT ecosystem will strengthen national resilience, safeguard businesses and consumers, and set a benchmark for international best practices.

Recommended reading

For further insight into IoT security and regulatory frameworks, we recommend the following documents:

•  – A technical overview of the MUD standard and its practical applications.
•  – Policy recommendations and regulatory insights for improving national cyber security.
• ).Ìý

Glossary

2016 Mirai Botnet Attack

The 2016 Mirai botnet attack was a large-scale cyber attack that leveraged vulnerabilities in Internet of Things (IoT) devices to create a botnet. The botnet, known as Mirai, infected thousands of IoT devices with weak security settings, such as default passwords and open ports, and used them to launch a Distributed Denial of Service (DDoS) attack against major websites and online services. The attack disrupted services such as Twitter, Netflix, and Reddit, highlighting the risks of unsecured IoT ecosystems.