IoT Security: Protecting the Connected Enterprise
New security standards for smart devices are now in force and for many organisations across Australia, the clock is already ticking.
The Cyber Security (Security Standards for Smart Device) Rules 2025 commenced on 4 March 2026, following a 12-month transition period, and require that most smart devices intended for personal, domestic or household use now meet new minimum cyber security requirements.
Under the new rules, manufacturers and suppliers must meet clear, practical obligations that uplift the baseline cyber security of smart devices.
These include:
No universal default passwords.
Manufacturers publish a means to report security issues.
Manufacturers publish information about how long the device will be supported for.
At the same time, the convergence of operational technology (OT) and IT is accelerating across manufacturing plants and utility networks. Sensors, edge devices, control systems and cloud platforms are no longer siloed – they are interconnected, data-driven and increasingly mission-critical.
This creates a clear opportunity: smarter operations, real-time visibility and improved efficiency. But it also introduces a growing attack surface – one that traditional IT security models were never designed to handle.
In manufacturing and utilities, where uptime, safety and compliance are non-negotiable, an unsecured IoT environment is no longer just a technical risk; it is a business risk.
New IoT regulation is here, act now
With IoT security standards now enforceable, organisations that haven’t prepared will be forced into reactive and costly remediation.
Three factors are driving urgency:
Expanding attack surface: Every connected device – from industrial sensors to smart meters – is a potential entry point. Many lack built-in security or are difficult to patch at scale.
OT/IT convergence risk: As IT and OT environments integrate, threats can move laterally from enterprise systems into critical infrastructure. What was once isolated is now exposed.
Regulatory pressure: Upcoming standards will formalise expectations around device security, identity, access control and lifecycle management. Non-compliance will carry financial and operational consequences.
The organisations getting ahead now no longer treat IoT security as a bolt-on; they design it into the architecture from day one.
How to secure the connected edge
A secure IoT deployment in a manufacturing plant or utility environment is built on three principles: visibility, control and resilience.
Full asset visibility: Businesses cannot secure what they cannot see. Start with a comprehensive inventory of all connected devices across OT and IT environments – including legacy systems. This forms the foundation for risk assessment and policy enforcement.
Zero-trust access at the edge: Every device, user and system interaction should be authenticated and authorised. Default credentials, open ports and flat networks are no longer acceptable. Network segmentation – particularly between IT and OT – is critical to limit lateral movement.
Secure-by-design device strategy: Procurement decisions must prioritise security. This includes device identity, firmware integrity, encryption standards and vendor support for ongoing patching. Retrofitting security after deployment is significantly harder.
Continuous monitoring and response: IoT environments do not operate 9-5. Threat detection and response must be always-on. Integrating IoT telemetry into broader security operations – including managed detection and response (MDR) – ensures anomalies are identified early.
Lifecycle management and compliance alignment: From deployment to decommissioning, devices must be managed securely. This includes regular patching, configuration management and alignment with emerging regulatory standards.
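As an added illustration (not tooling from this post or from any vendor), the Python below runs a baseline audit over a constructed device inventory. It encodes the three obligations listed earlier (no universal default password, a published security-reporting channel, a published support period) together with the inventory, IT/OT segmentation and patch-lifecycle points from the five principles above. The Device fields, the default-credential list, the IT/OT zone model and every record in the inventory are assumptions made for the example.

```python
"""Baseline IoT device audit over a constructed inventory.

Added example for this post; it is not the post's own tooling or any vendor's.
It encodes the three baseline obligations the rules describe (no universal
default password, a published security-reporting channel, a published support
period) plus the inventory, segmentation and patch-lifecycle points from the
"visibility, control and resilience" principles. Device records, the
default-credential list and the IT/OT zone model are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed set of vendor-default credential pairs; a real audit would use
# the organisation's own list built from vendor documentation.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}


@dataclass
class Device:
    name: str
    zone: str                              # "IT" or "OT" (constructed model)
    vlan: int                              # network segment the device sits on
    credential: Tuple[str, str]            # (username, password) currently set
    security_contact: Optional[str]        # vendor's published reporting channel
    support_until: Optional[date]          # vendor's published end of support
    last_patched: Optional[date]           # last firmware/security update applied
    open_ports: List[int] = field(default_factory=list)


def check_device(dev: Device, today: date, max_patch_age_days: int = 90) -> List[str]:
    """Return the baseline findings for one device (empty list = compliant)."""
    findings = []
    if dev.credential in DEFAULT_CREDENTIALS:
        findings.append("default credentials in use")
    if not dev.security_contact:
        findings.append("no published security contact")
    if dev.support_until is None:
        findings.append("no published support period")
    elif dev.support_until < today:
        findings.append("past end of support")
    if dev.last_patched is None or (today - dev.last_patched).days > max_patch_age_days:
        findings.append("patch overdue")
    if 23 in dev.open_ports:  # cleartext management service still reachable
        findings.append("telnet (23) exposed")
    return findings


def shared_vlans(devices: List[Device]) -> List[int]:
    """VLANs carrying both IT and OT devices: a flat path for lateral movement."""
    zones_by_vlan: Dict[int, set] = {}
    for dev in devices:
        zones_by_vlan.setdefault(dev.vlan, set()).add(dev.zone)
    return sorted(v for v, zones in zones_by_vlan.items() if {"IT", "OT"} <= zones)


def audit(devices: List[Device], today: date) -> Dict[str, object]:
    """Per-device findings plus the segmentation check, as one report."""
    return {
        "devices": {dev.name: check_device(dev, today) for dev in devices},
        "shared_vlans": shared_vlans(devices),
    }


# Constructed inventory; names, contacts and dates are illustrative only.
AUDIT_DATE = date(2026, 3, 4)  # the commencement date quoted in the post
INVENTORY = [
    Device("plc-line-1", "OT", 10, ("operator", "kT9#vLq2!pWz"),
           "security@vendor-a.example", date(2028, 1, 1), date(2026, 2, 1)),
    Device("hmi-packaging", "OT", 20, ("admin", "admin"),
           None, None, date(2025, 6, 1), open_ports=[23, 80]),
    Device("erp-app-01", "IT", 20, ("svc-erp", "R4nd0m-L0ng-S3cret"),
           "security@vendor-b.example", date(2029, 1, 1), date(2026, 3, 1)),
    Device("smart-meter-42", "OT", 30, ("root", "root"),
           "psirt@vendor-c.example", date(2025, 12, 31), None),
]

if __name__ == "__main__":
    report = audit(INVENTORY, AUDIT_DATE)
    for name, findings in report["devices"].items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
    print("VLANs shared by IT and OT:", report["shared_vlans"])
```

In this constructed inventory the PLC and the ERP host pass, the packaging HMI fails every check, the smart meter is past its published support date, and VLAN 20 is flagged because it carries both an OT device and an IT device; in practice the inventory would be fed from the asset discovery described under full asset visibility, and the findings would drive the procurement and patching decisions under the secure-by-design and lifecycle principles.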
Understand exposure and act with urgency
The goal is not simply to meet a mandate, but to build a connected enterprise that is secure, resilient and fit for scale.
For utilities and manufacturers, this means protecting critical infrastructure, maintaining operational continuity and enabling innovation without introducing unacceptable risk.
But most organisations underestimate their IoT risk profile.
A structured IoT security audit provides clarity – identifying vulnerabilities across devices, networks and architectures, while mapping a practical path to compliance and resilience.