Tell me in a minute
Cyber security considerations are increasingly critical in the management of consumer energy resources (CER). Technological changes to CER and their increasing integration into Australia’s evolving energy system have contributed to increasing decarbonisation and lowering aggregate energy costs. These changes can, however, also introduce various cyber security vulnerabilities that have the potential to seriously disrupt our energy sources.
In this article, we discuss the cyber security vulnerabilities inherent in CER networks and offer insights into how to mitigate the legal risks associated with internet-connected CER, CER supply chains and CER infrastructure. We consider the existing standards and regulatory regimes that apply to CER and draw on case studies to provide practical insights and lessons that have been learned from cyber security incidents in the energy sector.
This is the fourth article in our five-part series on CER, which collectively explore the emerging opportunities and challenges associated with the uptake of CER in Australia from a tech law perspective.
Our first article of the series is available here. You can read more about the associated data and privacy risks here and the AI and automation risks here.
CER participation is rising… and so are cyber security risks
AEMO expects that around 50% of consumers, including large businesses, will use some form of CER to participate in the demand side of the National Electricity Market by 2030.[1] While CER represent a positive advancement for electricity and clean energy systems, technological advancements and the growing interconnectivity of CER systems with the electricity grid have expanded the potential for cyberattacks to impact electricity networks.
Malicious cyberattacks pose an increasing risk to Australia’s security. Cyberattacks are a growing industry, and according to the Australian Signals Directorate, the most frequently reported critical infrastructure sectors facing cyber security incidents are electricity, gas, water and waste services (30%), and malicious cyber activity against critical infrastructure systems is persistent.
The consequences of a cyberattack in the sector are meaningful
According to Distribution Network Service Provider (DNSP) Ausgrid, in its submissions to the federal government’s Cyber Security Strategy 2023-2030 Discussion Paper, the influx of CER connecting to electricity networks ‘potentially provide[s] millions of entry points for cyber threats to infiltrate electricity networks and disrupt the supply of energy to customers’. In the event of a cyberattack, Ausgrid estimates that the economic impact could be over 2.9 billion dollars per day.[2]
Unlike cyberattacks whose effects are confined to IT systems, a cyberattack on CER has physical consequences, including power outages and fires, presenting threats to national security, economic prosperity and to life.
The technological advancement of CER has increased the cyber risks
Technological advancements and the growing interconnectivity of CER systems with the internet and electricity grid have expanded the potential for cyberattacks to impact electricity networks.
Historically, CER were not connected to the internet and therefore posed a relatively lower cyber security risk. However, now most CER are connected to the internet for monitoring and control purposes. Most solar inverters now, for example, are connected to the internet, which enables users to access real-time data about how their solar panels are performing via an app, but also exposes them to increased cyber threats.
The key cyber security risks associated with CER are:[3]
- unauthorised access and control of CER;
- data breaches;
- malware (where a threat actor introduces malicious software to gain unauthorised access to a system, including embedding code into a CER device that can spread malware into connected power systems[4]) and ransomware attacks (exploiting vulnerabilities in software, firmware or network infrastructure);
- communication network vulnerabilities leading to attacks such as denial-of-service and man-in-the-middle (if the communication infrastructure is not secure);
- supply chain compromise (discussed below);
- lack of standardisation and patch management (resulting in security gaps and challenges in applying patches and updates across diverse systems); and
- device (physical layer) vulnerabilities.
Case studies of cyber security risks in the CER sector
Supply chain and infrastructure vulnerabilities
There are several supply chain and infrastructure vulnerabilities resulting from increasingly interconnected systems. For example:[7]
AEMO’s systems rely on real-time data on the status of critical power system components, outputs from generators, power flows on transmission networks and voltages across the NEM [National Electricity Market] network. AEMO’s systems depend on highly reliable and secure communication networks. AEMO also uses internet connectivity for lower security purposes, which increases its vulnerability.
Supervisory control and data acquisition (SCADA) systems previously used dedicated networks to transmit control signals to generators. However, some modern SCADA systems are using the internet for that purpose, which makes them vulnerable to cyber attacks.
….
Smart grids, smart meters and smart appliances use software-based components and are connected to open networks for communication and control.
Energy service providers, vendors and electricity users are less likely to have stringent cyber security protocols on their corporate systems. They can be easy targets because they provide an entry point to other control networks and access to sensitive information.
See https://www.energy.gov.au/sites/default/files/2024-07/national-consumer-energy-resources-roadmap.pdf page 18.
Source: Independent Review into the Future Security of the National Electricity Market (Figure 2.2: Basic representation of the key dimensions in cyber security relevant to the electricity system)
Cyber security standards for CER in Australia are currently being developed, but there are resources available in the interim
Standards Australia has mapped various existing standards that are relevant to the cyber security risks of CER.[8] While some standards (such as the IEC 62443 series relating to cyber security for industrial automation and control) may have some application to CER, Standards Australia concluded that the Australian CER market lacks technical specifications providing targeted guidance for CER in Australia, and that the Australian market would likely benefit from certain international standards being adapted or modified for use in Australia. We are expecting:
- Standards Australia to release technical specifications for CER cyber security that are specific to Australian technologies and markets in 2026;[9]
- voluntary standards that the AEMC reports will be available in 2027;[10]
- standards for CER cyber security to be delivered under the 2023-2030 Australian Cyber Security Strategy and Action Plan by 2030.[11]
While we wait for these standards, one key resource already available to participants in the Australian CER market is AEMO’s Australian Energy Sector Cyber Security Framework (AESCSF): a tailored cyber security framework for the Australian energy sector developed through a collaboration between AEMO, industry and government stakeholders. The AESCSF aims to assist energy participants across the electricity, gas and liquid fuels sub-sectors to assess, evaluate, prioritise, and improve their cyber security capability and maturity, and comprises a set of security practices that align with existing Australian policies and guidelines, including the Australian Privacy Principles and the Security of Critical Infrastructure Act 2018 (SOCI Act). An AESCSF Version 2 Lite has been co-developed with the Australian Signals Directorate and the energy sector to provide guidance to the CER community.[12]
While the AESCSF is a cyber security framework aimed at the broader energy sector, its principles and guidelines are relevant to CER that play a larger, more critical role in the energy market through their integration into the electricity grid. As the AESCSF is not prescriptive in methodology – focusing on what an organisation should strive to achieve rather than how to achieve it – operators of large-scale CER will need to independently assess themselves against the AESCSF and implement the appropriate organisational and technical measures to achieve the AESCSF’s cyber security outcomes. Australian energy sector organisations can also participate in the AESCSF Annual Program of Assessment, which is designed to give participants clarity over their organisation’s areas of cyber-related strength and weaknesses. The program’s focus for 2025 is on CER.[13]
Mitigating cyber security risks associated with CER
The cyber security threat landscape and case studies together demonstrate the increasing importance of implementing and maintaining appropriate up-to-date technical and organisational measures, including:
- proactively implementing cyber security preventative measures, including adopting a cyber security framework tailored to the specific risks associated with CER, and conducting regular vulnerability assessments and penetration testing;
- factoring cyber security capabilities and qualifications into third party procurement;
- having adequate resourcing to perform business continuity management and training employees with cyber security responsibilities;
- reviewing the security of physical CER devices and implementing stronger authentication controls for high-risk access (e.g. multi-factor authentication);
- separating critical networks from corporate and external networks to limit attackers’ access; and
- sharing timely and actionable cyber security intelligence with AEMO and other regulatory bodies, to help facilitate early detection of cyber security threats and enable pre-emptive measures to mitigate the risk of compromise.
Organisations should remain up to date with the latest cyber security guidelines, standards and regulatory regimes that either directly or indirectly apply to CER.
In particular, we recommend that organisations in the CER ecosystem proactively self-assess against the AESCSF and any other applicable frameworks and standards as they emerge to ascertain any critical security gaps or vulnerabilities in their existing cyber security systems.
The final article in this series
In the final article in this series, we will be discussing CER and contracting.
Please reach out if you have any questions about CER in the meantime.