Written by Leon Poggioli, ANZ Regional Director at Claroty.
The proposed new cyber legislation and Australia’s cyber security strategy of 2030 sets a clear objective for making Australia a leader in cyber safety.
Of particular significance is the increased focus on (1) Systems of National Significance and (2) Mandatory minimum standards for consumer smart devices.
While these two areas may seem very separate, there is one key intersection that we believe warrants special attention: Smart home devices, which are controlled by electricity distributors for power grid stability.
The clearest example of this is in South Australia, where new home solar panel installations have required connectivity to SA Power Networks in order to remotely disconnect home solar systems in a case where grid supply outstrips demand.
As Australia’s National Electricity Market (NEM) continues to move towards increased use of renewable energy, it is anticipated that more remote grid operations will be required to balance supply and demand.
These solar inverters are typically considered to be smart home devices, but they are actually playing a vital role in Australia’s decarbonised energy future. In 2023, 38.6% of energy supplied by Australia’s NEM was from renewable sources (up from 26.6% in 2020), and this is expected to continue to grow, as new renewable energy sources are constructed and legacy power stations are retired.
The risk Claroty sees to devices like home solar inverters is that they are often many years old, and not front of mind for consumers to keep updated in the case of security vulnerabilities, which may be discovered by attackers in future and allow them to control thousands of similar devices and cause mass disruption to the power grid. Additionally, if the manufacturers of these devices go out of business, it will become difficult to ensure the ongoing support, maintenance, and security updates for the devices themselves, potentially leaving a void in the safeguarding mechanisms necessary to protect against emerging cyber threats.
This underscores the urgency of incorporating contingency plans and regulatory measures that account for the lifecycle of these devices, guaranteeing their resilience even in the face of unforeseen challenges such as corporate closures.
The solution Claroty proposes is for all smart devices involved in power generation to be included in the scope of critical infrastructure, so that any cyber risks can be identified and mitigated, most likely at the DNSP level. By addressing this risk, Australia will be able to progress towards a less carbon-intensive energy future without increasing the risk of a cyberattack impacting grid stability.
