Data breach: Energy industry is now one of the major targets for cyber attack

The threat of cyber attacks on Australia’s energy industry and infrastructure is rising, a new report has found, with the sector breaking into the top 10 most attacked rankings in 2022.

According to the annual threat report from cyber spy outfit the Australian Signals Directorate, there was a cluster of strikes on energy companies and infrastructure in 2022, in amongst the major cyber attacks on Medibank, Optus and others that dominated news headlines.

Energy Australia outed itself in October, AGL in December, and the Australian Signals Directorate (ASD) says an unnamed energy provider was also attacked but its existing security worked as intended.

The hacking risk to Australia’s evolving energy infrastructure is growing, experts say. Indeed, the electricity sector broke into the top 10 most attacked industries for the first time in 2021-22, according to the ASD.

But to date the widening array of technologies, from virtual power plants to Internet of Things sensors, hasn’t been the security risk long feared – even in the US, people who want to bring down the grid prefer physical attacks over cyber attacks.

And yet the risk is real and, as major corporations found last year, ignoring that risk can lead to catastrophic outcomes.

“The cybersecurity of older energy technologies and infrastructure in Australia is a growing concern. Many of these technologies were not designed with cybersecurity in mind, and they lack the modern security features that are built into newer systems,” says Doris Spielthenner, managing director of solar company SMA Australia.

Some companies are taking the threat seriously: Origin Energy went public with its bug bounty program in June last year, while suppliers such as Siemens are offering bespoke security software platforms that can handle distributed energy technologies.

The risky business areas

An Energy Networks report identifies four key areas that could be vulnerable to cyber attacks: the grid itself and the components in it, such as substations; the systems used to control it; the increasing volumes of sensitive data companies are gleaning from customers; and the integration of distributed technologies.

Spielthenner says security by design and default combined with good usability will be the baseline security measures in future.

“There is a trend that newer technologies come with more security features. That said, the newer infrastructure has a lot more IOT devices linked to a larger energy or asset management system and is more heterogeneous, where it becomes harder to understand which devices come with security features,” she told RenewEconomy.

“Installer training sessions will additionally help to get a good baseline and to ensure PV and network communication systems are correctly configured. We also need to raise awareness of the potential threat. Consumers, households or businesses should be aware of potential risks.”

New forms of decentralised technology such as virtual power plants would be an “interesting” vector for an attack, or for distributed attacks on assets such as solar PV inverters owned by residential and business solar customers.

Cloud services that haven’t been properly secured and a reliance on outside vendors and contractors for both IT services and operational technology, such as smart meters and gateway controllers, are potential weak points if those third parties’ security isn’t up to scratch.

But it is delayed upgrades to security systems that have brought Australia closest to a worst-case cyber attack on energy infrastructure.

In 2021, Russian ransomware group Conti hit state-owned CS Energy in Queensland.

The attack came close to affecting CS Energy’s network operations because the company had not yet physically separated its corporate and operational systems, something it should have done years earlier, said Ralph Langer, CEO of cyber security firm Langer, in a statement at the time.

Heading attackers off with regulation

The proliferation of distributed energy resources is set to leave Australia’s power sector further exposed to cyber risk, but the government is moving to force or otherwise encourage the energy sector to shore up its defences.

The main piece of legislation is the 2018 Security of Critical Infrastructure Act (SOCI), which imposes cyber security obligations on the owners of said critical infrastructure.

For energy, that means generators that have an installed capacity of at least 30 megawatts (MW) and are connected into the National Energy Market. Both the operator and owners with more than a 10 per cent interest in that generator have “registration obligations” under SOCI, says Matt Baumgurtel, the new energy lead at law firm Hamilton Locke.

A SOCI amendment last year means “enhanced” cyber security obligations include developing incident response plans to prepare for a cyber security incident; running exercises to prepare for attacks; doing vulnerability assessments to find weak points; and providing system information to develop and maintain a near-real time threat picture.

But if the cost of compliance is registering an asset as critical infrastructure and setting up a risk management plan, there is also a cost for non-compliance.

“The penalties imposed on the responsible entity or direct interest holder of a Critical Electricity Asset differ depending on the nature of the non-compliance. This ranges from a penalty of $13,750 for failing to provide information under sections 23 and 24, to $55,000 for, amongst others, not adopting, complying or maintaining the necessary risk management programs,” Baumgurtel told RenewEconomy.

Other fines include a penalty of up to $222,000 for companies for not adopting and maintaining a risk-management program.

“The biggest risk of cyberattacks is likely to be to critical infrastructure, such as transport, telecommunication and energy. It therefore makes sense that the SOCI Act is drafted to secure these types of assets. This sector is undergoing rapid development and we are expecting to see additional compliance requirements in the next couple of years,” he says.

Spielthenner thinks the next step is to target the likes of retailers and virtual power plants in order to lift security standards from the ground up.

“We urgently need a national harmonisation of general energy regulations, creating homogeneity among DNSP and IOT devices or cloud-based solutions being introduced, for example as part of the dynamic export regulations,” she says.

Rachel Williamson is a science and business journalist, who focuses on climate change-related health and environmental issues.
