
No one likes to say it, but China is the cybersecurity elephant in the renewable energy room


People in Australia’s renewable energy industry are only too happy to chat about their Chinese supply chain, until the subject turns to cybersecurity and then it becomes a game of “guess who”.

China is the dominant supplier of solar panels, inverters and batteries to the Australian market of every size, and controls the manufacturing of much of what goes into wind turbines as well.

Panelists in a sparsely-attended discussion about cybersecurity at the Australian Clean Energy summit last week danced around He Who Must Not Be Named, but just as in the Harry Potter series it was clear who they were referring to.

One attendee confirmed that China’s dominance of the supply chain meant that it was also seen as the principal source of cybersecurity risk. But they only said that on the proviso they not be named.

“We know that foreign, hostile actors see Australia’s energy system as a good target,” Home Affairs assistant secretary for cyber security Sophie Pearce told the small, afternoon-on-the-last-day audience.

“We know that cyber vector is the most likely means of disrupting our energy ecosystem, and I think that the energy transition raises the stakes even further. Where we’re reliant on foreign investment and foreign supply chains, lots of opportunity there, obviously.

“When there’s a dependency on jurisdictions that might require or can compel access to data or access to systems, that increases the risks.”

The Australian Energy Market Operator (AEMO) is also aware of the risk created by a concentrated supply chain. 

Pearce Courtney handles cyber coordination for energy markets at AEMO, and while he says it’s maintaining visibility over the whole structure that keeps the organisation “up at night”, technology concentration risk is on the radar. 

“The other one… that’s the concentration on our technology,” Courtney said at the summit. 

“In terms of the technology and the devices and where we’re buying our supply chain. That’s probably the other challenge that doesn’t keep us up at night, that’s a significant, complex challenge.”

China controls 80 per cent of the global supply chain for all the manufacturing stages of solar panels, according to an International Energy Agency (IEA) report from 2022. A similar study from 2024 shows China has almost 85 per cent of global battery cell production capacity.

Australia has one solar panel maker in Tindo Solar, albeit with a goal to increase this with the Future Made in Australia plan, and a smattering of local battery makers such as Empower which manufactures at home and in Malaysia.

The call is coming from inside the house

Big wind, solar, storage and transmission projects are all potential attack sites, particularly because the length of time between design and construction could see radical changes in cybersecurity needs which may not be part of the original budget.

But the call may increasingly be coming from inside the house, thanks to Australians’ enthusiastic embrace of rooftop solar, home batteries and all things electric.

A combination of state- and regulator-mandated access points with woefully insecure small devices is building an open door for cyber attackers, says Darren Gladman, regulator manager for major equipment supplier SMA Australia.

“My god, small scale. We’ve just introduced an emergency backstop mechanism to turn everything off. If you wanted to make a hacker’s life easy, how could you have made it any easier?” he said during the panel session at ACES.

“The battery rebate, it’s great. However, it’s led to a lot of battery suppliers, a flood of batteries coming in. Some of these companies, when you look at their structure, they might be two or three people in Australia. They’re not thinking about cybersecurity. They’re trying to survive in a really competitive, cutthroat industry. 

“And then you’ve got on top of the backstop mechanism. You’ve got virtual power plants. You’ve got this space that lends itself to manipulation so easily, an industry that’s so competitive and so under-resourced that this is seen as a complete luxury, until you’re told that it’s not, and no one’s been told that it’s not.”

The federal battery rebate requires that all home batteries bought with the subsidy be VPP-enabled, and in Western Australia they must be connected to one. 

Energy projects bigger than 30 megawatts (MW) are required under the 2018 Security of Critical Infrastructure Act to have cybersecurity plans in place which must be passed down through the supply chain.  

This doesn’t always happen and it leaves a huge regulatory gap for the sub-30 MW end of the market and a “parallel universe” at the small scale end, Gladman says.

Attack on solar inverters an imminent threat

An attack on Australia’s distributed energy resources wouldn’t need to control many devices to disrupt the National Energy Market’s (NEM) 50 hertz frequency and create a Spain-like problem, a study partly funded by CSIRO said this year.

But to pull off such an audacious attack, that actor would need to have the capacity for careful planning, orchestration, and an understanding of energy markets.

The researchers, two from CSIRO’s specialist digital arm Data61, looked at the risk of a cyber attack on Australia’s wifi-connected household solar inverters.

They said an attack is becoming an “imminent threat”.

“The long lifespan of inverter devices, users’ oblivion of cybersecurity compliance, and the lack of cyber regulatory frameworks exacerbate the prospect of cyberattacks on smart inverters,” the four co-authors wrote. 

“As a result, this raises a question – do cyberattacks on smart inverters, if orchestrated on a large scale, pose a genuine threat of wide-scale instability to the power grid and energy market?”

The most likely target would be the NEM’s frequency, which needs to stay at 50 hertz to avoid large-scale blackouts and damage to any device connected to a power supply, the paper found.

In the year to 3 August, rooftop solar provided 12.8 per cent of electricity on the National Energy Market (NEM), or about the same amount as brown coal and wind, according to Open Electricity. 

For the SWIS in Western Australia, it was 20.1 per cent. 

And on a mid-winter day, it’s still a big contributor: in the 24 hours from 11am on Sunday, rooftop solar contributed 9.8 per cent of the electricity on the NEM, and 6 per cent in the SWIS from Saturday. 

“Digital asbestos”

Deloitte partner David Owen calls the plethora of cheap, insecure devices flooding into Australian homes “digital asbestos”, which one day someone will have to pay to remove.

Who will do that is the big question as consumers are unlikely to make a big investment in a new inverter if their now-vulnerable one still works. 

“Brother printers had this thing recently where they said there’s a whole range of vulnerabilities in Brother printers and the only real recommendation was to replace the printer,” he said. 

“My question would be, that’s great. Whose decision is it? Who pays? Because the consumer may say, well, actually, it still works so I’m not going to pay for it. So I think those are really interesting questions about who’s the root risk owner in that space.”

If a consumer may be unwilling to replace a piece of their home kit, then the responsibility for patching vulnerabilities is equally murky given how many entities now have access to, for example, a single rooftop solar system. 

The manufacturer likely has an API through which it can access the device, in most NEM states AEMO has or will have access as part of emergency backstop rules, and the device might also have a connection to a VPP.

But just as a homeowner or landlord is likely to baulk at forking out for a new inverter, owners of big generators, batteries and transmission infrastructure are also unlikely to be moved to replace a piece of equipment costing hundreds of thousands of dollars and coming with a lengthy supply timeline.

Rachel Williamson is a science and business journalist, who focuses on climate change-related health and environmental issues.
