The energy transition is changing the way we generate, store, transmit and distribute energy across Australia, leading to new concerns around energy security and stability. Adversaries continue to rise as a strategic threat, as both criminals and nation states leverage cyber vectors for financial gain or to cause disruption. So, how does this change the risk landscape?
The energy transition is reshaping the asset mix as renewables, like solar, wind, hydro and battery storage, come online to replace legacy assets such as coal-fired power stations. Billions of dollars have already been invested in generation, storage and firming assets, with a committed pipeline of 106 generation and 33 battery-storage projects [1] underway, totalling over $28bn of capital investment. In addition to grid-scale projects are domestic solar systems, which are installed on approximately one third of Australian households, equating to 3.2m systems [2]. The scale of assets and their locations present a far more complex system than contemplated by original grid architecture models.
From a cyber perspective, this transition presents an emerging landscape that has more assets to protect, with many more interfaces and points of attack. As we move towards 2030, the increasingly uncompetitive economics of operating a coal-fired plant (caused by the influx of renewables) is driving an earlier-than-anticipated, and accelerating, decommissioning of legacy assets, leaving energy security increasingly dependent on a diverse population of renewable assets.
In the past decade, cyber has moved from being a fringe concern to a strategic threat, which the Australian Institute of Company Directors (AICD) now indicates is one of the top risks on the minds of boards [3].
For energy and other critical infrastructure sectors, a catastrophic cyber incident has the potential to have a material societal impact. In one major ransomware incident where Deloitte was called in for support, it took over four weeks to restore core IT systems (e.g. asset management, maintenance, spares inventory), which started to present challenges to the continued operation of generating assets within their license conditions, illustrating the nuanced dependencies between core IT systems and operational processes.
For the energy sector, cyber threats primarily arise from:
One of the most difficult aspects in managing nation state risk is the insidiousness or indirectness of the hazard, and the level of capability. Nation states have focused on infiltrating technology stacks and supply chains of industrials in a manner which is covert and latent by design. The widely reported SolarWinds and Log4j vulnerabilities are both examples of attackers (linked to nation states [5]) deliberately compromising the underlying code-base of widely used software as a vehicle to then infiltrate the organisations which use this software.
In the energy sector, it is common for Australian organisations to use non-sovereign technologies for generating, transmission, firming and distribution assets, which typically have a requirement for remote services, diagnostics and support that will sometimes involve direct offshore access by suppliers to core systems. Threat actors have responded to this by targeting organisations through their common suppliers.
The targeting of these suppliers is now clearly recognised by regulators as a potential attack path for accessing core infrastructure, and in our experience, presents a systemic risk to industry. In an illustration of this, it was noted as a key factor in the withdrawal of cyber insurance covering nation state attacks in policy renewals in 2023 [6]. Boards of energy organisations are now presented with the question of how they must reasonably act to identify and mitigate risks that an insurer is no longer prepared to cover.
The shift from a smaller number of traditional energy resources (e.g. large power stations) to a landscape of thousands of renewable energy assets (and millions of consumer distributed energy resources) creates a profoundly different landscape for cyber risk, protection and regulation. Some examples include:
In the last 5 years, we’ve seen the emergence of cyber-related regulation such as the Australian Energy Sector Cyber Security Framework (AESCSF) and the reforms under the Security of Critical Infrastructure (SOCI) Act, which considers cyber as one of the four fundamental hazard vectors (the others being physical, human and supply-chain).
However, the growth in smaller renewable assets presents similar tensions around the ‘right’ model for regulating a landscape that will increasingly be shaped by many smaller entities. Today, in the renewables space, many of the assets (e.g. wind, solar, hydrogen) sit within smaller legal entities than those of traditional power organisations. We routinely see generating entities that own a renewable asset with one to five dedicated employees, a diverse range of architectures, and a high reliance on outsourced service providers to run their assets in steady-state on behalf of passive investors like sovereign wealth and pension/superannuation funds.
Whilst this model might be considered ‘fine’ for an investment asset like a commercial office building, these entities have historically not budgeted or planned for operational cyber practices like AESCSF SP-1 (88 practices) or the Essential 8. These entities also tend to lack a standardised architecture that fully meets the cyber architectural requirements, or an operating model and responsibility model that enables effective cyber risk decisions outside of the service provider (who cannot ‘own’ the risk).
For example, if we have 500 identified cyber vulnerabilities in our Operational Technology landscape (quite common if it was deployed a few years ago), and applying a fix requires planned downtime and regression testing (not at all uncommon), what then is the process for accountable, risk-based decision making around the trade-offs between operational uptime (which is linked to revenue) and planned downtime for cyber risk mitigation? An outsourced service provider can have a conflict of interest here, given some of these activities can add to their costs (e.g. testing of patches, planning for roll-back), but their contract with the customer can be silent on these aspects.
Australia has a diverse energy ecosystem that consists of hundreds of renewable assets, where the introduction and enhancement of regulations and security profiles (under both AESCSF and SOCI) is helping to uplift the cyber capabilities and oversight of critical infrastructure organisations around the inherent risks they face.
However, the urgency to build renewable assets and their displacement of legacy assets means we are entering a period where potentially hundreds of individual in-flight projects are underway, without a comprehensive understanding of the risks and commensurate mitigations that should be a fundamental part of their development and operations.
This wave of capital investment will challenge how we achieve the ‘right’ approach for cyber risk management, governance and regulation. Given these are capital assets, it can be expensive to retrofit cyber controls if the risks are only considered after commissioning, or late in the project.
Through our work for multiple renewable entities, we’ve recognised that security and resilience can be achieved more consistently and effectively through standardised architectures and operating models that have cyber capabilities and operational controls, like 24x7 Cyber Detection and Response, integrated from the outset.
Using a repeatable, risk-based approach like this won’t magically fix cyber risk, but does move organisations towards a model that has less inherent complexity, lower regulatory burden, and a greater ability to understand and manage the aggregate level of cyber risk in a rapidly changing ecosystem.
To start a conversation on Cyber in Renewables, including 24x7 Cyber Detection and Response that’s pre-packaged for AESCSF in smaller scale assets, email Simon Gribble.
1. Project Tracker (March 2023)
2. Solar Energy Systems on households have more than doubled since 2018
3. Focus areas for AGM season
4. Dr Michael McGuire in Nation States, Cyberconflict and the Web of Profit, University of Surrey, 8th April 2021
5. Russian hackers behind SolarWinds
6. Lloyd’s to Exclude Catastrophic Nation
7. Global PV inverter market share