The energy transition is reshaping the asset mix as renewables, like solar, wind, hydro and battery storage, come online to replace legacy assets such as coal-fired power stations. Billions of dollars have already been invested in generation, storage and firming assets, with a committed pipeline of 106 generation and 33 battery-storage projects¹  underway, totalling over $28bn of capital investment. In addition to grid scale projects are domestic solar systems which are installed on approximately one third of Australian households, equating to 3.2m systems² . The scale of assets and their locations present a far more complex system than contemplated by original grid architecture models.

Interested to join our future events?

In the past decade, cyber has moved from being a fringe concern to a strategic threat, which the Australian Institute of Company Directors (AICD) now indicates is one of the top risks on the minds of boards³.  

For energy and other critical infrastructure sectors, a catastrophic cyber incident has the potential to have a material societal impact. In one major ransomware incident where Deloitte was called in for support, it took over four weeks to restore core IT systems (e.g. asset management, maintenance, spares inventory), which started to present challenges to the continued operation of generating assets within their license conditions, illustrating the nuanced dependencies between core IT systems and operational processes.

For the energy sector, cyber threats primarily arise from:

• Criminal groups with a particular focus on ransomware-based campaigns that can cause unplanned downtime in energy organisations and infrastructure such as pipelines – primarily as leverage to obtain financial gain.
• Nation states actively pursuing cyber-initiatives for financial gain or as part of a multidimensional response to geopolitical tension, including hybridised strategies, where cyber-vulnerabilities may be created or used in conjunction with, or in preparation for, more conventional aggression⁴

One of most difficult aspects in managing nation state risk is the insidiousness or indirectness of the hazard, and the level of capability. Nation states have focused on infiltrating technology stacks and supply chains of industrials in a manner which is covert and latent by design. The widely reported Solarwinds and Log4j vulnerabilities are both examples of attackers (linked to nation states⁵) deliberately compromising the underlying code-base of widely used software as a vehicle to then infiltrate the organisations which use this software.
 
In the energy sector, it is common for Australian organisations to use non-sovereign technologies for generating, transmission, firming and distribution assets, which typically have a requirement for remote services, diagnostics and support that will sometimes involve direct offshore access by suppliers to core systems. Threat actors have responded to this by targeting organisations through their common suppliers.
 
The targeting of these suppliers is now clearly recognised by regulators as a potential attack path for accessing core infrastructure, and in our experience, presents a systemic risk to industry.  In an illustration of this, it was noted as a key factor in the withdrawal of cyber insurance covering nation state attacks in policy renewals in 2023⁶. Boards of energy organisations are now presented the question of how they must reasonably act to identify and mitigate risks that an insurer is no longer prepared to cover. 

The shift from a smaller number of traditional energy resources (e.g. large power stations) to a landscape of thousands of renewable energy assets (and millions of consumer distributed energy resources) creates a profoundly different landscape for cyber risk, protection and regulation. Some examples include:

1. Extreme complexity is hard to model and protect. Historically it was simpler to model the cyber risks around a small number of large industrial assets like power stations, which typically have older systems, a level of isolation, known interfaces and a boundary fence. However, a landscape of many generating and consuming assets (that still need to be orchestrated in balancing the grid) presents a complex environment to map out and understand the risks of, especially given a large number of new and emerging potential attack paths (including entry-points through suppliers).
2. Aggregation risk. In this fragmented landscape of smaller capacity distributed energy resources and assets, the failure of an individual resource is likely to be lower impact in isolation. However, given that some vendors in the domestic solar market have more than 20% market share⁷ with inverters already connected to ‘cloud’ platforms for consumer metric visualisation; mandatory enablement of dynamic export limits; and emerging Virtual Power Plants (VPP), some forms of aggregation risks are already present and could potentially allow an attacker to control these resources at scale. 
3. The total cost of protecting a fragmented landscape is high. Conventionally, we’ve kept sensitive information and technology systems in a small number of places – not least because achieving a high standard of cyber maturity can become expensive to apply in a distributed model. In the new world, we face a vast and diverse landscape, with many individual systems and interfaces to protect, and open questions about how key cyber controls (e.g. vulnerability management, privileged access management, 24x7 detection and response) should be performed across a large number of assets and the question of which entity in the energy ecosystem is responsible for the operational governance of the risk. This increases the chances of ‘orphan’ assets which are neither protected or governed.

In the last 5 years, we’ve seen the emergence of cyber-related regulation such as the Australian Energy Sector Cyber Security Framework (AESCSF) and the reforms under the Security of Critical Infrastructure (SOCI) Act, which considers cyber as one of the four fundamental hazard vectors (the others being physical, human and supply-chain).
 
However, the growth in smaller renewable assets presents similar tensions around the ‘right’ model for regulating a landscape that will increasingly be shaped by many smaller entities. Today, in the renewables space, many of the assets (e.g. a wind, solar, hydrogen) sit within smaller legal entities than those of traditional power organisations. We routinely see generating entities that own a renewable asset with one to five dedicated employees, a diverse range of architectures, and a high reliance on outsourced service providers to run their assets in steady-state on behalf of passive investors like sovereign wealth and pension/superannuation funds.
 
Whilst this model might be considered ‘fine’ for an investment asset like a commercial office building, these entities have historically not budgeted or planned for operational cyber practices like AESCSF SP-1 (88 practices) or the Essential 8. These entities also tend to lack a standardised architecture that fully meets the cyber architectural requirements, or an operating model and responsibility model that enables effective cyber risk decisions outside of the service provider (who cannot ‘own’ the risk).
 
For example, if we have 500 identified cyber vulnerabilities in our Operational Technology landscape (quite common if it was deployed a few years ago), that might need planned downtime and regression testing in order to apply a fix (not at all uncommon); what then is the process for accountable risk-based decision making around the trade-offs between operational uptime (which is linked to revenue) and planned downtime for cyber risk mitigation? An outsourced service provider can have a conflict of interest here, given some of these activities can add to their costs (e.g. testing of patches, planning for roll-back), but their contract with the customer can be silent on these aspects.

Australia has a diverse energy ecosystem that consists of hundreds of renewable assets, where the introduction and enhancement of regulations and security profiles (under both AESCSF and SOCI) is helping to uplift the cyber capabilities and oversight of critical infrastructure organisations around the inherent risks they face.
 
However, the urgency to build renewable assets and their displacement of legacy assets means we are entering a period where potentially hundreds of individual in-flight projects are underway, without a comprehensive understanding of the risks and commensurate mitigations that should be a fundamental part of their development and operations.
 
This wave of capital investment will challenge how we achieve the ‘right’ approach for cyber risk management, governance and regulation. Given these are capital assets, it can be expensive to retrofit cyber controls if the risks are only considered after commissioning, or late in the project.
Through our work for multiple renewable entities, we’ve recognised that security and resilience can be achieved more consistently and effectively through standardised architectures and operating models that have cyber capabilities and operational controls, like 24x7 Cyber Detection and Response, integrated from the outset.