Australian energy sector caught in security catch-22

With regulators unwilling to accept security investments that would lead to higher tariffs, there is a chance that Australia’s National Energy Market could face increased cyber risks

Australia’s electricity companies are caught in a cyber security catch-22 situation.

Although power suppliers are relying more on household rooftop solar panels connected to their information systems over the internet, they are constrained in how much they can charge consumers, making it harder to raise prices to pay for improved security.

And with regulators unwilling to accept investments required in cyber security that would lead to higher tariffs, there is a chance that Australia’s National Energy Market (NEM) could face higher cyber security risks.

Speaking at a recent roundtable discussion about cyber security in Australia’s energy and utilities sector, Giovanni Polizzi, energy solutions manager for Indra Australia, noted that if hackers can control a tenth of the power, the NEM could be destabilised.

Ivan Fernandez, industry director at Frost & Sullivan, said besides the cyber threat posed by insecure internet of things (IoT) connections to rooftop solar systems, the increasing complexity of the power sector made cyber security a critical issue.

“In 2017, more than 700MW of renewable energy had been brought on stream, and seven times that amount will be available by the end of the year,” he said.

Added to that is the forecast that by 2027, 40% of large enterprises will have on-site electricity distribution facilities, with 3.3 million smart meters slated to be deployed in Australia. This greatly increases the attack surface associated with electricity supply, as well as the amount of data available to cyber crooks.

Fernandez said security had been identified as the top challenge facing the energy and utilities sector in Frost & Sullivan’s 2017 industry survey.

He forecast a rising number of cyber attacks directed at supervisory control and data acquisition (Scada) systems, and a growing chasm between the cyber preparedness of IT and operational technology teams.

Carsten Rudolph, associate professor at Monash University and director of the Oceania Cyber Security Centre, said the rich data now being collected in the electricity sector was ripe for malicious manipulation for financial gain.

Monash and Indra are working together on distributed security systems that include using encryption so that even exfiltrated information could not be easily exploited. They are also exploring how micro-grids can be developed and deployed.

However, Rudolph acknowledged that, for now, cyber attackers have the upper hand.

Phil Kernick, co-founder and CTO of CQR Consulting, expressed frustration at the lack of progress in terms of securing Australia’s electricity network and called for urgent regulation, as the continued connection of consumer rooftop solar panels could make the grid unstable.

Polizzi added that “plug and play is coming at the cost of security”, though he acknowledged that the cost associated with industrial-grade solar panels could be unpalatable.

But as Kernick warned several times during the roundtable discussion, the issue is not going to disappear any time soon – and the already ageing technology infrastructure in the electricity network may not be fully replaced for decades. This made it essential for electricity companies “to acknowledge and manage the risk”.
