Energy system cybersecurity for an uncertain world
By Dor Son Tan dstan@energynetworks.com.au
As the world increasingly turns towards renewable energy sources, the deployment of distributed energy resources (DERs) such as solar panels, electric vehicles (EVs), and energy storage will become more common.
While these systems offer many benefits, they also present unique cybersecurity challenges as the amount of DER rises and makes up a greater proportion of our generation. By becoming more interconnected with each other and the grid, they in turn become more vulnerable to cyberattacks.
In this article, we will explore the importance of cybersecurity for DER and discuss some of the efforts being undertaken to ensure the safety and security of our grid.
Cyber threats are on the rise.
Australia has recently seen a wave of cybersecurity breaches which have hit some of our biggest corporates, affecting millions of consumers. Whether by state-actors, criminal organisations or bored kids, the estimated cost of global cybercrime is measured in the trillions of dollars and growing.
As illustrated in the movie Live Free or Die Hard, attacks on the electricity grid are not a new idea. In fact, back in 2016 we saw this play out in real life as the Ukrainian power grid fell victim to a sophisticated cyber-attack that left 225,000 people without power.
What’s being done to protect the Australian grid?
This then begs the question; what should we do in Australia to ensure we don’t end up in the same situation?
Firstly, and perhaps most importantly, the government has really stepped– up activity in this space, by introducing the Security of Critical Infrastructure Act 2018 (SOCI Act).
This new legislation applies to a broad range of sectors, everything from hospitals to food distribution, to payment systems, which the Federal Government has deemed to be “critical infrastructure”. It places practical obligations on identified organisations, such as reporting incidents to the Federal Government and adhering to different security and resilience standards for assets and personnel.
This legislation is also supported by a wide variety of government organisations such as:
- AusCheck
- Australian Cyber Security Centre (ACSC)
- Australian Signals Directorate (ASD)
- Australian Energy Market Operator (AEMO)
- Cyber Infrastructure Security Centre (CISC)
Secondly, electricity utilities have had a lot of experience making sure their internal systems are protected from the non-state actors on a day-to-day basis. There are literally hundreds of thousands of attempts to access their systems (via email phishing, bot attacks etc.), but the industry has so far been very lucky (luck being a combination of preparation and fate) and we’ve not experienced a huge disruption to our power system.
But what about securing customer-owned DER?
However the future is changing, with a larger proportion of the power system being supplied by local, wi-fi-connected DER, such as solar PV, batteries and even EVs this dramatically increases the “threat surface area” and likelihood of system-level disruptions. A great article from 2018 on this topic can be found here.
Before you panic from all the doomsaying, some of the easiest solutions could be simply securing your wi-fi network and setting strong passwords. Some of the more sophisticated solutions include Public Key Infrastructure (PKI), Two-factor Authentication (2FA) or other forms of Zero Trust Architecture.
If we don’t start seriously thinking about these issues now the onus of security gets passed down to the many households that will own these devices who, unlike large organisations, don’t have the benefit of a corporate cybersecurity team and are ill-equipped to make these types of decisions for themselves or for the wider system.
How this distributed threat to a whole range of customer (and privately owned) devices is safeguarded, who is best placed to act and other questions still remain unclear, but it is critical that governments and industry (networks, original equipment manufacturers and others) work together to relieve the burden from consumers.