Energy’s Net-Zero Cybersecurity Challenge
Australia’s commitment to an emissions reduction target of 43% by 2030 must be matched by an undertaking to put cybersecurity at the center of its sustainability goals.
There has never been a greater focus on climate change and the race to net-zero emissions than now. Against a backdrop of escalating fuel prices in Australia and around the world, an uplift in government policy and investment is being channeled into electric vehicles (EVs), charging infrastructure, and renewable energy such as solar.
Australia’s newly elected Labor government under Prime Minister Anthony Albanese has introduced a renewed emissions reduction target of 43% by 2030, plus new EV tax incentives and infrastructure. Part of its goal is to generate 80% of Australia’s energy from renewable sources by 2030.
To achieve this, it has been reported that Australia will need to double the pace of its renewable energy uptake, even without an increase in demand. As this race commences, cybersecurity experts have warned about the vulnerability of Australia’s national electricity grid to the influx of Internet of Things (IoT) endpoints.
In the wake of the global COVID-19 pandemic, and in the midst of the war in Ukraine, most nations – including the Quad and Five Eyes alliances – are on high alert in an unsteady geopolitical environment, anticipating cyberattacks on critical infrastructure. This includes a threat to the IT supply chain via managed service providers (MSPs).
Renewable Risk: Cyber Concerns
As Australia makes plans to modernize its electricity grid, and businesses and individuals rapidly adopt connected, energy-efficient solar panels, air-conditioners, and vehicles, it must be emphasized that cybersecurity goes hand-in-hand with sustainability.
The explosion of connected endpoints introduced by a next-generation energy plan will deliver welcome efficiencies to help meet those targets, but will also further expose Australia’s infrastructure and organizations to threat actors today and into the future – especially “long-life” devices and systems, such as smart cities and vehicles, which are potentially vulnerable to the cyber threat of Y2Q, quantum computing’s Y2K equivalent.
Australia has already made some encouraging strides in strengthening national security and cyber resilience, with amendments to the Critical Infrastructure Act, Ransomware Action Plan, and the new REDSPICE initiative. However, legislation alone won’t address the complexity and vulnerabilities in sectors such as energy, where the IoT cybersecurity threat is impacting both new and older legacy environments.
Throughout 2021, the world witnessed an alarming series of cyberattacks against critical infrastructure targets such as water treatment plants and pipelines. Rachel Noble, director-general of the Australian Signals Directorate (ASD), recently stated that “threat levels are picking up,” with the ASD receiving cyber incident reports every eight minutes on average. She added that 25% of incidents are carried out against critical infrastructure or essential services such as health and food distribution.
The convergence of operational technology (OT) and information technology (IT) in such industries – let’s call it the physical and digital – is a clear and present danger. As new hardware, software, and legacy systems connect, more vulnerabilities are exposed.
If preventative steps are not taken, such as the use of artificial intelligence (AI) to predict attacks, threat actors will use any available exploit to enter connected networks, with potentially dire consequences.
The Human Factor
Let’s look at solar as an example. Australia has the largest uptake of solar in the world, with more than three million rooftop solar PV systems installed nationwide. While this is pleasing, most people are unaware of the associated cyber risks.
Inverters are connected to panels, which are connected to the energy grid network. In many cases, these panels are also internet-enabled so usage can be easily tracked and monitored from phone or tablet apps. If just one of these solar panels has a software vulnerability, attackers could exploit it as a foothold to attack the wider electricity network.
Another looming threat is EV chargers. Concerned about the growing complexity of interactions between the cyber and physical layers in the energy sector, Yury Dvorkin, an assistant professor of electrical and computer engineering at NYU Tandon School of Engineering, in New York, published research on the potential for public EV charging stations to become a cyberattack vector for the U.S. energy grid.
With Australia readying its plans for national EV charging infrastructure – and many people installing chargers in homes and businesses – cybersecurity must be top of mind in its design. The IT supply chain will only become increasingly globally interconnected, and any point of the chain can be a weak link. With power grids, hospitals and transportation, cyber incidents can result in physical harm and environmental destruction – far beyond data theft and business disruption.
U.S. technological research and consulting firm Gartner has predicted that by 2025, cyber attackers will have weaponized operational technology environments to successfully harm or kill humans. The company also predicts that the financial impact of attacks on cyber-physical systems (CPS) resulting in fatal casualties will surpass US$50 billion by 2023. Liability for CPS security incidents will pierce the corporate veil to personal liability for 75% of CEOs by 2024.
When you consider key Australian industries – such as mining and energy, agriculture, health care and transport – the stakes are now even higher for board members.
What Can Be Done to Prevent Such Cyberattacks?
As more industries continue to embrace net-zero initiatives and invest in smart, sustainable devices and infrastructure, how can Australia protect these physical devices, such as solar panels and the networks they are connected to?
It is no longer enough to simply meet basic security standards or implement post-incident reporting obligations. A prevention-first approach must be considered to ensure intelligent security from the operating system to the endpoint. This includes:
- Embedding security-by-design, leveraging safety-certified software at a control systems level.
- Protecting the software supply chain. Manufacturers now have access to software composition analysis tools to detect vulnerabilities throughout the software supply chain.
- Leveraging AI and machine-learning tools to achieve a prevention-first cybersecurity posture for endpoints and networks.
- Addressing a lack of skills and “alert fatigue” – supplementing IT teams with managed services offering access to skilled cybersecurity threat hunters and analysts.
- Using critical emergency management – intelligent alert technology that offers trusted communications through a secure network to keep people safe.
As we strive for a better planet, it is just as important to strive for the safety of all data, things, and people. Therefore, it is critical for the public and private sectors – locally and internationally – to band together to ensure green energy innovation can be trusted.
By putting cybersecurity at the center of sustainability, Australia can help to achieve “security by design” at every layer and prepare for the IoT perils of net-zero.