The proliferation of grid-connected household solar PV/inverter systems poses a potential cyber-security risk, electricity providers have warned the federal government. Ausgrid has raised the spectre of multi-billion daily costs in the event of a serious cyber attack on its infrastructure.
Last week, the Department of Home Affairs made public more than 200 submissions to the federal government’s Cyber Security Strategy 2023-2030 Discussion Paper, revealing the security concerns of the energy sector.
The Australian Energy Market Operator summarised the problem in this submission (pdf):
“End-use consumer uptake of digitally connected devices that are expected to play a critical role in energy security and reliability, introduce additional cyber security risks into the supply chain.
“The risk of contagion from a cyber security event within a sector and across sectors needs to be continually assessed given its evolving nature.”
In this submission (pdf), DNSP1 Ausgrid laid out a stark warning of the cost, in the event that the worst happened.
“A cyber-attack on our network, even for a few hours, would severely disrupt lives and livelihoods.
“In the worst possible case, the economic impact from a complete shutdown of our infrastructure may be as high as $120 million per hour or over $2.9 billion per day.”
Ausgrid noted it is currently seeking Australian Energy Regulator approval to expand its cyber security spend.
“We would also welcome further engagement with the Board and the Department about our plans to invest $91 million in strengthening our cyber security protections over a five-year period beginning in FY25.”
One of the risks, Ausgrid said, is the “influx of customer-owned energy devices connecting to electricity networks”.
“These devices potentially provide millions of entry points for cyber threats to infiltrate electricity networks and disrupt the supply of energy to customers,” the submission stated.
Ausgrid said it would support a government-endorsed list of approved devices or appliances, as “an independent source for verifying the suitability of devices and appliances.”
Related: Are Chinese Solar Inverters A Security Risk?
About Richard Chirgwin
RSS - Posts
All it would take is the hack of a major brand name like Sungrow, Huawei, SMA or Fronius with a large market share, infect the host, push a software update to all connected devices.
One in three households have solar, there would be a large amount of PV systems connected to the internet.
There is a definite risk, but also its not just PV and Battery Systems.
Any connected device could technically be an access point.
Probably doesn’t help that the electrical infrastructure is a bit notorious for being vulnerable as long as someone gets a vector into the system i.e a substation would probably be good enough.
Though my knowledge is a bit out of date they don’t tend to change things like that unless they have to.
I remember a video by pentesters “not in Australia though”
That were disturbed how easy they got full access as soon as they had a access point in a low security sub station.
The Federal Government must get on with mandating modern DER management and contrel standards such as IEEE2030.5 ( AKA. CSIP-Aus)
A lot of serious cyber-security work has gone in to securing this protocol suite.