The electricity grid is considered a prime target for criminal or rogue state hackers.(ABC News: Andrew O'Connor)
The widespread adoption of rooftop solar panels and smart appliances is increasing the risks of cyber attacks on Australia's electricity grid.
Russia's invasion of Ukraine has heightened fears Moscow could take the war into cyberspace as it seeks to retaliate against the West over massive and unprecedented economic sanctions.
Two of Australia's top cyber security advisors said the electricity networks of Russia's adversaries would be firmly in sight as part of any attack and Australia was not immune.
Their comments came amid warnings that Australia's embrace of rooftop solar and technologies that communicate with the grid through the internet could make the country more vulnerable to hackers.
One of Australia's leading energy regulators acknowledged the need for electricity networks to boost spending on cyber security to help safeguard the grid.
Alastair MacGibbon, the chief strategy officer at consultancy CyberCX and a former cyber security advisor to the federal government, said the risks were growing as the electricity system became more complex.
Cyber risks to grid 'catastrophic'
"The more connected you are the more important cyber security is," Mr MacGibbon said.
Mr MacGibbon is a former national cyber security advisor to the federal government who says the implications of not implementing correct cyber security measures was "potentially life-threatening".(ABC News: Matt Roberts)
"We rely upon those connected devices that make up our society to function to the point now where there would literally be potential loss of life, potential catastrophic, cascading effects on the very functioning of society if we don't get cyber security right.
"That sounds like a sky-is-falling type of statement.
"But it's just a reality when our transport, our power, our water, our banking, the way we communicate with each other, literally the way everything functions, relies on a connected device."
Last year, Queensland electricity generator CS Energy was almost brought to its knees after criminal Russian hackers hit the company with a devastating ransomware attack.
Such attacks involve hackers infiltrating a company's computer systems and threatening to destroy or withhold critical information unless the victims pay a ransom.
Frequency of attacks 'astonishing'
Cyber Security Cooperative Research Centre chief executive Rachael Falk said the CS Energy attack was a serious incident that almost disabled electricity provision in one of Australia's biggest states.
But she said it was far from isolated.
"It is a common story," Ms Falk said.
"Ransomware is one of the biggest threats we have at the moment to our organisations and we know that particularly electricity and industrial companies are a main target.
"It's the equivalent of having a tsunami through your business — it's ruined everything, there is nothing left untouched, it's devastating."
According to Ms Falk, one of the most common ways for hackers to get into a company's systems was through "phishing" emails, which might be disguised as bills or notifications.
Ms Falk says cyber attacks can be like tsunamis for affected organisations.(ABC News)
She said cyber criminals were becoming increasingly sophisticated in their design of phishing emails.
They were also becoming more nimble.
"Cyber criminals are very adaptable," Ms Falk said.
"During COVID, we saw a quick spike in mimicking official government emails, say about JobKeeper or JobSeeker.
"Within hours they had pivoted to mimic, and very convincingly mimic, official government emails with lures … in order to dupe people."
Spending to go under microscope
In Western Australia, the issue of cyber security is set to be put to a critical regulatory test.
The state's economic watchdog, the Economic Regulation Authority (ERA), is poised to assess the latest five-year spending plans of Western Power, which services more than two million people.
ERA chairman Steve Edwell said the need for increased cyber security spending by electricity firms was "inarguable" given the obvious and elevated risks of attacks.
The cybersphere is an increasingly contested space between rival states.(Unsplash: Taskin Ashiq)
Mr Edwell, the inaugural chairman of the Australian Energy Regulator, said most people would be "gobsmacked" to know how often electricity networks were hit by cyber strikes.
And he noted legislation currently before the Federal Parliament was set to formalise requirements for power providers to beef up their cyber defences.
"I'd seriously doubt there's a board anywhere or a network business in the country that doesn't rate cyber security among its top risks.
"And the network businesses that I know have been on this for a number of years.
"Quite apart from that legislation, the cyber risk for electricity network businesses as I see it is a clear and present danger.
"What's happening now with the energy transformation is really taking the dimension of cyber risk to another level.
"Anyone who has any business conducted electronically — and let's face it, just about every modern business does — is subject to cyber-attack."
Households are unwitting targets
Mr Edwell said the rapid uptake of solar and smart appliances, such as internet-enabled fridges and air conditioners, had been a boon for consumers, lowering bills and giving them greater autonomy over their needs.
Nevertheless, he said there were downsides from a security point of view, noting that households had potentially become entry points through which hackers could infiltrate the network.
"So, here in WA … we've got [one] third of households now with solar [photovoltaic cells]," he said.
"You have these two-way flows of generation back into the system.
"The challenge that network businesses have now is much greater than in the past.
"And the way they do that is to digitalise, automate.
"The more you have of that, the more your system is open to cyber-attack.
"We now have inverters in … households in Perth and surrounds all ultimately talking to the network business.
"That's where the risk comes in."
Power bills 'needn't increase'
With electricity distribution and transmission accounting for about 40 per cent of the typical bill, Mr Edwell said he was acutely aware of the cost implications of increased cyber security spending.
But he argued it was imperative to guard against the potential security risks from new technologies while also allowing for the full benefits of cheap solar power and smart devices.
"The issue for us is the timing of it and whether it's a prudent spend," he said.
"It doesn't necessarily follow that if there's big expenditure across the nation that electricity consumers will pay for all this expenditure.
"One of the benefits of the transformation system is it's providing network businesses with the opportunity to replace traditional poles and wires with smarter and lower cost technology substitutes."
Mr MacGibbon agreed and said it was no longer tenable for cyber security to be an afterthought.
"If there are people who don't believe cyber security is a risk, they are, unfortunately these days, just dreaming," he said.
