Friday exclusive: Energy politicking leaves Australia vulnerable to cyber attack
'Trust in government to lead has dropped'
Security of Australia’s energy grid marred by ‘cyber-incompetence’
By Alex Liddington-Cox
Australia’s Energy Security Board is remaining tight-lipped about the preparedness of the National Energy Market for a cyber-attack ahead of its first annual report on the issue.
Experts say the pace of cybersecurity reform has slowed, in part due to political upheaval in Canberra. The industry is under-resourced and there’s ongoing confusion about how Australia responds to an attack.
The annual energy-cyber preparedness report, which is being conducted with the Australian Cyber Security Centre and the Secretary of the Commonwealth Department of the Environment and Energy, was among the recommendations of the Finkel Review. It’s due before the end of the year.
The report is set to assess the cyber maturity of energy market participants, identify vulnerabilities and take stock of current regulatory procedures. Western Australia, which falls outside the NEM, understands the report will include an assessment of its energy market participants as well.
Additionally, the report will provide an assessment of the Australian Energy Market Operator’s cyber security capabilities and third-party testing, as well as provide an update from all market participants on how they undertake routine testing and assessment of cybersecurity awareness and detection.
The ESB and AEMO, which provides administrative support to the ESB, both initially expressed interest in providing a spokesperson to Australian Energy Daily to comment on the progress of the report.
However, both organisations backed out. In response to written questions, AEMO could only produce a tightly written statement that simply repeated Finkel’s outline of the energy-cyber report.
Fast world, slow progress
“This government has actually slowed the pace of its reforms in the cybersecurity area since announcing them in April 2016,” says Professor Greg Austin of the University of New South Wales, where he serves as deputy director of Canberra Cyber.
The energy-cyber report is set to land after responsibility for both areas has changed hands twice at a ministerial level since it was announced just 17 months ago.
Current Treasurer Josh Frydenberg, who assumed responsibility for energy a month after the Finkel Review, has since handed the reins to Angus Taylor. Mr Taylor inherited the ‘special post for cybersecurity’ from Dan Tehan in December; that post is now being handled by Home Affairs Minister Peter Dutton.
Under Mr Taylor, the then-Turnbull government missed the annual review deadline for the Cyber Security Strategy. This was separate from the energy-cyber report.
Oscar Omegna is co-founder and chief executive of Melbourne’s SavviBI, which helps companies cut their energy costs with data and analytics. Omegna says this instability in Canberra is hurting the energy industry’s ability to share information.
“There's a complete lack of understanding of what cyber is, so everyone's doing it privately,” said Omegna. “Trust in government to lead industry has dropped and everyone is looking at the problem isolated from one another.”
Secret spending
Hard data on cybersecurity attacks and spending levels specific to energy is scant.
Readily available cybersecurity reports generally under-report energy cyber-attacks. It’s widely known among security experts that nation-states do their best to keep attacks on critical infrastructure quiet.
The most famous cyber-attack on a country’s electricity infrastructure is that of Ukraine in 2015. Russian hackers compromised the information systems of three electricity distribution companies, taking down 30 substations and cutting power to 225,000 customers. The Finkel report specifically cited this attack when outlining the need for an annual energy-cyber report.
Meanwhile, last month UK press reported that British military forces have practised a cyber-attack to shut down Moscow’s entire power grid as a counter-attack if Russia used military force.
Here in Australia, east coast distributor AusGrid, jointly owned by the NSW government and a consortium of super funds, has budgeted A$20 million for cybersecurity in the 2019-24 period.
Origin Energy told Australian Energy Daily it spends between 5% and 7% of its IT budget on cyber, which it describes as an “industry benchmark”.
EnergyAustralia, owned by China’s CLP Group, says it uses a cybersecurity assessment framework rolled out by AEMO in September. The company declined to give any guidance on its cyber budget, but did say it includes recruitment for its cybersecurity team and training of all personnel among its priorities. AGL declined to comment.
AEMO itself plans to spend around A$10 million on its cybersecurity program.
‘Cyber-incompetence’
According to a report by AustCyber, a government-funded industry growth centre, Australia’s cyber industry is set to triple in size to A$6 billion and needs 18,000 more people by 2026.
Professor Austin says the South Australian blackouts in 2016, caused by a storm, hold lessons for the Australian energy industry when it comes to cybersecurity because the event revealed a level of “cyber-incompetence”.
“Very few people understood how the volt settings on the wind turbines had been set to respond in instances of high wind,” Austin said. “Nobody had mapped those very detailed software settings for the wind turbines.”
This kind of failure across interconnected systems is what nation-states seek to induce when conducting a cyber-attack on critical infrastructure. Many experts believe cascading failures of this kind become more likely as technology makes our economies more interconnected.
Who’s responsible?
The US Department of Energy released its latest cybersecurity strategy in June. In it, the DoE showed its maturity by talking about information sharing “in near-real time” in the event of an attack.
“In the US, and United Kingdom, there’s very clear policy that private sector operators of critical infrastructure protection in the event of a major crisis are both legally and morally responsible for their own defence,” Austin said.
He says Australian governments have repeatedly described critical infrastructure protections as a shared responsibility but have so far failed to spell out what that means in practice during a crisis.
“It’s pretty clear that Australia as a country is not prepared for a serious, state-led, multi-vector, multi-wave cyber-attack.”
Alex Liddington-Cox has covered business, economics, politics and human rights in Australia, North America and the Middle East, including a stint covering cybersecurity for Technology Spectator.