Australian energy security in a connected world
Politics aside, the future of Australian energy networks is looking exciting, with digitalisation and a greater mix of cheaper energy sources coming online — but we mustn’t ignore the elephant in the room: cybersecurity risk.
Unless you have been living in another country it would have been near impossible to be unaware of the debate over energy security. But then again, with a Prime Minister who has sloganised “engineering and economics” as the Coalition approach to energy security, and the constant Canberra political blame game, it would be no surprise if you have switched off. As with the climate change ‘debate’ before it, it is mainly only the politicians and commentators that we tend to hear from regarding energy, and very little is heard from real experts. That’s not to say that expert opinion is not sought: it’s just that it seems to only be of interest to politicians when the advice given fits in with their current political agenda.
Nevertheless, engineers and scientists need to keep on finding real scientific and engineering solutions to the problem of energy security, as they have always done, regardless of the political melodrama.
There are many elements to the energy security debate, and to the work going on in the background, whether it be the ‘economics and engineering’ of fossil fuels versus renewables, or energy storage and energy demand — and of course solving the problem of the reliability and resilience of the distribution network. One such, perhaps more esoteric, element of energy security is cybersecurity: a subject that doesn’t seem to make it into the mass media as a talking point.
Cybersecurity: the third aspect of energy security
Energy security, as presented in the media, tends to revolve around two aspects:
- Ensuring there is sufficient generation to meet demand when it is at its peak.
- Ensuring that the energy grid can deal with contingencies like faults or generation failures.
Achieving these two goals is obviously fundamental to a reliable energy supply. In the public media debate we only hear discussions of energy prices for consumers and arguments about resurrecting ageing coal-fired power stations — arguments dumbed down and simplified for mass public consumption.
But we live in a highly connected and digital world. Achieving maximum control of the grid in today’s world necessarily implies greater digitalisation and networking: the best results and the greatest efficiency will be achieved by leveraging modern digital technologies such as the Industrial Internet of Things (IIoT). Enhanced grid intelligence through digitalisation and data sharing will make the grid more responsive to changes in electricity demand and better at integrating new sources of generation.
Leveraging digitalisation introduces a greater need to focus on cybersecurity. In the past, energy grids were based on centralised generation, and energy distribution was managed by a proprietary SCADA network disconnected from the internet and business networks. Modern connectivity, which enables greater data sharing, has the side effect of introducing new cyber hazards.
Reports and recommendations
In the Australian Government’s 2016 Threat Report, released by the government’s Australian Cyber Security Centre (ACSC), the energy sector was identified as the sector with the highest number of reported incidents or near-incidents relating to critical infrastructure. The report stated that between July 2015 and June 2016, CERT Australia responded to 14,804 cybersecurity incidents affecting Australian businesses, 418 of which involved systems of national interest and critical infrastructure. [1]
The famous Finkel review, ‘Blueprint for the Future’ [3], discussed the need for strong cybersecurity measures and recommended that an “annual report into the cyber security preparedness of the National Electricity Market should be developed by the Energy Security Board, in consultation with the Australian Cyber Security Centre and the Secretary of the Commonwealth Department of the Environment and Energy”.
Cybersecurity has become a key strategic priority for energy networks in the past two years, with energy network businesses using advanced cybersecurity strategies to deter, detect and respond to threats. With the increase in cybersecurity risks, networks have strengthened collaborative approaches in the past 12 months to heighten the capacity of the sector to identify hazards and respond quickly. [4]
For obvious reasons, efforts and initiatives to manage cybersecurity risk to protect the safety and security of Australians are not discussed openly. However, the recent publication by Energy Networks Australia, ‘Cyber Security and Energy Networks’ [5], provides an overview of the areas where Australian energy network providers believe that cybersecurity must be managed.
In some ways we have been here before
Adapting to the management of cybersecurity is not dissimilar to other procedural and technological changes that industry has adapted to in the past: occupational health and safety (OHS) and plant safety systems. The standardised management of OHS is now an integral part of every business, although it was some years in the development of comprehensive procedures and policies. Businesses have learned from the OHS journey and are increasing the priority placed on cybersecurity in terms of engagement with employees, contractors and suppliers.
Similarly, the methodologies of cybersecurity threat and risk assessment, and subsequent risk mitigation strategies, should be generally familiar to organisations that have done the same in the development of plant safety systems. The main difference for energy networks, however, is the distributed nature of the potential ‘attack surface’.
New technologies, new attack vectors
A major problem for energy networks in recent years has been the adoption of renewable energy sources, which create network management challenges due to their variable supply characteristics. Better utilisation of modern digitalisation technologies and the IoT will help to manage these variable energy sources, for as long as these systems are under the control of the energy networks.
However, energy systems around the world are also experiencing the rapid adoption of other types of distributed energy resources, such as smart meters, smart inverters, electric vehicles, rooftop solar photovoltaics, battery storage and home energy management systems. Many of these technologies are connected through the Internet of Things (IoT) and are creating a fast-growing relationship between millions of ‘uncontrolled’ IoT devices and the energy networks themselves. On one hand, this IoT ecosystem is very useful for energy networks to help with real-time system balancing and to support the reliability, safety and quality of energy supply. On the other hand, the increased interaction between the grid and the customer introduces a plethora of devices connected to the internet that could potentially present a threat to the integrity of the system.
The careful management of interfaces, strong communication protocols and the setting of safe operating parameters are essential to manage risks that IoT devices may present to network components and control systems.
Collaboration and standardisation
The Australian Government is engaging in ongoing discussion with all stakeholders, utilising available resources such as CERT Australia and the Attorney-General’s Trusted Information Sharing Network (TISN).
CERT is a major contributor to the ACSC and provides services such as advice and assistance on how to deal with cybersecurity incidents, the latest information on trends, and participation in company training programs and incident response exercises. The Australian Signals Directorate (ASD) is also a member of the ACSC, and provides strategies to mitigate the risk of cybersecurity incidents.
Energy Networks Australia, in collaboration with CSIRO, has also released its ‘Electricity Network Transformation Roadmap’ [7] for the electricity network industry in the coming decade, in which cybersecurity is a core focus. In an energy system that utilises digitalisation and decentralised technologies, a strategic focus on cybersecurity will be an essential priority.
The roadmap identifies a gap in the standards required to enable effective cybersecurity and proposes that an upcoming IEC standard on automation cybersecurity (IEC 62443) [8] should be reviewed with a view to its application in Australia.
For their own part, energy network operators have put in place a number of measures to prepare for and respond to cybersecurity risk. They have established a cybersecurity forum dedicated to electricity and gas networks, consisting of IT and OT cybersecurity specialists, as well as information risk sharing protocols and alerts between members. A new initiative has also been started with Standards Australia to directly adopt existing relevant international cybersecurity standards, and members are collaborating with the Australian Energy Market Operator (AEMO) to review data communications security standards.
When we put all the politics aside (and the media doom and gloom), the future for energy networks in Australia is looking very exciting. Digitalisation and IoT technologies will help us find the way to a new world of more efficient, cleaner and cheaper energy for all Australians, if we play our cards right. But like all new advances, there will be teething problems, and new problems to be faced.
Looking at it on the positive side, new problems lead to new solutions, and that is how progress occurs. Now if we can just get the politicians out of the way…
References
1. Australian Cyber Security Centre 2016, Threat Report 2016, Australian Government, <https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf>
2. ibid., p15.
3. Finkel A, Moses K, Munro C, Effeney T, O’Kane M 2017, Independent Review into the Future Security of the National Electricity Market, Australian Government, Department of the Environment and Energy, <https://www.environment.gov.au/system/files/resources/1d6b0464-6162-4223-ac08-3395a6b1c7fa/files/electricity-market-review-final-report.pdf>
4. Johnston S 2017, You don’t know the power of the Dark Side, Energy Networks Australia, <http://www.energynetworks.com.au/news/energy-insider/you-dont-know-power-dark-side>
5. Energy Networks Australia 2017, Cyber Security and Energy Networks, <http://www.energynetworks.com.au/sites/default/files/16022017_cyber_security_and_energy_networks_a4.pdf>
6. Finkel et al, op. cit., p68.
7. Energy Networks Australia, CSIRO 2016, Electricity Network Transformation Roadmap: 2017-27 - Key Concepts Report, <http://www.energynetworks.com.au/sites/default/files/key_concepts_report_2016_final.pdf>
8. IEC Technical Committee 65, IEC 62443: Security for industrial automation and control systems, International Electrotechnical Commission.