From smart to vulnerable: The hidden costs of the digitalisation of utilities


By Glenn Johnson, Editor
Monday, 16 June, 2025


For Australia’s critical infrastructure sectors, proactive investment in cybersecurity is no longer optional

The control systems of Australia’s critical infrastructure utilities are becoming increasingly digitalised. While the aim is to improve efficiency and reliability, increasing digitalisation and connectivity also introduces significant cybersecurity vulnerabilities. Such critical infrastructure — our water, wastewater, and energy utilities — underpins the health, security, and economic prosperity of the nation, making cybersecurity vulnerabilities a risk to the community.

A major wake-up call occurred in 2020, when the Australian Government issued a warning of sustained cyberattacks on Australian networks, attributed to a “sophisticated state-based actor”, which it said “represents the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed.”[1] Since then, Australia has introduced and passed amendments to the Security of Critical Infrastructure (SOCI) Act, which now mandates increased security obligations for entities in these sectors[2].

Cybersecurity a multi-faceted challenge

The rising threat landscape: nation-state and criminal activity

The cyberthreat landscape is evolving rapidly. Nation-state actors, cybercriminal groups, and hacktivists are increasingly targeting critical infrastructure, raising a number of challenges for critical infrastructure organisations.

In 2021, the Colonial Pipeline ransomware attack in the US reverberated globally, highlighting how vulnerable energy infrastructure can impact fuel distribution and economic stability. Closer to home, Australian utility providers have also faced real-world incidents. In October 2022, EnergyAustralia confirmed that attackers accessed customer accounts using compromised credentials, though no operational impact was reported[3]. In another case, South East Water disclosed efforts to increase cybersecurity protections following heightened threat activity[4].

State-sponsored actors often perform reconnaissance within critical infrastructure systems, prepositioning malware that can be activated during times of conflict[5]. The Australian Signals Directorate (ASD) has warned that geopolitical tensions in the Indo-Pacific may elevate the risk of disruptive cyber operations targeting Australia's critical services.

The IIoT and smart infrastructure: a double-edged sword

As utilities modernise to improve services and reduce emissions, the IIoT is helping to transform how utilities operate. Smart meters and intelligent energy distribution devices enable better demand management and cost control. However, they also expand the attack surface considerably; poorly secured IIoT devices are often deployed without strong authentication or firmware validation. In some cases, vendors use hard-coded passwords or leave services open to the internet. Once compromised, these devices can serve as entry points into larger OT networks or even be harnessed into botnets.

The Australian Energy Market Operator (AEMO) has also highlighted growing concerns about cybersecurity in distributed energy resources (DER), such as home solar systems and battery storage, which are increasingly interfaced with grid management platforms[6]. Recent revelations[7] that Chinese-made solar inverters, batteries and other related technologies have been compromised by ‘rogue’ communications technologies also raise questions about just how pervasive the threat is among technologies being added to the distributed electricity grid.

Supply chain and third-party risks

Utility operators rely heavily on contractors, service providers, and third-party vendors for software, hardware, and maintenance. Each third-party connection introduces a potential point of compromise.

According to the ACSC, Australian utilities need to adopt stronger procurement practices, such as vendor security assessments, contractual obligations for incident disclosure, and mandatory multi-factor authentication for contractor access[8].

The problem of aging infrastructure

Australia’s utility providers often rely on legacy operational technology (OT), such as SCADA systems and PLCs, which were designed decades ago with minimal consideration for cybersecurity. The designers and operators of such systems assumed that physical isolation (air gapping) was a sufficient defence.

However, modernisation efforts, including remote monitoring, predictive maintenance, and integration with enterprise IT networks, as well as the Industrial Internet of Things (IIoT), have introduced new pathways for cyber threats. Many legacy ICS environments now operate with ‘bolted-on’ rather than ‘built-in’ security features, which are often poorly configured due to resource constraints. For example, remote water treatment facilities in regional areas may rely on 4G connections with weak or default credentials, making these systems susceptible to basic cyberattacks such as credential stuffing or port scanning.

Resource gaps and skill shortages

Another persistent challenge for many Australian utilities, especially in rural and regional areas, is the lack of in-house cybersecurity expertise. Smaller utilities often do not have dedicated security teams and may outsource IT functions entirely. This leads to inconsistent patching practices, limited threat detection capabilities, and slower incident response times.

According to the ACSC's Annual Cyber Threat Report (2023)[9], there were over 1100 cyber incidents affecting critical infrastructure sectors in the previous year, yet only a fraction of these were reported in a timely manner. Meanwhile, the cybersecurity workforce gap in Australia is increasing, with high competition for skilled OT security professionals. Additionally, many field technicians and engineers who manage ICS environments may be unfamiliar with cybersecurity best practices, increasing the risk of social engineering attacks such as phishing or USB baiting.

Detection and incident response gaps

It is well known in the process control and automation industries that traditional IT security tools often do not work well in OT environments: a routine virus scan or update may inadvertently cause a PLC to reboot, halting operations. This means many ICS environments operate with limited visibility into real-time threats.

Most small and mid-sized utilities in Australia also do not have Security Operations Centres (SOCs) or Security Information and Event Management (SIEM) systems tailored for ICS protocols. Tools like intrusion detection systems (IDS) must be calibrated for Modbus, DNP3, or IEC 61850, yet these solutions are costly and require skilled personnel to operate.

Incident response planning also tends to be underdeveloped. Utilities may not conduct regular tabletop exercises or have coordinated response agreements with local law enforcement or emergency services.

Addressing the challenge

The SOCI Act and mandatory reporting

To address growing threats, Australia has strengthened its regulatory approach. The SOCI Act now applies to 22 asset classes over 11 sectors, including water and energy, and imposes obligations in four key areas:

  • Asset registration
  • Incident reporting
  • Risk management programs
  • Government intervention powers
     

Failure to comply with the requirements of the SOCI Act can result in significant penalties, including fines or enforcement actions. Understanding these compliance requirements is crucial for organisations to effectively navigate their cybersecurity and supply chain obligations. In addition, the regulatory landscape is evolving and it is incumbent on critical infrastructure organisations to keep abreast of any future amendments.

The Cyber and Infrastructure Security Centre (cisc.gov.au) provides guidance and sector-specific templates to assist.

Recommendations for strengthening resilience

To address the multifaceted cybersecurity challenges faced by today’s utilities, a layered and collaborative approach is necessary. Cybersecurity experts tend to list the following recommendations as a guide:

  • Maintain asset visibility: Keep detailed, continuously updated inventories of hardware and software in ICS environments.
  • Utilise network segmentation: Use firewalls and VLANs to separate IT from OT systems and limit lateral movement in the event of a breach.
  • Enforce strict access controls: Enforce multi-factor authentication (MFA) for all remote access, especially to SCADA systems.
  • Provide staff training: Regular cybersecurity awareness training should be given to engineers, plant operators and IT personnel.
  • Work diligently on patch management: Develop procedures to test and apply updates in ICS environments without disrupting operations.
  • Adopt recommended frameworks: Align with international standards such as the NIST Cybersecurity Framework, IEC 62443, and ISA/IEC 99 for industrial security.
  • Government partnerships: Engage with government agencies for threat intelligence and best practices.
  • Invest in monitoring: Deploy OT-aware detection and response tools to identify anomalies early and reduce incident response time.

Quantum computing: the cybersecurity threat on the horizon

As if the existing cybersecurity challenges for utilities were not enough, we now see another cybersecurity threat looming over the horizon: quantum computing.

Research into quantum computing is progressing rapidly — with companies like Google and Microsoft having already announced they have developed quantum computing chips — and while this new technology is still in its developmental phase, it promises to revolutionise many aspects of computing. However, one of the most disruptive effects will be its ability to break current cryptographic standards, particularly public-key encryption methods such as RSA, DSA, and ECC. These encryption methods underpin everything from secure logins and VPNs to the authentication of industrial control system communications.

The implications for critical infrastructure are profound. Most SCADA and ICS systems use asymmetric encryption to secure communication and firmware updates. A sufficiently powerful quantum computer could decrypt sensitive configuration files, forge updates, or impersonate legitimate controllers, potentially allowing an attacker to manipulate operations remotely. Utilities also depend on digital certificates to authenticate devices and users, and quantum computing could render these certificates useless unless post-quantum cryptographic algorithms are adopted.

It may be quite some time until the average criminal hacker can acquire quantum computing to crack encryption, leaving nation-state actors as the only ones who may be able to afford such technology. However, as geopolitical tensions rise in the Indo-Pacific, nation-state adversaries are expected to prioritise quantum readiness. Water and energy utilities, often the soft underbelly of national infrastructure, may be targeted to cause mass disruption without triggering military escalation.

Quantum-powered cyberattacks, when they arrive, are likely to be selective and strategic — targeting authentication systems, secure firmware channels, or encrypted remote telemetry links used in water pumping stations and electrical substations.

Australia’s SOCI Act is expected to evolve further to include guidance or mandates on post-quantum cryptography (PQC) in the years ahead. International frameworks (such as the US NIST Post-Quantum Cryptography project) are developing new standards, and Australian utilities will need to align to maintain international interoperability and compliance.

However near or far in the future these developments may be, the time to be concerned is actually the present. Even today, attackers may harvest encrypted data and traffic with the intent to decrypt it in the future using quantum computers (the ‘store now, decrypt later’ strategy). Sensitive operational data, intellectual property and SCADA configurations therefore need to be protected from harvesting now, making current cybersecurity measures all the more important.

While large-scale, practical quantum computers may still be several years away, the threat is not theoretical. For Australia's water, wastewater, and energy utilities — sectors already under constant cyber threat — quantum computing represents a new paradigm of risk.

Recommendations for utility operators

While the cybersecurity risks posed by quantum computing are still a future threat, steps need to be taken now to mitigate the future risk. The following steps should be under consideration:

  • Inventory cryptographic assets and assess where quantum-vulnerable algorithms are used, especially in remote sensing and control devices.
  • Begin planning for crypto-agile architectures — systems that can adapt to future algorithm changes without complete hardware replacement.
  • Work closely with government agencies like the Australian Cyber Security Centre (ACSC) and Australian Signals Directorate (ASD) to align with national quantum-readiness strategies.
  • Encourage vendor accountability by requiring post-quantum readiness in new product procurements.
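
One way to start the inventory step in the list above, as an added example (not from the article or any vendor tool): it parses certificate text dumps laid out like the output of `openssl x509 -noout -text`, flags RSA, DSA and ECC in either the device key or the issuer's signature, and ranks the longest-lived certificates first. The device names, certificate excerpts and ranking rule are constructed assumptions.

```python
import re

# Post-quantum names are tested first because "ML-DSA" contains "dsa".
POST_QUANTUM = re.compile(r"ml-dsa|ml-kem|slh-dsa", re.I)
# Families the article names as quantum-vulnerable: RSA, DSA, ECC.
VULNERABLE = re.compile(r"rsa|dsa|ecdsa|id-ecPublicKey", re.I)
FIELDS = {
    "device": re.compile(r"Subject: .*?CN\s*=\s*(\S+)"),
    "key_alg": re.compile(r"Public Key Algorithm: (\S+)"),
    "sig_alg": re.compile(r"Signature Algorithm: (\S+)"),
    "expires": re.compile(r"Not After : .*?(\d{4}) GMT"),
}

def classify(alg):
    if not alg:
        return "unknown"
    if POST_QUANTUM.search(alg):
        return "post-quantum"
    return "quantum-vulnerable" if VULNERABLE.search(alg) else "unknown"

def assess(cert_texts):
    """Parse each certificate dump and rank findings, longest-lived first."""
    findings = []
    for text in cert_texts:
        rec = {k: (m.group(1) if (m := rx.search(text)) else None)
               for k, rx in FIELDS.items()}
        states = {classify(rec["key_alg"]), classify(rec["sig_alg"])}
        # A post-quantum key is only as strong as the issuer's signature on it.
        rec["status"] = ("quantum-vulnerable" if "quantum-vulnerable" in states
                         else "unknown" if "unknown" in states else "post-quantum")
        findings.append(rec)
    return sorted(findings, key=lambda r: -int(r["expires"] or 0))

def dump(cn, sig, key, year):  # builds a constructed sample excerpt
    return (f"Signature Algorithm: {sig}\n Not After : Jun 15 00:00:00 {year} GMT\n"
            f" Subject: CN = {cn}\n Subject Public Key Info:\n"
            f"  Public Key Algorithm: {key}\n")

SAMPLES = [  # constructed device names and certificates, not real assets
    dump("rtu-pump-07", "sha256WithRSAEncryption", "rsaEncryption", 2038),
    dump("hmi-gw-01", "ecdsa-with-SHA256", "id-ecPublicKey", 2027),
    dump("meter-hub-03", "ML-DSA-65", "ML-DSA-65", 2030),
    dump("relay-sub-12", "sha256WithRSAEncryption", "ML-DSA-65", 2031),
]

if __name__ == "__main__":
    for f in assess(SAMPLES):
        print(f"{f['expires']}  {f['device']:<14} {f['status']:<19} "
              f"key={f['key_alg']} sig={f['sig_alg']}")
```

The `relay-sub-12` sample shows why both fields are checked: its key is post-quantum, but the certificate is still signed with RSA.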

Conclusion

Australia’s critical infrastructure sectors are facing a cybersecurity crossroads. As the digitalisation of water and energy utilities accelerates, so too does their exposure to sophisticated cyber threats. With aging assets, tight budgets and increasing regulatory complexity, proactive investment in cybersecurity is no longer optional — it is essential.

1. Australian Cyber Security Centre 2020, Advisory 2020-008: Copy-Paste Compromises - tactics, techniques and procedures used to target multiple Australian networks, <<https://www.cyber.gov.au/sites/default/files/2023-02/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>>
2. Department of Home Affairs 2022, Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, <<https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022>>
3. Energy Source & Distribution 2022, Customer details exposed in EnergyAustralia cyberattack, <<https://esdnews.com.au/customer-details-exposed-in-energyaustralia-cyberattack/>>
4. Castlepoint Systems 2021, South East Water: PII discovery project defends against increased cyber threats, <<https://www.castlepoint.systems/success-stories/south-east-water-pii-discovery-project-defends-against-increased-cyber-threats>>
5. Australian Cyber Security Centre 2023, ASD Cyber Threat Report 2022-2023, <<https://www.cyber.gov.au/sites/default/files/2023-11/asd-cyber-threat-report-2023.pdf>>
6. Australian Energy Market Operator 2022, Australian Energy Sector Cyber Security Framework (AESCSF) Overview, <<https://aemo.com.au/-/media/files/initiatives/cyber-security/aescsf/aescsf-framework-overview.pdf>>
7. McFarlane S 2025, Rogue communication devices found in Chinese solar power inverters, Reuters, <<https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/>>
8. Australian Cyber Security Centre 2025, Guidelines for procurement and outsourcing, <<https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/ism/cybersecurity-guidelines/guidelines-procurement-and-outsourcing>>
9. Australian Cyber Security Centre 2023 (n 5)


  • All content Copyright © 2025 Westwick-Farrow Pty Ltd