An independent review into the future of Australia’s National Electricity Market has recommended a heightened emphasis on cyber security.
Among the recommendations of the review (PDF) led by Australia’s chief scientist, Dr Alan Finkel, is that an annual report be released on the cyber security preparedness of the National Electricity Market (NEM).
The report would be developed by an Energy Security Board (ESB), a body that would drive the implementation of the new blueprint for the NEM outlined by the Finkel Review. The ESB would co-ordinate whole-of-system monitoring of security, reliability and planning.
The ESB would work with the Australian Cyber Security Centre and the Secretary of the Commonwealth Department of the Environment and Energy to develop the report.
The report would include an assessment of the cyber maturity of organisations that participate in the energy market; a stocktake of current regulatory procedures to ensure they are sufficient to deal with any potential “cyber incidents”; an assessment of the cyber security capabilities of the Australian Energy Market Operator, including third-party testing; and an “update from all energy market participants on how they undertake routine testing and assessment of cyber security awareness and detection, including requirements for employee training before accessing key systems”.
The first annual report should be completed by the end of 2018, the Finkel Review recommended.
“Strong cyber security measures for the NEM will be essential for maintaining Australia’s growth and prosperity in an increasingly global economy,” the review states.
“Most digital technologies are dependent on the internet. While this will continue to create new opportunities for innovation, there will be an increased need to work together to build resilience to cyber security threats. Gaining a better understanding of cyber security risks and preventing the electricity sector from becoming a target for cyber crime is important.”
The review outlines a range of previous attacks on power grids, including a 2015 attack on Ukrainian power companies, which involved the use of malware to get access to utilities’ networks as well as denial-of-service attacks on phone systems.
“The growing integration of ICT and connectivity with open networks with the NEM systems increases the cyber vulnerabilities of electricity market participants,” the review states.
The review notes that AEMO’s systems rely on real-time data to assess the status of the grid and that some modern SCADA systems deployed by utilities are connected to the Internet. Smart grids, smart meters and smart appliances rely on software and are generally connected to open networks, the review states.
“Energy service providers, vendors and electricity users are less likely to have stringent cyber security protocols on their corporate systems,” it adds. “They can be easy targets because they provide an entry point to other control networks and access to sensitive information.”
The government should accelerate the development and publication of voluntary good practice guidelines and industry-specific standards, the review argues. It also needs to work to improve threat sharing among industry and the government, as well as with energy companies overseas.
There is currently a “critical gap” when it comes to understanding where the cyber vulnerabilities and real risks are for the National Electricity Market.
“While the NEM has not suffered a successful cyber-attack, there is a growing concern about the cyber security of Australia’s critical infrastructure,” the Finkel Review argues.
“Going forward, there is a need for greater identification and monitoring of potential malicious threats to the NEM that would significantly impact government, business and the community.”