Part I: The digitised grid
Introduction
In recent years, Australia has become a world leader in distributed energy resources (DER) and consumer energy resources (CER)[1], with many households and small businesses generating power through rooftop solar, battery storage and electric vehicles.[2]
At the same time, the growing number of connected devices has expanded the potential entry points for cyberattacks.[3] As operational technology (OT) and information technology (IT) become more integrated, the grid faces increased exposure to cyberwarfare and ransomware. Hackers may target the grid for financial gain, disruption of critical infrastructure or to access sensitive information. Breaches could interrupt electricity supply, cause widespread blackouts and destabilise essential services such as telecommunications, transport and water systems.
Protecting the grid is therefore a priority. Australia must implement robust IT and OT security measures, enhance its regulatory frameworks, ensure vendors maintain full visibility and control of connected systems and foster cooperation between government, industry and cybersecurity experts to safeguard critical infrastructure.[4]
How has Australia’s grid become more digitised?
Across Australia, the energy landscape is undergoing rapid change. Projections indicate that by 2050 almost half of all households and businesses will operate rooftop solar systems, with approximately 61% – 84% of rooftop solar systems expected to be coupled with a battery as uptake increases.[5]
Integrating these variable energy sources into the grid is challenging and can result in grid constraints and power inefficiencies if not done effectively.[6]
Grid digitisation involves integrating information and communication technologies (ICT) and advanced data analytics into the electricity network to improve efficiency, reliability and security.[7]
Notably, Australia’s renewable energy industry has been transformed by:
- The ‘Internet of Things’ (IoT): In the renewable energy context, IoT is a network of interconnected devices (such as smart meters, solar inverters, wind turbine sensors, batteries and electric vehicle chargers) that collect and exchange real-time data to optimise energy production, storage and use. IoT enables operators to monitor equipment performance, forecast generation, balance supply and demand and detect faults early. At the household level, IoT supports ‘smart’ energy use by automatically running appliances based on solar output or off-peak times, forming the foundation for technologies like smart grids and energy management systems.[8]
- Smart grid technology: A digitised network that uses data analytics, sensors and automated control systems to manage electricity flows in real-time.[9] This allows the grid to respond dynamically to fluctuations in supply and demand, integrate DER more effectively and provide greater visibility for both operators and consumers.
- Energy management software (EMS): Cloud-based systems that monitor and control DER to optimise energy use.[10] In homes, EMS platforms decide when to charge or discharge batteries or draw from the grid to minimise costs.[11] In commercial settings, they provide centralised, real-time oversight of energy performance across sites, often integrating with building management systems to manage temperature, ventilation, and lighting.
However, whilst these innovations help bridge the gap between OT and IT, the increased connectivity of devices and systems (which were previously more isolated)[12] also brings new vulnerabilities, fuelling an increase in concerns around data protection and cybersecurity.
The harm with digitisation
How digitisation increases risk
As society’s dependence on digitally connected renewable energy infrastructure grows and more automation is introduced to manage the grid’s increasing complexities, vulnerability to cyberattacks rises. Each new connection introduces potential weaknesses, increasing the risk of compromised security and large-scale disruption.[13]
The rapid uptake of solar and smart energy appliances in homes and businesses has expanded potential entry points for cyberattacks,[14] with connected devices varying widely in their levels of security.[15]
Because the renewable energy sector underpins both national infrastructure and the broader economy, a single cyber incident or technical failure could disrupt electricity supply, compromise critical infrastructure, weaken grid stability and (in severe cases) destabilise entire regions.[16]
Cybersecurity experts warn that as systems become more interconnected, cybersecurity becomes even more critical.[17] Our energy networks, and by extension, modern life, depend on secure, uninterrupted access to power.[18]
Consequently, cybersecurity is not just about protecting digital assets but about safeguarding the stability of the national energy system itself.[19] Continuous monitoring, validation, and authentication across all devices and users are essential to maintaining that security.[20]
Types of threats hackers can carry out
Over the past year, cyberattacks on the energy, transport and telecommunications sector have increased by 30%.[21] In 2023 alone, 90% of the world’s largest energy companies suffered a cybersecurity breach.[22]
There are various types of threats to DERs that may be carried out by hackers, including:
- Social engineering attacks: Hackers use phishing emails, fake websites, or messages to trick employees, installers, or consumers into revealing passwords or system access credentials, potentially allowing unauthorised control of solar inverters, batteries, or management platforms.[23]
- Malware-based attacks: Malicious software such as ransomware or trojans can infiltrate energy management systems or IoT devices, disrupting operations, encrypting control data, or remotely manipulating device settings to destabilise local grids or virtual power plants.[24]
- Supply chain compromises: Attackers may target trusted vendors, installers, or software providers, injecting malware into firmware updates or compromising third-party integrations, to gain indirect access to multiple DER systems simultaneously.[25]
An example of how these threats could affect DER is through smart meters or home energy management systems. If an attacker manipulates DER telemetry or control signals (such as coordinating rapid, periodic changes in battery charge/discharge or photovoltaic output) it could mimic an oscillation attack, destabilising local voltage or frequency. Grid protection systems may then trip automatically, potentially causing localised blackouts or disrupting aggregated DER services like virtual power plants.[26]
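As an added defender-side illustration of the oscillation scenario above (this is not code from the article or from the cited paper), the following Python flags a fleet of batteries whose charge/discharge setpoints flip in lockstep with a common short period, which is the telemetry signature an operator would want to catch before protection relays trip. The telemetry format, the thresholds and the sample fleet are all assumptions constructed for the example.

```python
from statistics import mean, pstdev

# Constructed telemetry model (assumption): device_id -> list of (timestamp_s,
# power_kw) samples at 1 Hz; positive = discharge, negative = charge.


def zero_crossings(samples):
    """Timestamps at which the signed power flips between charge and discharge."""
    return [t1 for (_, p0), (t1, p1) in zip(samples, samples[1:]) if p0 * p1 < 0]


def dominant_period(crossings, max_cv=0.2):
    """Period from crossing spacing (two crossings per cycle => 2 * mean gap).
    None if too few crossings or spacing is irregular (CV above max_cv)."""
    if len(crossings) < 4:
        return None
    gaps = [b - a for a, b in zip(crossings, crossings[1:])]
    m = mean(gaps)
    if m == 0 or pstdev(gaps) / m > max_cv:
        return None
    return 2 * m


def detect_coordinated_oscillation(telemetry, min_amplitude_kw=2.0,
                                   max_period_s=60.0, min_fraction=0.5,
                                   phase_tolerance_s=2.0):
    """Alert when >= min_fraction of the fleet swings with amplitude >=
    min_amplitude_kw, shares one short period and crosses zero at the same
    instants. Independent household behaviour does not line up like this."""
    periodic = {}  # device -> (rounded period, first crossing time)
    for dev, samples in telemetry.items():
        if max(abs(p) for _, p in samples) < min_amplitude_kw:
            continue
        crossings = zero_crossings(samples)
        period = dominant_period(crossings)
        if period is not None and period <= max_period_s:
            periodic[dev] = (round(period), crossings[0])
    groups = {}  # period -> [(device, first crossing)]
    for dev, (period, first) in periodic.items():
        groups.setdefault(period, []).append((dev, first))
    if not groups:
        return {"alert": False, "fraction": 0.0, "period_s": None, "devices": []}
    period, members = max(groups.items(), key=lambda kv: len(kv[1]))
    firsts = [f for _, f in members]
    aligned = max(firsts) - min(firsts) <= phase_tolerance_s
    fraction = len(members) / len(telemetry)
    return {"alert": aligned and fraction >= min_fraction, "fraction": fraction,
            "period_s": period, "devices": sorted(d for d, _ in members)}


def build_sample_fleet(attacked=4, normal=2, seconds=120):
    """Constructed sample: `attacked` batteries driven in lockstep (+/-5 kW
    flipping every 10 s) beside `normal` batteries at steady setpoints."""
    fleet = {}
    for i in range(attacked):
        fleet[f"bat-{i:02d}"] = [(t, 5.0 if (t // 10) % 2 == 0 else -5.0)
                                for t in range(seconds)]
    for i in range(normal):
        steady = 2.0 if i % 2 == 0 else -1.5  # small deterministic jitter below
        fleet[f"home-{i:02d}"] = [(t, steady + 0.05 * (t % 3))
                                 for t in range(seconds)]
    return fleet
```

In a real deployment the same check would run over a sliding window of aggregator or DNSP telemetry, with the alert feeding the operator's incident process rather than acting on devices directly.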
As security systems strengthen, cybercriminals are becoming increasingly sophisticated,[27] exploiting gaps between IT and OT (with the latter historically being less developed and protected). With IT and OT now more integrated, companies are adopting software solutions to properly safeguard OT, identify grid bottlenecks and mitigate these emerging cyber risks.[28]
Part II: Cyber resilience and regulation
Current regulatory landscape
Regulatory frameworks and gaps
Australia’s current protections for DER are delivered through a combination of the key sector-led guidance and legislative frameworks set out below.
Two new legal frameworks were recently passed that focus specifically on CERs. Whilst CERs form a substantial component of DERs, the two are not identical, with DERs being broader in scope. Not all measures and protections that apply to CERs will extend to DERs more generally.
- Cyber Security Act 2024 (Cth) (Cyber Act):[29]
Enacted on 29 November 2024, the Cyber Act strengthens CER protections by requiring smart energy devices, including inverters and battery systems, to meet minimum cybersecurity standards. It also mandates reporting ransom or extortion incidents within 72 hours and establishes a Cyber Incident Review Board to assess major incidents and issue sector-wide recommendations. These reforms directly target vulnerabilities at the device level and are expected to influence the broader DER ecosystem as smart devices proliferate.
- Cyber Security (Security Standards for Smart Devices) Rules 2025 (Cyber Rules):[30]
Effective 4 March 2026, the Cyber Rules set a mandatory baseline for consumer-grade internet-connected devices, including CER. Requirements include unique passwords, security contact points, and defined update periods. By addressing these common vulnerabilities like default passwords and inconsistent updates, the Cyber Rules enhance CER security, privacy, and reliability while indirectly strengthening protections for the wider energy network into which DERs integrate.
The above CER-specific frameworks sit alongside the following broader DER-relevant mechanisms:
- Updates to the National Electricity Rules (NER)
In December 2024, the Australian Energy Market Commission introduced a rule clarifying the Australian Energy Market Operator’s (AEMO) cybersecurity role, formalising four functions: coordinating incidents, supporting preparedness via AESCSF and exercises, advising government and industry on risks, and sharing critical cybersecurity information with market participants.[31]
- Australian Energy Sector Cyber Security Framework (AESCSF)
The AESCSF is a cybersecurity framework developed and tailored to the Australian energy sector, enabling market and non-market participants (including DER participants) to assess, evaluate, prioritise, and improve their cybersecurity capability and maturity.[32] The AESCSF Lite Framework provides a customised approach for smaller, emerging, or resource-constrained organisations, including those operating within the DER ecosystem.[33] These organisations play a vital role in the broader energy landscape and are increasingly interconnected with critical energy systems. The framework is deliberately designed to be agnostic to organisational size, scale, or maturity, making it more suited for DER participants that may lack dedicated cybersecurity teams or fully developed security programmes.[34]
- Security of Critical Infrastructure Act 2018 (SOCI Act)
The amended SOCI Act broadened its scope to include the energy sector, introducing stringent cybersecurity standards and incident reporting obligations for energy providers. Under the SOCI Act, owners and operators of ‘critical infrastructure’ face fines and penalties if they fail to meet prescribed security requirements.[35]
However, despite these frameworks, DER presents unique vulnerabilities. Except for the Cyber Act and Cyber Rules (which are more relevant for CERs), most of the above frameworks[36] largely focus on aggregated or centrally registered assets, leaving gaps for behind-the-meter DER. Key observations made by industry stakeholders include:
- The SOCI Act excludes generators with a capacity under 30 MW and lacks a clear classification for DER aggregators (which may control capacities above this threshold), creating uncertainty about which obligations apply to original equipment manufacturers (OEMs).[37]
- Some distribution network service providers (DNSPs) have introduced their own guidelines for how SOCI Act requirements apply to DER and OEMs, but SMA and the Smart Energy Council note this can lead to inconsistencies and potential misunderstandings across jurisdictions.[38]
- The AESCSF does not cover device-level standards for products such as inverters, and the new NER, which formalised AEMO’s cybersecurity role, does not give AEMO authority to mandate participation, leaving OEMs guided by generators’ requirements, which may include SOCI Act obligations.[39]
Although cyber regulation and policies exist, it can be difficult for consumers to find out how these requirements are enforced and reported.[40] Stakeholders have called for a national, DER cybersecurity strategy, clearer guidance from market bodies and governments on DER security, and the introduction of mandatory standards for DER systems.[41] Whilst stakeholders have welcomed the emerging CER-specific protections, it is noted that these measures are still in early stages[42] and further clarity is needed from market bodies and governments on the practical application of these requirements.[43]
Current technology and gaps
Australia’s DER systems employ multiple layers of cybersecurity to protect renewable energy assets.[44]
At a high level, operators use encrypted communications, multi-factor authentication, network segmentation, automated threat detection, and AI driven anomaly monitoring, often supported by 24/7 Security Operations Centres. Frameworks such as the AESCSF help DER providers conduct risk checks, vet vendors, and plan incident responses.[45] Device-level systems, such as microgrid controllers and inverters, use layered security including firewalls, encryption, and intrusion detection.[46] Initiatives like South Australia’s Virtual Power Plant security framework provide real-time monitoring and active protection across DER networks.[47]
Despite these measures, DER systems remain vulnerable to attack. Internet-connected inverters, batteries, and other DER devices are still exposed to data attacks, operational disruption, or grid instability,[48] increasing the volume of sensitive data at risk.[49] Diverse technologies, multiple stakeholders, and mixed old and new systems make consistent protection challenging.[50] Stand-alone security solutions often fail to detect risks across interconnected DER assets, while operators and utilities may lack access to sufficient operational data to respond quickly, leaving gaps similar to those seen in consumer-grade smart devices.
Future directions for DER cybersecurity
Preventing attacks is not the responsibility of a single group. Close cooperation between all industry players is essential to building a robust defence,[51] ensuring the responsibility for protection does not fall entirely on households and small businesses. For owners of DER, practical steps such as maintaining a secure home Wi-Fi network and using strong, unique passwords can provide an added layer of protection.[52]
The industry should consider the following initiatives to strengthen DER cybersecurity:
- Close regulatory gaps and harmonise frameworks: Address the SOCI Act’s 30 MW threshold and implement a national strategy to align requirements across jurisdictions and DNSPs.[53]
- Introduce mandatory device-level standards across all DERs: Require mandatory security standards across all DERs (rather than only focusing on regulation at the CER level and relying on voluntary frameworks for broader DERs) for inverters, smart meters, and communications gateways, including proactive safeguards, vulnerability testing,[54] secure procurement, multi-factor authentication, network segmentation, and timely intelligence sharing with AEMO and regulators.[55]
- Ensure supply chain accountability: Provide clear guidance on how cybersecurity obligations flow through the DER supply chain, from OEMs to service providers to end users, recognising that overall security is only as strong as the weakest link, with IoT and AI creating additional risks.[56]
- Enhance AEMO resourcing and preparedness: Expand AEMO’s role in risk assessment, threat intelligence dissemination, and proactive guidance to improve DER resilience.[57]
- Adopt a prescriptive regulatory approach: Stronger and more integrated regulatory measures are needed to address the current fragmented framework and better safeguard Australia’s evolving energy ecosystem.[58]
Conclusion
Australia’s shift to a decentralised, digitally connected energy grid has made it a global leader in DER, delivering sustainability, efficiency, and energy independence. However, increased IT/OT integration has expanded the cyberattack surface, where vulnerabilities in one area can have widespread effects.
Mitigating these risks requires a coordinated approach: strengthening IT and OT protections, maintaining visibility and control over infrastructure, and regularly testing and updating cybersecurity measures. Collaboration between government, industry, specialists, and consumers ensures shared responsibility. By combining technological safeguards with coordinated policy and active risk management, Australia can grow its clean energy capabilities while protecting critical infrastructure from emerging cyber threats.
The Hamilton Locke team advises across the energy project life cycle – from project development, grid connection, financing, and construction, including the buying and selling of development and operating projects. For more information, please contact Matt Baumgurtel.
[1] CERs are a subset of DERs and specifically refer to the consumer-owned technologies which generate, store or manage electricity. The primary focus of this article is on DERs.
[2] Michael Rothschild, ‘Combating the cyber threat to Australia’s distributed solar grid ambitions’ Australian Information Security Association (Web Page)
[3] Daniel Mercer, ‘Australia’s electricity grid increasingly vulnerable to hackers via solar panels, smart devices’, ABC News (online, 14 March 2022)
[4] Rothschild (n 2).
[5] Green Energy Markets, Projections for distributed energy resources – solar PV and stationary energy battery systems (Report, December 2024) 14 <https://www.aemo.com.au/-/media/files/major-publications/isp/2025/GEM-2024-Solar-PV-and-Battery-Projections-Report.pdf>.
[6] ‘Role of Smart Grids in Australia’s Path to Energy Independence’ Smart Lifestyle Australia (Web Page, 11 February 2025)
[7] Power Circle, Digitalization of the Grid (White Paper, November 2022) 2
[8] Jasmin Jessen, ‘Top 10 Uses of IoT in Energy’, Energy Digital (Web Page, 12 March 2025)
[9] Warren, ‘Smart Grid Technology: Powering Australia’s Renewable Energy Future’, Sustainable Future Australia (Web Page, 2 April 2025)
[10] ‘How cyber attacks can threaten the energy transition’, Twoday (Web Page, 1 September 2025)
[11] ‘Home Energy Management System’, Evergen (Web Page) <https://evergen.energy/home-energy-management-systems/>.
[12] Warren (n 9).
[13] Mercer (n 3).
[14] Warren, ‘Renewable Energy’s Achilles Heel: Why Cybersecurity is Critical for Australia’s Green Grid’, Sustainable Future Australia (Web Page, 3 April 2025).
[15] Mercer (n 3).
[16] Warren (n 14).
[17] Mercer (n 3).
[18] Mercer (n 3).
[19] Warren (n 14).
[20] Richard Bergman, Tony Martin and Emma Hawthorne, ‘How cyber security can keep pace with the energy transition’, EY (Web Page, 9 October 2023).
[21] The Transformation Group, Safeguarding the grid: Cyber Threats in Energy Infrastructure (Report) 2
[22] ‘Securing Renewable Data: Green Energy Sector Cybersecurity Challenges’, Beetroot (Web Page, 3 May 2025) <https://beetroot.co/business/securing-renewable-data-green-energy-sector-cybersecurity-challenges/#:~:text=Renewable%20energy%20systems%2C%20from%20wind,millions%20of%20customer%20data%20records.>.
[23] ‘Cybersecurity Challenges in the Renewable Energy Sector’, EC-Council University (Web Page, 10 February 2025)
[24] See ibid.
[25] Twoday (n 10).
[26] Falah Alanazi, Jinsub Kim and Eduardo Cotilla-Sanchez, ‘Load Oscillating Attacks of Smart Grids: Vulnerability Analysis’ (2023) 11 IEEE Access 36538, 36538-36539.
[27] CrowdStrike, 2025 Global Threat Report (Report) 2-3
[28] Tom Kline, ‘Unlocking Australia’s Green Future: The Critical Role of New Grid Technology’, Climate Tech Partners (Web Page, 28 October 2025)
[29] Department of Home Affairs, ‘Cyber Security (Security Standards for Smart Devices) Explanatory Document’ (Explanatory Document, 2024)
[30] See ibid.
[31] Australian Energy Market Commission, ‘National Electricity Amendment (Cyber security roles and responsibilities) Rule 2024’ (Final Determination, December 2024) 32
[32] Australian Energy Market Operator, ‘AESCSF 2025 Distributed & Consumer Energy Resources Guidance’ (Guidance Material, 2025) 4
[33] See ibid 5-7.
[34] Australian Energy Market Operator (n 32) 7.
[35] Australian Energy Market Commission (n 31).
[36] Department of Climate Change, Energy, the Environment and Water, ‘National Consumer Energy Resources Roadmap’ (Report, July 2024)
[37] Australian Energy Market Operator (n 32).
[38] Australian Energy Market Operator (n 32).
[39] Australian Energy Market Operator (n 32).
[40] SolarEdge, ‘Submission to the 2023-2030 Australian Cyber Security Strategy’ (Submission, 29 August 2025) 2
[41] Department of Climate Change, Energy, the Environment and Water (n 36).
[42] SolarEdge (n 40).
[43] Department of Climate Change, Energy, the Environment and Water, ‘National Consumer Energy Resources (CER) Roadmap Implementation Plan Update’ (Report, August 2025) 20
[44] Warren (n 14).
[45] Warren (n 14).
[46] Juanwei Chen et al, ‘Cybersecurity of distributed energy resource systems in the smart grid: A survey’ (2025) 383 Applied Energy.
[47] Warren (n 14).
[48] Juanwei Chen et al (n 46).
[49] Juanwei Chen et al (n 46).
[50] Juanwei Chen et al (n 46).
[51] ‘OT Security: Recent Attacks Expose Risks for Australia’s Critical Infrastructure’, KineticIt (Web Page, 15 October 2024)
[52] Dor Son Tan, ‘Energy System Cybersecurity for an Uncertain World’, Energy Networks Australia (Web Page, 20 April 2023)
[53] Australian Energy Market Commission (n 31).
[54] Bella Peacock, ‘“Really Serious” Problems Cybersecurity Breaches Pose in Australia’s DER Future’, PV Magazine Australia (Web Page, 27 June 2023)
[55] Australian Energy Market Commission (n 31).
[56] Australian Energy Market Commission (n 31).
[57] Australian Energy Market Commission (n 31).
[58] Australian Energy Market Commission (n 31).
