Category: 3. Business

How strong is economic growth?

Economic growth is forecast to reach 2.4% in early 2026, a rate that’s slightly above the pace the economy can comfortably sustain, sometimes called its “speed limit.”

Households are a major driver of this strength, helped by earlier interest rate cuts, recent tax changes and steady job and income gains. Investment in data centres and renewable energy projects is also adding momentum as are improvement in housing investment and support from public demand.

What could this mean for borrowers?

The expected February rate rise would be a fine-tuning move, not the start of a large run-up in interest rates. The RBA is aiming to nudge inflation back toward target rather than cool the economy sharply.

However, if household spending or business investment turns out even stronger than expected, the RBA may need to raise rates more than once. In contrast, coolness in the labour market or a faster fall in inflation could deter the RBA.

The bottom line

Australia enters 2026 in solid shape, but its strength is keeping inflation higher than the RBA would like. A modest rate rise in February looks likely as the central bank works to keep price pressures in check while supporting a steady, sustainable pace of growth.

“We expect inflation to gradually return toward the midpoint of the target band by late 2027. A small rate rise next year would help set the foundation for a steady, sustainable period of growth,” said Allen.

Read Belinda Allen and the Australian Economic team’s full analysis: The Australian economy in 2026 – prepare for higher interest rates

Link to photos (Courtesy Office of the Lieutenant Governor)

HONOLULU – In anticipation of the busy holiday travel season, state leaders provided updates on various technology enhancements at Hawai‘i’s airports to help improve the travel experience for residents. They also provided an update on the state’s digitized agriculture declaration form, Akamai Arrival, which is now live on all domestic flights to Hawai‘i.

With holiday travel expected to surge in the coming weeks, Lieutenant Governor Sylvia Luke, who led the launch of Akamai Arrival, reminded residents returning home that they will now complete the agriculture declaration form digitally, meaning no more hard copies and no need for a pen. The form can be filled out online either in-flight or up to five days before traveling.

“Modernizing our systems is about making life easier for our residents while strengthening the protections that keep Hawai‘i special. With the agriculture form now fully digital on all domestic flights, we want to remind residents of this new change — especially for those seeing it for the first time this holiday season,” said Lt. Gov. Luke. “After decades of digging through your bag or borrowing a pen from the person next to you, we finally have a simpler, more efficient solution that supports our state’s biosecurity efforts and protects Hawai‘i’s natural environment.”

The digital agriculture form first launched as a pilot in February 2025 and has since been fully adopted by all domestic airline partners flying to Hawaiʻi. Early data show compliance increased from an average of 60% with the paper form to 85% with the digital form, supporting the Hawai‘i Department of Agriculture and Biosecurity and the state’s broader commitment to protecting Hawai‘i’s natural resources.

The state is also continuing to make progress in implementing improvements throughout Hawai‘i’s airports to increase efficiency, safety and comfort for travelers. The Hawai‘i Department of Transportation (HDOT) has launched various online tools and technology to provide important information about the airports and help travelers get through check-in and security procedures before they board their flight.

“Traveling, especially during the busy holidays can be stressful, which is why HDOT is always looking for ways to help guide travelers through the required airport procedures, as well as provide different tools that can enhance their overall experience at the airport,” said HDOT Director Ed Sniffen.

HDOT now offers free airport wayfinding apps to help travelers better plan their time at the airport, including navigating the terminals, checking airport flight information and finding restaurants, shops and other amenities and services. HDOT is working to add a link on the apps to the Akamai Arrival form. The HNL Airport app for the Daniel K. Inouye International Airport and LIH Airport App for the Lῑhuʻe Airport can be downloaded from Google Play and Apple Store.

Apps for Maui and Hawai‘i Island airports will be launched over the next three months. The OGG Airport app for Kahului Airport is expected to be available to the public on January 20, 2026. The KOA Airport app for the Ellison Onizuka International Airport at Keāhole is planned for February 2, 2026. An app for Hilo International Airport is currently being developed and expected to be ready by March 30, 2026.

Large electronic display signs installed earlier this year in Terminal 1 of HNL allow travelers to view anticipated wait times at security checkpoints. Checkpoint status displays will be added in Terminal 2 upon completion of renovations to Checkpoint 3, which is expected in late 2026.

Travelers departing from the Honolulu and Kona airports can check the estimated available parking counts (refreshed every 10 minutes) via the HNL and KOA websites, respectively. The estimated parking count for HNL can also be accessed via the HNL Airport app.

HDOT offers the following tips for air travelers:

• Prior to going to the airport, check with your airline on the status of your flight, including any delays and gate assignments, as well as baggage claim area if you’re picking up arriving passengers.
• Remember to bring your REAL ID-compliant driver’s license, state ID, passport, or other acceptable form of identification to avoid delays at security checkpoints.
• Plan to arrive at the airport at least two hours prior to your scheduled flight departure for mainland or international flights, or 90 minutes early for interisland flights, to allow sufficient time to complete every step of the travel process including finding a place to park, checking luggage and getting through security.
• If possible, get dropped off or use public transportation to get to the airport. On O‘ahu, travelers can take advantage of the city’s Skyline rail service to get to and from the Daniel K. Inouye International Airport, thus avoiding traffic and parking fees.
• Hawai‘i airport parking lots fill up quickly over the holidays, particularly at the Līhu‘e and Hilo Airports, so it’s recommended that passengers plan accordingly.
• Travelers are reminded to lock their vehicle and not leave keys, valuables, or the parking ticket in the vehicle while parked in an airport lot.
• When going through security screening, families traveling with children can use the Transportation Security Administration’s (TSA) dedicated family lane located in Terminal 2, Checkpoint 4.
• TSA has created a series of videos to help travelers before they go through security checkpoints. See https://airports.hawaii.gov/hnl/flights/tsa-travel-tips/ for the collection of videos and a link to additional TSA resources.

###

Women across Britain will be better supported to enter, stay and lead in the UK’s tech sector as Technology Secretary Liz Kendall launches the Women in Tech Taskforce.

The UK’s tech sector is thriving, but it isn’t working for everyone. Every year, the economy loses an estimated £2 – £3.5 billion because women leave the tech sector or change jobs due to barriers that should not exist.

Secretary of State for Science, Innovation and Technology, Liz Kendall is taking decisive action to change that, convening the first meeting of the flagship Women in Tech Taskforce at the British Science Association yesterday (Monday 15 December). 

The taskforce is bringing together leading industry figures and experts from across the tech ecosystem. This first-of-its-kind initiative will advise government on how to better support diversity in tech and ensure the UK accesses the full talent pool, market opportunities, and innovation capacity needed for economic growth.

The need for change is clear. Men outnumber women 4 to 1 in computer science degrees. Women are less likely to enter tech, stay in the sector, or rise to leadership, not because they are less capable, but because systemic barriers hold them back. A 2023 Fawcett Society study found 20% of men in tech believe women are inherently less suited for these roles.

At the current pace, it will take 283 years for women to achieve equal representation in tech and female-founded startups receive 5.9x less funding than male-founded ones, despite delivering 35% higher returns on investment.

The Women in Tech Taskforce will identify and dismantle barriers to education, training, and career progression. It will develop practical solutions for government and industry to implement side by side, shape policy that encourages diversity and levels the playing field, and drive sustainable and inclusive economic growth by expanding opportunities for women across the UK.

Technology Secretary, Liz Kendall said:

Technology should work for everyone, that is why I have established the Women in Tech Taskforce, to break down the barriers that still hold too many people back, and to partner with industry on practical solutions that make a real difference.

This matters deeply to me. When women are inspired to take on a role in tech and have a seat at the table, the sector can make more representative decisions, build products that serve everyone, and unlock the innovation and growth our economy needs.

In one of the first moves to establish the taskforce Anne-Marie Imafidon, founder of the STEMETTES, has been appointed as the Women in Tech Envoy and in this role will lead the taskforce alongside Secretary of State.

The taskforce will look to replicate the success of outstanding women-led UK tech companies, including Ivee, Starling Bank, Peanut, and Koru Kids, and will complement major DSIT initiatives designed to develop and support tech talent in the UK, such as the £187m TechFirst skills programme and the Regional Tech Booster programme.

Encouraging more women into tech careers starts in the classroom – and that’s why the government is standing up the landmark TechFirst skills programme to help more girls develop tech skills and consider a future career in tech. 

This comes as the government has announced the new curriculum will ensure every young person learns essential digital and AI skills – equipping them with the capabilities needed to open the doors to careers in tech. With the government’s wider support of the STEM Ambassadors Programme and the National Centre for Computing Education’s ‘I Belong’ programme, showing girls across the country the potential careers they could have in tech. The taskforce will build on these measures with plans to boost representation in the tech workforce.

• UK’s largest car plant transformed with launch of new generation EV, supporting 6,000 jobs and boosting economic growth.
• Industry Minister Chris McDonald will visit site and hail the new LEAF as major step forward for the auto sector’s EV transition and green economy.
• Start of production comes as government’s modern Industrial Strategy is delivering £4 billion into the automotive sector – the biggest investment into the car industry since the post-war era.

In a huge boost to the UK economy and auto industry, car manufacturing giant Nissan has begun production of the next generation LEAF in Sunderland – making it the first new high volume electric car to be produced in the UK since 2020. 

Nissan has invested more than £450 million into manufacturing the new LEAF at their Wearside plant – including over £300 million directly into the firm’s UK operations – supporting 6,000 jobs and thousands more in the supply chain. 

Today [16 December], Industry Minister Chris McDonald will attend the launch in Sunderland, where he will hail the start of production as a major boost to both the North East and the automotive sector, a step which underlines the UK’s position at the forefront of manufacturing green technologies.  

This latest development builds on the biggest government investment into the UK’s car industry of the post-war era, with £4 billion of funding from the modern Industrial Strategy going towards accelerating the electrification of vehicle plants and investment in batteries, electric motors and power electronics. 

Business and Trade Secretary Peter Kyle said: 

Sunderland is the beating heart of the UK’s automotive industry, and Nissan’s investment is a major commitment to the North East and a huge vote of confidence in our economy. 

Through this government’s modern Industrial Strategy, we’re delivering £4 billion into our world leading auto sector – the biggest investment into the car industry since the post-war era – driving growth, innovation and jobs across the country.

Government has worked closely with Nissan and their partners to transform Sunderland into an EV manufacturing hub, strengthening the nation’s domestic EV manufacturing capabilities and boosting economic growth. 

Industry Minister Chris McDonald said: 

We’re proud of our historic car industry, so I’m delighted that Nissan is producing the new LEAF in Sunderland. This will strengthen the UK’s position as a global leader for manufacturing and as the destination of choice for investment. 

This government has taken decisive action to back the automotive sector through our modern Industrial Strategy, securing new trade deals and creating export opportunities, supporting UK manufacturers to safeguard jobs and helping to secure the future of the sector for decades to come.

Through the Industrial Strategy, the government plans to cluster EV manufacturing across growth areas. Along with the introduction of the new LEAF, the government is announcing the launch of two new regional EV supply chain pilots in partnership with the North East and West Midlands Metro Mayors.  

Implemented under DRIVE35, these programmes will strategically boost growth, enhance UK supply chain resilience and increase domestic production in the transition to zero emission technologies. 

Just over the road from the plant, AESC has opened a new 12 GWh gigafactory which will supply batteries for Nissan, showcasing the power of investment in boosting the supply chain through new jobs and opportunities in the region.  

Adam Pennick, Vice President, Manufacturing, at Nissan Sunderland Plant said:  

Nissan has invested into our state-of-the-art plant to build the EVs of the future and there is huge pride and excitement in our team to be building this brilliant car in Sunderland. 

The skills, expertise and team-work of our people have powered Sunderland’s success, and the transformation of our plant for new LEAF demonstrates our leadership in the journey to electrification.

Drivers can save £3,750 off the new Nissan LEAF thanks to the government’s Electric Car Grant which is putting thousands of pounds back in families’ pockets when they decide to make the switch. The scheme is backing the UK’s automotive industry, a key sector identified in the UK’s modern Industrial Strategy, which supports 133,000 jobs in the UK, and a further 320,000 jobs in the wider economy.

This moment follows the government launching both the Industrial and Trade Strategies and securing three trade deals with the US, India and EU – supporting the auto sector by reducing tariffs and creating new export opportunities – whilst cementing the UK’s position as a top investment destination.  

Notes to editors: 

• Through the government’s modern Industrial Strategy’s £2.5 billion DRIVE35 programme, an additional £1.5 billion investment was announced in the Budget, bringing total capital support to an unprecedented £4 billion until 2035.
• The ECG was launched earlier this year and is making it cheaper and easier to own an electric vehicle, with over 40,000 people benefiting from the grant so far.

The ACCC has commenced separate proceedings in the Federal Court against home meal delivery providers Grocery Delivery E-Services Australia Pty Ltd (trading as HelloFresh) and Youfoodz Pty Ltd for allegedly misleading consumers over subscriptions.

The ACCC alleges that HelloFresh and Youfoodz, which are both owned by HelloFresh SE, breached the Australian Consumer Law by advertising on their websites and apps that new customers could easily cancel subscriptions through their online account settings as long as they did so before a specified cut-off time. In fact, when many consumers tried to cancel their subscription online prior to the first delivery cut-off time, they were still charged for and received the first order.

Despite being able to sign up easily through the websites and apps, consumers were only able to cancel the first delivery if they spoke with a customer service representative.

HelloFresh allegedly carried out this conduct between 1 January 2023 and 14 March 2025, and Youfoodz between 1 October 2022 and 22 November 2024. During these periods, 62,061 HelloFresh customers and 39,408 Youfoodz customers were charged a fee despite cancelling their subscription before the specified cut-off time for the first order.

“We’ve brought these two cases because we allege that HelloFresh’s and Youfoodz’s conduct involved a suite of confusing and unclear subscription practices in breach Australia’s consumer laws,” ACCC Commissioner Luke Woodward said. 

“Despite what HelloFresh and Youfoodz represented to new Australian subscribers, tens of thousands of consumers were charged for their first order, even though they cancelled their subscription before the cut-off date.”

The ACCC also alleges that HelloFresh required consumers to provide payment details to view and select meals from the full menu but represented to them in the sign-up process that they would not be charged unless they selected meals from the menu. In fact, when consumers clicked the button to progress to the meal selection screens, they were entered into an ongoing subscription and charged for the first delivery.

Many HelloFresh consumers were not even aware that they had been signed up to an ongoing subscription until they received a delivery or payment notification.

The ACCC also alleges that Youfoodz communicated to consumers who had taken steps to cancel their subscription in their online account settings that the first delivery was cancelled and they would not be charged, when in fact the first delivery could not be cancelled this way and they were still charged.

“In the case of HelloFresh, many consumers had not even selected meals but were unknowingly subscribed and charged regardless,” Mr Woodward said.

“Traders must clearly communicate when consumers are signing up for a subscription, as well as how they are able to cancel and avoid being charged.”

“Businesses using confusing and complicated subscription cancellation policies is a matter of significant public concern and, where there is evidence of breaches of the Australian Consumer Law and consumer harm, the ACCC will take enforcement action when appropriate,” Mr Woodward said.

“We are also urging consumers who are purchasing gifts this festive season to carefully review the contract terms before paying for any subscriptions.”

Consumer and fair trading issues in the digital economy and in the supermarket and retail sectors are among the ACCC’s current 2025-26 Enforcement Priorities.

The ACCC is seeking compensation orders for affected consumers, penalties, declarations, publication orders, the implementation of a compliance program and costs.

Individual consumer experiences

In one example, a consumer accessed the HelloFresh website on their phone and entered their payment details to view the menu, but after viewing it, decided not to proceed with a subscription. They did not realise that by saving their payment details, they were already subscribed. They later received a notification via PayPal that they had been charged and found it difficult to contact HelloFresh regarding the payment at a time when they were experiencing financial distress.

In another case, a consumer signed up for a Youfoodz subscription, which they cancelled online within minutes of viewing the menu. They later received a text stating their delivery would arrive the following day and they had been charged. They called Youfoodz multiple times to request a refund and were eventually offered a 50 per cent refund.

Background

HelloFresh and Youfoodz are both owned by the German-based parent company HelloFresh SE. HelloFresh offers weekly meal kits, whereas Youfoodz offers weekly ready-made meals.  

Consumers can sign up for HelloFresh’s or Youfoodz’s services through their websites or their smartphone applications.

The ACCC commenced its investigation into HelloFresh and Youfoodz in October 2024 after receiving a large number of consumer complaints.

Concise statements

ACCC v HelloFresh Concise Statement 16 December 2025

( PDF 534.99 KB )

ACCC v Youfoodz Concise Statement 16 December 2025

( PDF 538.64 KB )

Part I: The digitised grid

Introduction

In recent years, Australia has become a world leader in distributed energy resources (DER) and consumer energy resources (CER)[1], with many households and small businesses generating power through rooftop solar, battery storage and electric vehicles.[2]

At the same time, the growing number of connected devices has expanded the potential entry points for cyberattacks.[3] As operational technology (OT) and information technology (IT) become more integrated, the grid faces increased exposure to cyberwarfare and ransomware. Hackers may target the grid for financial gain, disruption of critical infrastructure or to access sensitive information. Breaches could interrupt electricity supply, cause widespread blackouts and destabilise essential services such as telecommunications, transport and water systems.

Protecting the grid is therefore a priority. Australia must implement robust IT and OT security measures, enhance its regulatory frameworks, ensure vendors maintain full visibility and control of connected systems and foster cooperation between government, industry and cybersecurity experts to safeguard critical infrastructure.[4]

How has Australia’s grid become more digitised?

Across Australia, the energy landscape is undergoing rapid change. Projections indicate that by 2050 almost half of all households and businesses will operate rooftop solar systems, with approximately 61% – 84% of rooftop solar systems expected to be coupled with a battery as uptake increases.[5]

Integrating these variable energy sources into the grid is challenging and can result in grid constraints and power inefficiencies if not done effectively.[6]

Grid digitisation involves integrating information and communication technologies (ICT) and advanced data analytics into the electricity network to improve efficiency, reliability and security.[7]

Notably, Australia’s renewable energy industry has been transformed by:

1. The ‘Internet of Things’ (IoT): In the renewable energy context, is a network of interconnected devices (such as smart meters, solar inverters, wind turbine sensors, batteries and electric vehicle chargers) that collect and exchange real-time data to optimise energy production, storage and use. IoT enables operators to monitor equipment performance, forecast generation, balance supply and demand and detect faults early. At the household level, IoT supports ‘smart’ energy use by automatically running appliances based on solar output or off-peak times, forming the foundation for technologies like smart grids and energy management systems.[8]
2. Smart grid technology: A digitised network that uses data analytics, sensors and automated control systems to manage electricity flows in real-time.[9] This allows the grid to respond dynamically to fluctuations in supply and demand, integrate DER more effectively and provide greater visibility for both operators and consumers.
3. Energy management software (EMS): Cloud-based systems that monitor and control DER to optimise energy use.[10] In homes, EMS platforms decide when to charge or discharge batteries or draw from the grid to minimise costs.[11] In commercial settings, they provide centralised, real-time oversight of energy performance across sites, often integrating with building management systems to manage temperature, ventilation, and lighting.

However, whilst these innovations help bridge the gap between OT and IT, the increased connectivity of devices and systems (which were previously more isolated)[12] also brings new vulnerabilities, fuelling an increase in concerns around data protection and cybersecurity.

 

The harm with digitisation

How digitisation increases risk

As society’s dependence on digitally connected renewable energy infrastructure grows and more automation is introduced to manage the grid’s increasing complexities, vulnerability to cyberattacks rises. Each new connection introduces potential weaknesses, increasing the risk of compromised security and large-scale disruption.[13]

The rapid uptake of solar and smart energy appliances in homes and businesses has expanded potential entry points for cyberattacks, [14] with connected devices varying widely in their levels of security. [15]

Because the renewable energy sector underpins both national infrastructure and the broader economy, a single cyber incident or technical failure could disrupt electricity supply, compromise critical infrastructure, weaken grid stability and (in severe cases) destabilise entire regions. [16]

Cybersecurity experts warn that as systems become more interconnected, cybersecurity becomes even more critical.[17] Our energy networks, and by extension, modern life, depend on secure, uninterrupted access to power.[18]

Consequently, cybersecurity is not just about protecting digital assets but about safeguarding the stability of the national energy system itself.^[19] Continuous monitoring, validation, and authentication across all devices and users are essential to maintaining that security.[20]

 

Types of threats hackers can carry out

Over the past year, cyberattacks on the energy, transport and telecommunications sector have increased by 30%.[21] In 2023 alone, 90% of the world’s largest energy companies suffered a cybersecurity breach.[22]

There are various types of threats to DERs and that may be carried out by hackers, including:

1. Social engineering attacks: Hackers use phishing emails, fake websites, or messages to trick employees, installers, or consumers into revealing passwords or system access credentials, potentially allowing unauthorised control of solar inverters, batteries, or management platforms.[23]
2. Malware-based attacks: Malicious software such as ransomware or trojans can infiltrate energy management systems or IoT devices, disrupting operations, encrypting control data, or remotely manipulating device settings to destabilise local grids or virtual power plants.[24]
3. Supply chain compromises: Attackers may target trusted vendors, installers, or software providers, injecting malware into firmware updates or compromising third-party integrations, to gain indirect access to multiple DER systems simultaneously.[25]

An example of how these threats could affect DER is through smart meters or home energy management systems. If an attacker manipulates DER telemetry or control signals (such as coordinating rapid, periodic changes in battery charge/discharge or photovoltaic output) it could mimic an oscillation attack, destabilising local voltage or frequency. Grid protection systems may then trip automatically, potentially causing localised blackouts or disrupting aggregated DER services like virtual power plants.[26]

As security systems strengthen, cybercriminals are becoming increasingly sophisticated,[27] exploiting gaps between IT and OT (with the latter historically being less developed and protected). With IT and OT now more integrated, companies are adopting software solutions to properly safeguard OT, identify grid bottlenecks and mitigate these emerging cyber risks. [28]

Part II: Cyber resilience and regulation

Current regulatory landscape

Regulatory frameworks and gaps

Australia’s current protections for DER are delivered through a combination of the below key sector-led guidance and legislative frameworks.

Two new legal frameworks were recently passed that focus specifically on CERs. Whilst CERs form a substantial component of DERs, the two are not identical, with DERs being broader in scope. Not all measures and protections that apply to CERs will extend to DERs more generally.

2. Cyber Security Act 2024 (Cth) (Cyber Act):[29]
   Enacted on 29 November 2024, the Cyber Act strengthens CER protections by requiring smart energy devices, including inverters and battery systems, to meet minimum cybersecurity standards. It also mandates reporting ransom or extortion incidents within 72 hours and establishes a Cyber Incident Review Board to assess major incidents and issue sector-wide recommendations. These reforms directly target vulnerabilities at the device level and are expected to influence the broader DER ecosystem as smart devices proliferate.
3. Cyber Security (Security Standards for Smart Devices) Rules 2025 (Cyber Rules):[30]
   Effective 4 March 2026, the Cyber Rules set a mandatory baseline for consumer-grade internet-connected devices, including CER. Requirements include unique passwords, security contact points, and defined update periods. By addressing these common vulnerabilities like default passwords and inconsistent updates, the Cyber Rules enhance CER security, privacy, and reliability while indirectly strengthening protections for the wider energy network into which DERs integrate.

The above CER-specific frameworks sit alongside the following broader DER-relevant mechanisms:

1. Updates to the National Electricity Rules (NER)
   In December 2024, the Australian Energy Market Commission introduced a rule clarifying the Australian Energy market Operator’s (AEMO) cybersecurity role, formalising four functions: coordinating incidents, supporting preparedness via AESCSF and exercises, advising government and industry on risks, and sharing critical cybersecurity information with market participants.[31]
2. Australian Energy Sector Cyber Security Framework (AESCSF)
   The AESCSF is a cybersecurity framework developed and tailored to the Australian energy sector, enabling market and non-market participants (including DER participants), to assess, evaluate, prioritise, and improve their cybersecurity capability and maturity.[32]The AESCSF Lite Framework provides a customised approach for smaller, emerging, or resource-constrained organisations, including those operating within the DER ecosystem.[33] These organisations play a vital role in the broader energy landscape and are increasingly interconnected with critical energy systems. The framework is deliberately designed to be agnostic to organisational size, scale, or maturity, making it more suited for DER participants that may lack dedicated cybersecurity teams or fully developed security programmes.[34]
3. Security of Critical Infrastructure Act 2018 (SOCI Act)
   The amended SOCI Act broadened its scope to include the energy sector, introducing stringent cybersecurity standards and incident reporting obligations for energy providers. Under the SOCI Act, owners and operators of ‘critical infrastructure’ face fines and penalties if they fail to meet prescribed security requirements.[35]

However, despite these frameworks, DER presents unique vulnerabilities. Except for the Cyber Act and Cyber Rules (which are more relevant for CERs), most of the above frameworks[36] largely focus on aggregated or centrally registered assets, leaving gaps for behind-the-meter DER. Key observations made by industry stakeholders include:

1. The SOCI Act excludes generators with a capacity under 30 MW and lacks a clear classification for DER aggregators (which may control capacities above this threshold), creating uncertainty about which obligations apply to original equipment manufacturers (OEMs).[37]
2. Some distribution network service providers (DNSPs) have introduced their own guidelines for how SOCI Act requirements apply to DER and OEMs, but SMA and the Smart Energy Council note this can lead to inconsistencies and potential misunderstandings across jurisdictions.[38]
3. The AESCSF does not cover device-level standards for products such as inverters, and the new NER, which formalised AEMO’s cybersecurity role, does not give AEMO authority to mandate participation, leaving OEMs guided by generators’ requirements, which may include SOCI Act obligations.^[39]

Although cyber regulation and policies exist, it can be difficult for consumers to find out how these requirements are enforced and reported.[40] Stakeholders have called for a national, DER cybersecurity strategy, clearer guidance from market bodies and governments on DER security, and the introduction of mandatory standards for DER systems.[41] Whilst stakeholders have welcomed the emerging CER-specific protections, it is noted that these measures are still in early stages[42] and further clarity is needed from market bodies and governments on the practical application of these requirements.[43]

 

Current technology and gaps

Australia’s DER systems employ multiple layers of cybersecurity to protect renewable energy assets.[44]

At a high level, operators use encrypted communications, multi-factor authentication, network segmentation, automated threat detection, and AI driven anomaly monitoring, often supported by 24/7 Security Operations Centres. Frameworks such as the AESCSF help DER providers conduct risk checks, vet vendors, and plan incident responses.[45] Device-level systems, such as microgrid controllers and inverters, use layered security including firewalls, encryption, and intrusion detection.[46] Initiatives like South Australia’s Virtual Power Plant security framework provide real-time monitoring and active protection across DER networks.[47]

Despite these measures, DER systems remain vulnerable to attack. Internet-connected inverters, batteries, and other DER devices are still exposed to data attacks, operational disruption, or grid instability,[48] increasing the volume of sensitive data at risk.[49] Diverse technologies, multiple stakeholders, and mixed old and new systems makes consistent protection challenging.[50] Stand-alone security solutions often fail to detect risks across interconnected DER assets, while operators and utilities may lack access to sufficient operational data to respond quickly, leaving gaps similar to those seen in consumer-grade smart devices.

 

Future directions for DER cybersecurity

Preventing attacks is not the responsibility of a single group. Close cooperation between all industry players is essential to building a robust defence,[51] ensuring the responsibility for protection does not fall entirely on households and small businesses. For owners of DER, practical steps such as maintaining a secure home Wi-Fi network and using strong, unique passwords can provide an added layer of protection.[52]

The industry should consider the following initiatives to strengthen DER cybersecurity:

1. Close regulatory gaps and harmonise frameworks: Address the SOCI Act’s 30 MW threshold and implement a national strategy to align requirements across jurisdictions and DNSPs.[53]
2. Introduce mandatory device-level standards across all DERs: Require mandatory security standards across all DERs (rather than only focusing on regulation at the CER level and relying on voluntary frameworks for broader DERs) for inverters, smart meters, and communications gateways, including proactive safeguards, vulnerability testing,[54] secure procurement, multi-factor authentication, network segmentation, and timely intelligence sharing with AEMO and regulators.[55]
3. Ensure supply chain accountability: Provide clear guidance on how cybersecurity obligations flow through the DER supply chain, from OEMs to service providers to end users, recognising that overall security is only as strong as the weakest link, with IoT and AI creating additional risks.[56]
4. Enhance AEMO resourcing and preparedness: Expand AEMO’s role in risk assessment, threat intelligence dissemination, and proactive guidance to improve DER resilience.[57]
5. Adopt a prescriptive regulatory approach: Stronger and more integrated regulatory measures are needed to address the current fragmented framework and better safeguard Australia’s evolving energy ecosystem.[58]

 

Conclusion

Australia’s shift to a decentralised, digitally connected energy grid has made it a global leader in DER, delivering sustainability, efficiency, and energy independence. However, increased IT/OT integration has expanded the cyberattack surface, where vulnerabilities in one area can have widespread effects.

Mitigating these risks requires a coordinated approach: strengthening IT and OT protections, maintaining visibility and control over infrastructure, and regularly testing and updating cybersecurity measures. Collaboration between government, industry, specialists, and consumers ensures shared responsibility. By combining technological safeguards with coordinated policy and active risk management, Australia can grow its clean energy capabilities while protecting critical infrastructure from emerging cyber threats.

 

---

The Hamilton Locke team advises across the energy project life cycle – from project development, grid connection, financing, and construction, including the buying and selling of development and operating projects. For more information, please contact Matt Baumgurtel.

---

 

[1] CERs are a subset of DERs and specifically refer to the consumer-owned technologies which generate, store or manage electricity. The primary focus of this article is on DERs.

[2] Michael Rothschild, ‘Combating the cyber threat to Australia’s distributed solar grid ambitions’ Australian Information Security Association (Web Page) .

[3] Daniel Mercer, ‘Australia’s electricity grid increasingly vulnerable to hackers via solar panels, smart devices’, ABC News (online, 14 March 2022) .

[4] Rothschild (n 2).

[5] Green Energy Markets, Projections for distributed energy resources – solar PV and stationary energy battery systems (Report, December 2024) 14 chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.aemo.com.au/-/media/files/major-publications/isp/2025/GEM-2024-Solar-PV-and-Battery-Projections-Report.pdf>.  

[6] ‘Role of Smart Grids in Australia’s Path to Energy Independence’ Smart Lifestyle Australia  (Web Page, 11 February 2025) .

[7]Power Circle, Digitalization of the Grid (White Paper, November 2022) 2 .

[8] Jasmin Jessen, ‘Top 10 Uses of IoT in Energy’, Energy Digital (Web Page, 12 March 2025) ; Tanveer Ahmad and Dongdong Zhang, ‘Using the internet of things in smart energy systems and networks’ (2021) 68 Sustainable Cities and Society.

[9] Warren, Smart Grid Technology: Powering Australia’s Renewable Energy Future’ Sustainable Future Australia (Web Page, 2 April 2025) .

[10] ‘How cyber attacks can threaten the energy transition’, Twoday (Web Page, 1 September 2025) .

[11] ‘Home Energy Management System’, Evergen (Web Page) <https://evergen.energy/home-energy-management-systems/>.

[12] Warren (n 9).

[13] Mercer (n 3).

[14] Warren, ‘Renewable Energy’s Achilles Heel: Why Cybersecurity is Critical for Australia’s Green Grid’, Sustainable Future Australia (Web Page, 3 April 2025). .

[15] Mercer (n 3)

[16] Warren (n 14).

[17] Mercer (n 3).

[18] Mercer (n 3).

[19] Warren (n 14).

[20] Richard Bergman, Tony Martin and Emma Hawthorne, ‘How cyber security can keep pace with the energy transition’, EY (Web Page, 9 October 2023). .

[21] The Transformation Group, Safeguarding the grid: Cyber Threats in Energy Infrastructure (Report) 2 .

[22] ‘Securing Renewable Data: Green Energy Sector Cybersecurity Challenges’ Beetroot (Web Page, 3 May 2025) < https://beetroot.co/business/securing-renewable-data-green-energy-sector-cybersecurity-challenges/#:~:text=Renewable%20energy%20systems%2C%20from%20wind,millions%20of%20customer%20data%20records.>.

[23] ‘Cybersecurity Challenges in the Renewable Energy Sector’, EC-Council University (Web Page, 10 February 2025) .

[24] See ibid.

[25] Twoday (n 10).

[26] Falah Alanazi, Jinsub Kim and Eduardo Cotilla-Sanchez, ‘Load Oscillating Attacks of Smart Grids: Vulnerability Analysis’ (2023) 11 IEEE Access 36538, 36538-36539.

[27] CrowdStrike, 2025 Global Threat Report (Report) 2-3 .

[28] Tom Kline, Unlocking Australia’s Green Future: The Critical Rols of New Grid Technology’, Climate Tech Partners (Web Page, 28 October 2025) .

[29] Department of Home Affairs, ‘Cyber Security (Security Standards for Smart Devices) Explanatory Document’ (Explanatory Document, 2024) .

[30] See Ibid.

[31] Australian Energy Market Commission, ‘National Electricity Amendment (Cyber security roles and responsibilities) Rule 2024 (Final Determination, December 2024) 32 .

[32] Australian Energy Market Operator, ‘AESCSF 2025 Distributed & Consumer Energy Resources Guidance’ (Guidance Material, 2025) 4 .

[33] See Ibid 5-7.

[34] Australian Energy Market Operator (n 32) 7.

[35] Australian Energy Market Commission (n 31).

[36] Department of Climate Change, Energy, the Environment and Water, ‘National Consumer Energy Resources Roadmap’ (Report, July 2024) .

[37] Australian Energy Market Operator (n 32).

[38] Australian Energy Market Operator (n 32).

[39] Australian Energy Market Operator (n 32).

[40] SolarEdge, ‘Submission to the 2023-2030 Australian Cyber Security Strategy’ (Submission, 29 August 2025) 2 .

[41] Department of Climate Change, Energy, the Environment and Water (n 36).

[42] SolarEdge (n 40).

[43] Department of Climate Change, Energy, the Environment and Water, ‘National Consumer Energy Resources (CER) Roadmap Implementation Plan Update’ (Report, August 2025) 20 .

[44] Warren (n 14).

[45] Warren (n 14).

[46] Juanwei Chen et al,’ Cybersecurity of distributed energy resource systems in the smart grid: A survey’ (2025) 383 Applied Energy.

[47] Warren (n 14).

[48] Juanwei Chen et al (n 46).

[49] Juanwei Chen et al (n 46).

[50] Juanwei Chen et al (n 46).

[51] ‘OT Security: Recent Attacks Expose Risks for Australia’s Critical Infrastructure‘ KineticIt, (Web Page, 15 October 2024) .

[52] Dor Son Tan, ‘Energy System Cybersecurity for an Uncertain World’, Energy Networks Australia (Web Page, 20 April 2023) .

[53] Australian Energy Market Commission (n 31).

[54] Bella Peacock, ”Really Serious’ Problems Cybersecurity Breaches Pose in Australia’s DER Future’, PV Magazine Australia (Webpage, 27 June 2023) .

[55] Australian Energy Market Commission (n 31).

[56] Australian Energy Market Commission (n 31).

[57] Australian Energy Market Commission (n 31).

[58] Australian Energy Market Commission (n 31).