Cyber security steps up as hot topic for consumer energy resources


After bubbling along in the background for years, this year the cyber security implications of aggregating many remotely-controllable solar inverters and other energy IoT devices are bursting into the public space in real time. Secure communication between grid-edge devices and the cloud is a crucial focus for Wattwatchers’ technology roadmap and rolling product releases.

SECURING THE GRID-EDGE: GAVIN DIETZ, WATTWATCHERS CEO

‘In the case of photovoltaic inverters (solar inverters), which play an increasingly vital role in Australia’s power supply, the potential ramifications could be catastrophic, presenting threats to national security, economic prosperity and even to life.’ – POWER OUT? Solar inverters and the silent cyber threat, Cyber Security CRC, August 2023

It’s geo-political, ideological, technical, commercial and a key challenge for policy-makers and industry self-regulation all at once.

In recent weeks and months there’s been a flurry of activity around the cyber security of solar inverters, coming from groups as disparate as energy system operators and regulators, cyber industry researchers, government agencies, politicians and parliamentary hearings.

This includes:

  • The release of the Cyber Security Cooperative Research Centre’s POWER OUT? Solar inverters and the silent cyber threat report in August, which includes recommendations to test all solar inverters being deployed in Australia, and to ban and recall from use those found to have serious cyber security vulnerabilities.
  • Revelations through federal parliamentary hearings (Senate estimates) that the Australian Department of Climate Change, Energy, the Environment and Water (DCCEEW) is working with Standards Australia on new standards for solar inverters, and with the Australian Energy Market Operator (AEMO) on potential technical solutions to inverter-related cyber vulnerabilities.
  • Trade media coverage including a Solar Quotes blog post headlined Ausgrid Highlights Multi-Billion-Dollar Cyber Risks In Solar And Battery Tech
  • A research report from the Institute of Public Affairs (IPA), a conservative think tank, called Energy Security is National Security: A Framework for Better Energy Outcomes in Australia
  • Public warnings by the Federal Opposition’s Shadow Minister for Home Affairs and Cyber Security, Senator James Paterson, that inverters – the majority of them made in China and subject to its laws – could be ‘weaponised by hackers’, urging the Albanese Government to invest in cyber security spending to safeguard the grid.
  • Self-assessments for AEMO’s Australian Energy Sector Cyber Security Framework (AESCSF)
  • A series of updates to the Commonwealth’s Security of Critical Infrastructure (SOCI) Act 2018, which includes electricity as critical infrastructure, bringing ‘operation-critical IoT devices’ into its scope. 

While some of this rising tide of cyber concerns can be linked to ‘other agendas’ – including China-sensitivity and related geo-political tensions, political positioning, and the pro-fossil fuels lobby and anti-renewables campaigning – there clearly are legitimate concerns in play.

Core role for technology and data

We’ve always known that the emerging electricity grid of the not-too-distant future, where nearly half of Australia’s electricity generation could be coming from rooftops and buildings, has to be enabled by technology and data.

With Internet of Things (IoT) technologies now proliferating in the electricity system, and artificial intelligence (AI) coming hot on their heels, it’s no surprise that cyber security is bursting into industry prominence alongside grid stability, resilience, affordability and carbon reduction imperatives.

Most of the focus is now falling on solar inverters, which turn the DC power generated by photovoltaic (PV) panels into the AC power that homes and most businesses use. There are already 3.5 million-plus of them operating in Australia.

But there will be many more smart device ‘actors’ in the electricity grid theatre as we expand consumer energy resources (CER), also known in industry terminology as distributed energy resources (DER), especially in combination with demand flexibility, the electrification of everything and the rise of concepts like grid-interactive efficient buildings and 24/7 carbon accounting.

Beyond solar inverters, think batteries and their inverters, smart hot water and HVAC, load management and orchestration, electric vehicles and their charging infrastructure, and all manner of monitors, sensors and control systems.

All of these will be operating alongside, but mainly if not completely independently of, the energy industry’s main focus of digitalisation: the utility ‘smart meter’, an outdated technology which currently struggles to even support a real-time display for customers.

Integration, interoperability and orchestration

Securely integrating all of these technologies, making them interoperable with one another both on-site and through the cloud, and orchestrating them in virtual fleets is the stuff that keeps grid and network operators awake at night in an increasingly cyber-sensitive world.

Enhanced security features are a core element of Wattwatchers’ technology roadmap and product releases coming in the months and years ahead, starting with the Auditor 6MW-CER next month (December 2023), which includes monitoring, remote control of solar for dynamic optimisation, plus switching for one household load such as hot water.

For security best practice reasons, which is a touch ironic, Wattwatchers doesn’t talk publicly about the full detail of our security features. 

First and foremost, however, our technology is Australian-designed, Australian-coded and Australian-made. Knowing and understanding the provenance of firmware, software and hardware is a key first step in security engagement.

A core feature is our use of secure cellular 4G for data backhaul between the devices and the cloud, where inverter-based solutions typically rely on WiFi that ‘piggybacks’ on the household’s internet connection. That reliance on household WiFi has clearly been identified as an operational performance weak spot and as a security vulnerability.

Wattwatchers will increasingly act as a technology intermediary between other IoT devices like inverters and smart appliances on one side, and the cloud and the electricity system on the other, providing secure and guaranteed communications as part of the service.