Australia's cybersecurity plans overlooked smart home devices, expert warns
According to cybersecurity expert Leon Poggioli, the current proposals to reform Australia's cybersecurity legislation should pay greater attention to smart home devices, in particular the solar inverters instrumental in grid stability. Poggioli is the ANZ Regional Director at Claroty, a company specialising in the protection of critical infrastructure sectors including government, energy, healthcare, and education.
In his commentary, Poggioli highlighted the positive direction of Australia's new cyber legislation and its cybersecurity strategy of 2030, whose clear objective is to make the country a leading force in cyber safety. Key aspects are the enhanced focus on "Systems of National Significance" and the institution of "Mandatory minimum standards for consumer smart devices."
Poggioli explained, "Smart home devices, which are controlled by electricity distributors for power grid stability, are the key intersection between these two areas that warrants special consideration." The most notable case is in South Australia, where new installations of home solar panel systems require connection to SA Power Networks, allowing for the remote disconnection of these home solar systems when the grid supply exceeds demand.
As Australia's National Electricity Market (NEM) continues its push towards higher use of renewable energy, it's anticipated that more remote grid operations will be needed to maintain balance in supply and demand. Poggioli noted, "These solar inverters are typically considered to be smart home devices, but they are actually playing a vital role in Australia's decarbonised energy future." He added, "In 2023, 38.6% of energy supplied by Australia's NEM was from renewable sources (up from 26.6% in 2020), and this is expected to continue to grow."
However, he expressed concern that devices like solar inverters, often several years old, are not top of mind for consumers in terms of regular updates to guard against security vulnerabilities. Moreover, if manufacturers cease operations, ensuring ongoing device support, maintenance, and security updates becomes a massive challenge. "This underscores the urgency of incorporating contingency plans and regulatory measures that account for the lifecycle of these devices," Poggioli emphasised.
In summary, Poggioli suggests a preventive approach: to include all smart devices involved in power generation within the scope of critical infrastructure. Such a move would facilitate the identification and mitigation of potential cyber risks, providing a more robust level of resilience against emerging threats. Poggioli concluded, "By addressing this risk, Australia will be able to progress towards a less carbon-intensive energy future without increasing the risk of a cyberattack impacting grid stability."