NEM cybersecurity update: loading

In modern society we expect someone to look out for us and our many devices with respect to keeping them cybersecure. It is an unspoken expectation that someone should update our devices with the latest security patches to protect us from the bad actors lurking in the dark parts of the web. Soon the Australian electricity system will get the next best thing.

I of course refer to the recent rule change proposed by Federal Energy Minister The Hon Chris Bowen to establish the Australian Energy Market Operator (AEMO) as the Cyber Incident Coordinator. We have previously talked about the need to protect our energy system from malicious actors who may be state-sponsored, have criminal objectives or even be ‘hacktivists’.

Under the proposal,  AEMO’s role would be further defined to act as a ‘clearing house’ of issues and preparations to defend the shared energy system from cyber-attack. However it is important to note that this does not give AEMO the ability to dictate what individual industry participants must do, which is a risk/reward decision that organisations must make for themselves.

We think this proposal strikes a good balance between what AEMO does now, its relationships to industry and being given unchecked powers that would force unjustified costs onto the industry and eventually consumers.

Interestingly, it seems like the objectives of this rule change are ultimately aimed at building the case for funding to uplift AEMO’s cyber capabilities, which is a hard one to argue against.

It also helps to fill one of the positions in the broader roles and responsibilities work that we’ve been calling for over several years.

As energy is only one sector of the economy, AEMO’s proposed new role doesn’t take away from the remit of the existing plethora of three and four-letter acronyms which are charged to protect Australia’s cybersecurity such as the ASD, ACSC, CISC.

If nothing else, this added definition to fill out the roles and responsibilities map helps make sure there’s not a duplication of effort that could be spent on other more productive things.

Our energy system is changing and the way we protect it needs to change too

In the context of moving to an energy system with millions of tiny generators that all need to be cyber-secure, we are lucky that there are solutions in this space, but it will require the whole of industry working in concert.

If we don’t start seriously thinking about these issues now, the onus of security will be passed down to the many households that will own these devices. Unlike large organisations, these households don’t have the benefit of a corporate cybersecurity team and are ill-equipped to make these types of decisions for themselves or for the wider system.

This rule change goes some way to answering some of the questions I have posed and networks are ready to pick up the phone when AEMO calls.

Thankfully this update won’t require a restart of the NEM.