ASX-listed energy software provider Energy One has been targeted in a cyberattack with the company confirming that “certain corporate systems in Australia and the United Kingdom” were affected.
Energy One, which specialises in energy trading software for clients including major retailers and generators in Australia, Europe and the United States, said in a statement it “took immediate steps to limit the impact of the incident,” including disabling “some links between its corporate and customer-facing systems.”
The company said it had alerted the Australian Cyber Security Centre and U.K. authorities of the breach and “analysis is underway to identify which, if any, additional systems may have been affected by the cyberattack.”
The attack comes after the federal government-backed Cyber Security Cooperative Research Centre (CSCRC) raised concerns that Australia’s use of foreign-made solar panel technology, notably inverters, has made the country susceptible to targeted cyberattacks that could undermine the stability of power grids.
In a new report, the CSCRC has highlighted that the cyber risk associated with solar inverters has increased as the popularity of smart home energy systems has boomed, with most inverters now web connected for monitoring and control purposes.
The CSCRC said as the number of homes with solar systems continues to increase, the risk associated with inverters continues to grow with the devices vulnerable to a range of cyber intrusions including “hacking, malware attacks, manipulation and disruption.”
“As internet-connected devices they collect and distribute valuable data and are attractive targets for malicious cyber actors,” the research body said. “In the case of photovoltaic inverters, which play an increasingly vital role in Australia’s power supply, the potential ramifications could be catastrophic.”
While individual attacks wouldn’t affect the grid more broadly, CSCRC Research Director Helge Janicke said a widespread attack could destabilise an entire power grid, leading to widespread blackouts.
“Conceivably such attacks could be so severe that they result in a ‘black start’ event, an effective restarting of a power grid,” he said. “It could take a week to recover from a black start because power plants would be incapable of turning back without reliance on an auxiliary power source.”
The CSCRC has recommended a raft of policy solutions, saying Australia needs to take a more hands-on approach to regulation of cyber security, especially as it relates to the security of critical infrastructure.
The CSCRC said is calling for cyber security impact assessments for all solar inverters sold in Australia and the introduction of mandatory cyber security ratings for solar inverters. It also declared that any inverters assessed as having serious cyber security vulnerabilities should be removed from sale and recalled from use, or appropriate security fixes should be applied if available.
“There is an opportunity to embed cyber security considerations into mandatory standards that solar inverters sold in Australia should be required to meet,” it said.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: firstname.lastname@example.org.