Cyber threats to energy market prompts possible rule change


The Australian Energy Market Commission (AEMC) has published a consultation paper on a rule change request to establish cyber security as one of the Australian Energy Market Operator (AEMO)’s responsibilities under the National Electricity Rules (NER).

The request has been issued by federal Energy Minister Chris Bowen to help the energy industry be cyber security ready.

Under the proposed rule change, AEMO would specifically be required and funded to undertake four cyber security preparedness functions, including coordinating a National Electricity Market (NEM) cyber incident response plan and supporting energy businesses to be prepared for cyber incidents.

AEMO would be required to also provide expert cyber security advice to government and industry and distribute critical cyber security information to market participants.

AEMO currently has existing emergency powers to respond to actual cyber incidents.

AEMC Chair Anna Collyer said as the country’s energy system becomes increasingly digitised and interconnected, robust cyber security measures are crucial to ensure electricity supply reliability and resilience.

‘’Cyber security is an important enabler for the energy transition. For it be successful, the associated risks need to be well managed, and the proposed rule change aims to formally recognise the provision of identified cyber security services as one of AEMO’s core responsibilities under the National Electricity Rules,” Collyer said.

”The objective is to provide clarity on their role in this area, enable cost recovery for cyber security services, and enhance accountability across the industry.”

Electricity industry cyber security challenges are being addressed through the stakeholder collaboration, Australian Energy Sector Cyber Security Framework (AESCSF), which serves as a voluntary assessment program, enabling participants to evaluate and improve their cyber security maturity.

The proposed rule change aims to build upon these existing efforts, providing AEMO with the necessary tools and resources to further bolster the NEM’s resilience against evolving cyber threats.

Malicious actors targeting upstream suppliers can impact downstream customers potentially disrupting businesses in the energy sector.

Image: Australian Signals Directorate

The Australian Signals Directorate Cyber Threat Report 2022-2023 found that 15% of all cyber security incidents that financial year were categorised as C3 or above, 17% of which were from the energy sector.

Common C3 incident types include compromised assets, network or infrastructure, data breaches, ransomware, following by exploitation of public-facing applications and phishing.

In May 2024, Victorian electricity company Sumo confirmed a data breach of personal information of 40,000 customers and in June 2024, two rare-earth mineral companies, Iluka Resources and Northern Minerals were targeted respectively by denial-of-service and ransomware attacks.

Feedback on the consultation paper close 18 July 2024 and insights will be published in draft on 26 September 2024.

This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact:

Popular content

Neoen reaches new milestone with Collie big battery
16 July 2024 French renewable energy and storage developer Neoen has announced a new milestone for its massive Collie battery energy storage system being construct...