Cyber Domain, Military, Geopolitics Australia, Pacific Islands

Jun Osawa
Research Fellow,
Sasakawa Peace Foundation

printprint

Small-scale solar power systems account for 8.1%[1] of the total power supply in the Australia, a country where a heated debate has been raging since summer 2023[2] over the cybersecurity of such systems. Questions were first raised by Chris Bowen, Australian minister for climate change and energy, who pointed out that overreliance on Chinese-made solar power equipment poses supply-chain risks for renewable energy. “When supply chains are so concentrated, and getting more concentrated,” Bowen told an Australian newspaper In February 2023, “the risk is greater every day.”[3]

Australia is rich in natural resources like coal and natural gas, but it has been turning aggressively to renewables in recent years in an effort to counter global warming. In 2021–22, it generated 49.2% of its electric power from coal, 18.1% from natural gas, 1.7% from oil, 12.8% from solar, 10.7% from wind, and 6.3% from hydropower.[4] Renewable sources thus accounted for more than 30% of its power supply. (In Japan, so-called new energy accounted for 12.8% and hydropower for an additional 7 .5%.)[5] Of the 12.8% generated by solar power in Australia, about a third came from large-scale power plants and the remaining two-thirds from small-scale solar power systems installed by households and private businesses.[6]

The issue raised by the energy minister concerns the cybersecurity of these small-scale systems, which use Chinese-made “smart” inverters connected to the Internet. James Paterson, the opposition shadow minister for home affairs and cyber security has also long warned about the security risks of Chinese IT equipment, opposing the government’s use of Chinese surveillance cameras and DJI drones. In a July 2023 TV interview, he noted that 60% of smart inverters were Chinese made and that (1) these manufacturers are subject to China’s National Intelligence Law, (2) many of their executives are members of the Chinese Communist Party, (3) Chinese inverters have technical vulnerabilities that could make them targets of cyberattacks by the People’s Liberation Army or the Ministry of State Security, and (4) such a cyberattack could take the entire Australian power grid offline.[7]

In August 2023, the Cyber Security Cooperative Research Center released a report based on research funded by the Australian government to investigate cybersecurity vulnerabilities. It recommended that “Cyber security impact assessments be completed for all solar inverters being sold in Australia” and that “Solar inverters assessed as having serious cyber security vulnerabilities should be removed from sale and recalled from use.”[8] In response to these recommendations, the Australian government is reportedly developing security standards for small-scale, rooftop solar power equipment for private homes and commercial buildings, along with mitigation measures in the event of a cyberattack.[9]

Countermeasures in Japan

In Japan, cyber risk countermeasures for electric power and other critical infrastructure are stipulated in the 2014 Basic Act on Cybersecurity. Article 12 calls for the establishment of a basic plan for the “promotion of ensuring cybersecurity in critical social infrastructure providers,” while Article 14 stipulates that “measures such as formulating standards, exercises and training, information sharing, and the promotion of other voluntary activities” be provided for critical social infrastructure providers.[10] Based on this act, the NISC (National center of Incident readiness and Strategy for Cybersecurity) coordinates cybersecurity policy with critical infrastructure operators, such as by periodically revising the cybersecurity action plan for critical infrastructure protection and the common standards on information security measures.[11]

The so-called Economic Security Promotion Act enacted in May 2022 recognizes the importance of ensuring the stable provision of essential infrastructure services (electricity, gas, water, etc.) for national security and requires that the installation of critical facilities by service providers be subject to prior screening.[12] At a November 17, 2023, a press conference, Economic Security Minister Sanae Takaichi announced that 210 companies and organizations have been designated for such a prior government review, noting that the screening system would be launched in May 2024 following a six-month transitional period.[13]

Managing Cyber Risk during a Contingency

In Japan, responsibility for managing cyber risk to electric power infrastructure rests with business operators. Specifically, the Electricity Business Act obliges utilities to conform to technical standards to ensure the cybersecurity of facilities used for general electricity transmission and distribution, electricity transmission, specified electricity transmission and distribution, and electricity generation. The cybersecurity of small capacity generation facilities, which do not fall under the category of critical infrastructure, had previously been outside the scope of government regulation. But with the decentralization of power sources and the expansion of online control, the October 2022 revision to the technical standards for electric facilities added the remote monitoring and control systems of electric facilities for private use as being subject to cybersecurity guidelines. In other words, household solar power systems—which are not owned by electric utilities—were defined as “electric facilities” subject to cybersecurity obligations.[14] The government subsequently issued cybersecurity guidelines for installers of small capacity generation facilities, recommending (in some cases, advising) that they comply with those guidelines.[15]

A distinctive feature of the recommendations in the abovementioned cyber risk report funded by the Australian government is that they focus not on conventionally recognized cybersecurity threats but rather on potential cyberattacks from hostile countries during a contingency. This no doubt reflects a heightened sense of crisis following the cyberattacks on Ukraine’s electric power infrastructure since Russia’s invasion in 2022.[16] Cyber threat entity Sandworm, which has been linked to Russia’s GRU (Main Intelligence Directorate of the General Staff of the Armed Forces), has reportedly conducted relentless cyberattacks on Ukraine’s power grid.[17] In its annual Cyber Threat Report for 2023, the Australian Signals Directorate expressed alarm at a China-sponsored cyber actor known as Volt Typhoon, saying that it discovered a cluster of activities using “built-in operating tools to help blend in with normal system and network activities. These techniques, it said, could be applied against critical infrastructure sectors worldwide, including in Australia.[18]

By contrast, Japan’s measures against cyber risks to the electric power infrastructure include only peacetime initiatives, with responsibility being placed in the hands of the installers and operators of critical infrastructure. Because cyberspace is interconnected, though, Japan’s national security is just as exposed to malicious cyber actors as Australia’s. Japan, too, must quickly reformulate its cyber risk countermeasures with contingencies in mind.

(2024/01/15)

Notes

  1. 1 Australian Government, Department of Climate Change, Energy, the Environment and Water, “Australian Energy Update 2023,” September 2023.
  2. 2 See, for example, “China’s spy threat to our solar energy grid,” The Australian, July 21, 2023.
  3. 3 “China’s solar dominance a risk for Australia’s renewable energy supply: Bowen,” The Sydney Morning Herald, February 18, 2023.
  4. 4 “Australian Energy Update 2023” (note 1).
  5. 5 Agency for Natural Resources and Energy, Enerugi hakusho 2023(Annual Report on Energy: Japan’s Energy White Paper 2023), May 2023.
  6. 6 “Australian Energy Update 2023” (note 1), p. 29.
  7. 7 “Chinese Spy Concerns in Solar Power Market,” Sky News, July 21, 2003.
  8. 8 Cyber Security Cooperative Research Center, “Power Out? Solar Inverters and the Silent Cyber Threat,” August 2023.
  9. 9 “Reliance on solar ‘a risk to security,’” The Australian, October 24, 2023.
  10. 10 Refer to the text of the Basic Act on Cybersecurity.
  11. 11 NISC website.
  12. 12 Refer to the text of the Economic Security Promotion Act.
  13. 13 “Seifu kikan infura setsubi donyu no jizen shinsa taisho ni 210 jigyosha o shitei,” NHK News, November 17, 2023.
  14. 14 Ministry of Economy, Trade, and Industry, “Shokibo hatsuden setsubi to no saiba sekyuriti taisaku ni kakawaru kento nit suite,” December 24, 2021.
  15. 15 Electric Power Safety Division, Industrial and Product Safety Policy Group, Ministry of Economy, Trade and Industry, “Jikayo denki kosakubutsu ni okeru saiba sekyuriti taisaku ni tsuite,” September 2022.
  16. 16 In its annual cyber threat report for 2023, the Australian Signals Directorate, responsible for Australia’s cybersecurity, noted that “Russia’s war on Ukraine has continued to demonstrate that critical infrastructure is viewed as a target for disruptive and destructive cyber operations during times of conflict” and that malicious cyber actors have targeted critical infrastructure across Europe. Australian Signals Directorate, ASD Cyber Threat Report 2022–2023, chap. 2, November 14, 2023.
  17. 17 Sandworm conducted a multievent cyberattack that leveraged a novel technique for impacting industrial control systems (ICS) and operational technology (OT), causing a power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. For details, see the report by Mandiant, a leading US security firm: Ken Proska, et al, “Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology,” Mandiant Blog, November 9, 2023.
  18. 18 ASD Cyber Threat Report 2022–2023, chap. 3 (note 16).