China’s Cybersecurity Risks in Australia’s Renewable Energy Supply Chain
In Australia, discussions surrounding the renewable energy supply chain often take a sharp turn when the topic of cybersecurity arises, particularly regarding the significant role of China in this sector. While industry professionals are keen to discuss their reliance on Chinese suppliers for solar panels, inverters, and batteries, they become noticeably reticent when it comes to addressing the associated cybersecurity risks.
China’s dominance in the renewable energy market is evident, as it supplies a vast majority of solar technology and components for wind turbines. During a recent session at the Australian Clean Energy Summit, attendees skirted around the issue of cybersecurity in a manner reminiscent of the “He Who Must Not Be Named” trope from the Harry Potter series, while still making it clear who was at the centre of their concerns.
Cybersecurity Risks Highlighted
One participant acknowledged that China’s control over the supply chain positions it as a primary source of cybersecurity threats, although they requested anonymity. Sophie Pearce, the Home Affairs assistant secretary for cybersecurity, addressed a small audience, stating, “We know that foreign, hostile actors see Australia’s energy system as a good target.” She emphasised that the energy transition heightens these risks, particularly as Australia becomes increasingly reliant on foreign investments and supply chains.
Pearce further noted that dependencies on jurisdictions that could potentially demand access to data or systems amplify these cybersecurity concerns. The Australian Energy Market Operator (AEMO) shares this apprehension regarding the concentrated supply chain, with Pearce Courtney, who oversees cyber coordination for energy markets at AEMO, expressing that while maintaining visibility over the entire structure is crucial, the concentration of technology remains a significant challenge.
Local Manufacturing and Regulatory Gaps
According to a 2022 report by the International Energy Agency (IEA), China accounts for 80% of the global supply chain for solar panel manufacturing, with a 2024 study indicating that it holds nearly 85% of global battery cell production capacity. In contrast, Australia has only one solar panel manufacturer, Tindo Solar, and a few local battery producers like Empower, which operates in both Australia and Malaysia.
As the renewable energy landscape evolves, large-scale projects in wind, solar, and storage are increasingly vulnerable to cyberattacks, particularly given the lengthy timelines from design to construction, which may not account for evolving cybersecurity needs. Moreover, the surge in rooftop solar installations and home batteries has created additional vulnerabilities. Darren Gladman, a regulatory manager at SMA Australia, pointed out that the influx of small-scale devices, often lacking robust security measures, presents an inviting target for cybercriminals.
Regulatory Challenges and Vulnerabilities
The federal battery rebate programme mandates that all home batteries purchased with the subsidy must be enabled for virtual power plants (VPPs), with similar requirements in Western Australia. However, it is energy projects exceeding 30 megawatts that must adhere to cybersecurity plans as stipulated by the 2018 Security of Critical Infrastructure Act, leaving a significant regulatory gap for smaller projects under this threshold.
Research funded by CSIRO has indicated that a cyberattack on Australia’s distributed energy resources could disrupt the National Energy Market’s (NEM) frequency, potentially leading to widespread instability. The study highlighted that the long lifespan of solar inverters, combined with users’ lack of awareness regarding cybersecurity compliance, exacerbates the risk of such attacks.
The Challenge of Outdated Technology
Deloitte partner David Owen referred to the influx of inexpensive, insecure devices in Australian homes as “digital asbestos,” suggesting that future generations will face the burden of addressing these vulnerabilities. The question of who will bear the cost of replacing outdated technology remains uncertain, especially as consumers may hesitate to invest in new equipment if their current devices are still operational.
As the landscape of renewable energy continues to evolve, the responsibility for addressing cybersecurity vulnerabilities becomes increasingly complex. With multiple stakeholders having access to a single rooftop solar system, the accountability for patching vulnerabilities is often unclear. Manufacturers, energy market operators, and virtual power plant operators all have potential access points, yet homeowners may resist the financial implications of upgrading their systems.