Why Australia’s cyber regulation needs to evolve with the renewable energy transition
Published on 05/12/2026

An independent cybersecurity review has called for significant legislative reform to ensure Australia's Security of Critical Infrastructure (SOCI) Act remains fit for purpose in an energy system increasingly powered by renewable generation.
Led by Professor Jill Slay, the review makes clear that the SOCI Act was originally designed for traditional, centralised energy infrastructure. However, as the system continues evolving towards decentralised, inverter-based resources, the regulatory framework risks lagging behind the technical reality, particularly around digitalisation and supply chain complexity.
This raises a broader question for the energy sector: how should cybersecurity responsibilities be structured in a system where generation, storage, and control are increasingly distributed and interconnected?
A more complex system means more complex risks
One of the review’s key recommendations is to strengthen accountability across the supply chain. This could involve placing more explicit cybersecurity obligations on technology providers or requiring asset owners and operators to demonstrate how these obligations are managed across vendors.
Both approaches highlight a fundamental shift in how Australia approaches cybersecurity in the energy sector. In traditional systems, cyber risk was largely concentrated within a smaller number of centralised assets. But in the modern day, renewable energy systems distribute both capability and risk across a much wider ecosystem of technologies and providers.
The result is that cybersecurity can no longer be considered in isolation at the asset level. For it to be effective, it must be understood as a system-level challenge, where gaps in one part of the chain can have wider implications for grid reliability and resilience.
The review also recommends giving the government direct power to ban dangerous technologies and suppliers that pose an unacceptable risk to the grid, rather than relying solely on industry to manage those risks through contracts and due diligence. This change would acknowledge a simple but undeniable truth: when it comes to the critical infrastructure that powers our country, some risks simply cannot be managed through procurement and contractual due diligence alone.

From tick-box compliance to capability
Another important implication of the review is the potential expansion of the Australian Energy Sector Cyber Security Framework (AESCSF) assessments overseen by the Australian Energy Market Operator (AEMO).
If applied more broadly, this could help establish a more consistent baseline across the industry. But the review is clear that compliance frameworks alone are not enough. What ultimately matters is not only whether organisations meet defined standards, but whether they have the genuine capability to anticipate, detect, and respond to emerging risks over time. The review recommends moving away from a light-touch, documentation-focused approach towards a framework with clear accountability, assurance and appropriate enforcement mechanisms.
There are already examples of suppliers, including SMA, engaging proactively with these frameworks through voluntary participation in AEMO-led cybersecurity assessments. This demonstrates that higher standards are both achievable and scalable across the industry.
However, a voluntary approach alone is unlikely to deliver consistent protection across critical infrastructure. Establishing clear, enforceable cybersecurity requirements for all suppliers would help ensure a level playing field and provide greater assurance that all technologies connecting to the grid meet a consistent, high standard of cyber resilience.
Why this matters now
As Australia accelerates its energy transition, the role of inverter-based resources, digital control systems, and connected infrastructure will continue to expand. And as it does, the potential for cyber risks expands with it.
These technologies are central to enabling a more flexible, resilient and low-carbon energy system, but they also increase the importance of robust cybersecurity practices across the entire supply chain. A weakness anywhere in that chain is a potential weakness in the grid itself and, by extension, in the electricity supply that homes, businesses and essential services depend on.
The review signals a need to revisit not only regulatory settings, but also how the industry collectively approaches cybersecurity – as a foundation of energy security and system stability, not simply a compliance requirement.
Looking ahead
Modernising cyber regulations for the energy sector will require a careful balance of clear standards, accountability, and a willingness to adapt to evolving technologies and risks as they present themselves.
The review's recommendations, if acted upon, would bring Australia's framework more in line with comparable international approaches and better reflect the realities of a modern, renewable-powered grid.