Could a cyberattack destabilise Australia’s future grid?
As Australia’s energy transition accelerates, cyber risk is emerging as one of the sector’s most complex vulnerabilities.
The shift toward a more decentralised, digitalised energy system — increasingly reliant on smart inverters, consumer batteries, virtual power plants, EV chargers and orchestration platforms — is creating new operational efficiencies. But it is also expanding the number of potential entry points for cyber threats.
Unlike traditional centralised generation assets, many of these technologies sit beyond the physical perimeter of conventional utilities. They are connected through software platforms, cloud systems, communications networks and third-party devices spread across homes, businesses and distribution networks.
But cyber governance may not be evolving at the same pace as the energy transition itself.
A recent study supported by the Australian Renewable Energy Agency and conducted by CAPA Intelligence warned of the “increasing cybersecurity risks associated with large-scale Consumer Energy Resource (CER) fleets in Australia’s evolving energy system”.
That concern is becoming more relevant as Australia moves toward a grid with much higher levels of consumer energy participation and remote coordination.
The Clean Energy Council (CEC), in a submission to the Australian Government’s cyber security strategy consultation, said the internet connectivity of consumer and distributed energy resources “exposes the energy system to cyber threats”.
She also pointed to uneven coverage across the renewable energy sector. Large-scale generators and batteries above 30MW (but larger than Internet of Things devices) are covered by the Security of Critical Infrastructure Act, while “medium-scale generators and batteries” below that threshold have “no current policy or legislation”.
For “Virtual Power Plants (VPPs), aggregators and original equipment manufacturer (OEM) portals”, there is “no current policy or regulation”.
Di Petta warned that safeguards around CER and DER products, and the information networks accessing and controlling them, are “essential”. The CEC recommends a clearer governance structure that defines obligations, duties and responsibilities, and calls for mandatory standards for VPPs and OEM portals, suggesting ISO 27001 could provide “an appropriate base line”.
The issue is not hypothetical.
Could cyberattacks on smart inverters, if orchestrated at scale, create wide-scale instability in the power grid and energy market?
While the impact of such attacks would depend on careful planning and orchestration, existing contingency mechanisms may not be enough against adversarial cyber events.
“While the grid can assure certain power system security to survive inadvertent contingency events, it is insufficient to defend against savvy attackers who can orchestrate attacks in an adversarial manner,” according to Xiangyu Hui from the University of Melbourne.
Ezra Beeman, CEO of Empower Energy and Managing Consultant at Energeia, said it is “great to see Australian security researchers turning their minds to the related cyber-security issues”.
Since “the threat of cyberattacks on smart inverters causing wide-scale power instability is significant… perhaps SOC 2 or ISO 27001 security standards should be required for all inverter OEMs and VPP operators?”
Battery storage adds another layer to the risk picture. As battery energy storage systems become more connected and remotely managed, cyber vulnerabilities within battery management systems are drawing increasing scrutiny.
Cloud-connected storage assets “are often remotely managed using cloud-based control systems”, exposing them to cyberattacks that could have “catastrophic consequences for the electrical grid and the connected infrastructure”, according to cyber security researcher Frans Öhrström.
The Department of Home Affairs’ Critical Infrastructure Security Centre has also warned that even battery energy storage owners should assess cyber security risks when selecting technology vendors and service providers, and said maintaining “strong cyber security controls should be a high priority for any owner or operator of a BESS”.
Policy is beginning to respond.
In March 2026, the Australian Government released 18 initial CER device requirements covering technologies including solar inverters, batteries and electric vehicles. The requirements are intended to provide early guidance before a regulatory framework is established.
The Department of Climate Change, Energy, the Environment and Water says the National CER Roadmap includes technology reforms to ensure devices are “secure, connected, reliable and optimised”, and notes the need to strengthen “cybersecurity, system protections and emergency safeguards” as more devices connect to the grid.
The challenge for industry is now clear: Australia must connect millions of flexible energy assets fast enough to decarbonise, while making sure those assets do not become a new source of system risk.
As the grid becomes more intelligent, decentralised and software-defined, cyber security is no longer a back-office technology issue. It is becoming a core energy security question.

All rights reserved Energy Insights Pty Ltd




