New Energy Bulletin: AEMC seeks feedback on proposed changes to AEMO’s cyber security roles and responsibilities

On 26 September 2024, the Australian Energy Market Commission (AEMC) released a draft determination and draft rule (Draft Rule) to amend the National Electricity Rules (NER). The Draft Rule aims to confirm and clarify the Australian Energy Market Operator’s (AEMO) role and responsibility in managing cyber security risks affecting the National Electricity Market (NEM).

Outline of Proposed AEMO Cyber Security Functions

The Draft Rule formally establishes cyber security as one of AEMO’s power system security responsibilities and provides AEMO the following functions to achieve this responsibility:

1. through the Australian Energy Sector Cyber Incident Response Plan (AESCIRP), plan and coordinate the NEM-wide response to a cyber incident that adversely affects the secure operation of the power system.  The AESCIRP will set out the coordination of market, state and federal responses to such cyber incidents;
2. support market participants in improving cyber incident preparedness, including through:

1. 1. continued development and maintenance of the Australian Energy Sector Cyber Security Framework (AESCSF) and coordination of annual assessment programs under the framework;
   2. development and delivery of cyber incident scenario exercises;
   3. development and dissemination of guidance materials and tools; and
   4. participation in working groups, standards committees and similar bodies;

3. undertake research and provide advice to government and market participants on cyber security risks; and
4. distribute critical cyber security information to market participants, including energy sector specific information on the following:

1. 1. collated advice from government agencies and other bodies;
   2. cyber security threats and vulnerabilities;
   3. preventative information technology patches and other mitigations; and
   4. public advisory reports, including post incident assessments.

Effect of Proposed Cyber Security Functions

The Draft Rule does not give AEMO the power to impose mandatory obligations on market participants in relation to cyber security. Rather, it formalises cyber security functions that AEMO already undertakes under the National Electricity Law (NEL), and ensures that AEMO:

1. can recover incurred costs in providing its cyber security functions through the existing participant fees regime; and
2. is immune from liability when performing its cyber security functions under the NEL.

Invited Consultation

The AEMC is seeking feedback from stakeholders on the Draft Rule by 7 November 2024 to support their final determination which is scheduled for 12 December 2024. Submissions can be made at this link.

If you would like further information or assistance in understanding or providing feedback on the Draft Rule, please contact the Hamilton Locke New Energy Team at new.energy@hamiltonlocke.com.au

The Hamilton Locke team advises across the energy project life cycle – from project development, grid connection, financing, and construction, including the buying and selling of development and operating projects. For more information, please contact Matt Baumgurtel.