Optus Breach – What is Cyber Security for renewable energy generators?

The recent Optus Data breach raised nationwide concerns, however, the Commonwealth Government has already introduced a slate of new cyber security regulations aiming to strengthen the protection of critical infrastructure, including renewable energy assets.  

The regulations aim to equip critical infrastructure providers with financial and regulatory support required to ward off malicious cyber-attacks. They introduce significant reporting obligations for critical infrastructure operators, which are valuable targets for malevolent state and non-state actors.

In this article, we break down the Commonwealth’s new statutory regimes, examining the financial and regulatory support provided by the legislation and the practical ramifications of the regulations for renewable energy asset holders.

Commonwealth Expands Definition of ‘Critical Infrastructure’

In 2018, Federal Parliament introduced the Security of Critical Infrastructure Act 2018 (Cth) (Act). The Act introduced a range of cyber risk management obligations for four sectors – electricity, ports, gas, and water and sewerage.

In response to increased reliance on digital communication and storage, which surged in the wake of the COVID-19 pandemic, the Commonwealth government passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), which amends the Act. In addition to introducing further compliance obligations, the SLACI Act significantly expands the definition of ‘critical infrastructure’ to capture nine additional sectors. 

The SLACI Act also imposes two new important obligations on entities responsible for critical infrastructure.

‘Critical Electricity Assets’

Critical infrastructure in the Act includes ‘critical electricity assets’, which is ‘an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory.’1 An electricity generation station will only be critical to security and reliability, if it:

  1. has an installed capacity of at least 30 megawatts; and
  2. is connected to a wholesale electricity market (Critical Electricity Asset).2


If the above criteria are met, the electricity generation station may be subject to the following obligations.

Owners of Critical Electricity Assets should also consider compliance with the Australian Energy Sector Cyber Security Framework (AESCSF). The AESCSF is a voluntary cyber security framework developed by the Australian Energy Operator to address increasing cyber security risks faced by the Australian energy sector.

Through the framework, participants are able to assess the criticality of their assets in relation to other participants and improve their own cyber security capabilities. This participation serves to assist participants in warding against future attacks. The AESCSF is still voluntary but may become mandatory at a later stage.

Government Assistance Obligations

Part 3A of the Act creates government assistance obligations for all ‘responsible entities’.

Depending on the obligation, the responsibility will sit with either:

  • the entity with ultimate operational responsibility for Critical Electricity Asset (Responsible Entity), or
  • the entities that hold a direct or joint interest of at least 10% in a Critical Electricity Asset, or that hold an interest and are able to directly or indirectly influence or control the asset (Direct Interest Holders).  

These obligations give the Department of Home Affairs more tools to incentivise compliance with the regulatory framework of the Act. They include:

  • Issuing Information Gathering Directions: requiring Responsible Entities to provide support and relevant information in the event of a cyber security incident.
  • Issuing Intervention Requests: requiring Responsible Entities to cooperate with the Australian Signals Directorate, the Australian government agency responsible for information security and cyber warfare, in response to a cyber security incident. This includes allowing access to computer systems and entity data, installing software and removing devices from the Responsible Entity’s network.
  • Issuing Action Directions: requiring Responsible Entities to comply with directions relating to specific actions issued by the Department in response to a cybersecurity incident.3

While these new powers are broad, they do not provide the government with a carte-blanche to intervene in cyber security incidences. To impose an obligation on a Responsible Entity, the authorising Minister must be satisfied that several criteria are satisfied, including that:

  1. no other regulatory system could be used to provide a practical and effective response to the incident;
  2. there is a material risk that the incident in question will seriously prejudice Australia’s social or economic stability, defence or national security; and
  3. a cybersecurity incident on a Critical Electricity Asset is occurring or imminent.

Cybersecurity Incident Notification Obligations

Part 2B of the Act creates additional reporting requirements for any Responsible Entity that has experienced or is experiencing cybersecurity issues in relation to a Critical Electricity Asset. 

Like the obligations discussed above, the reporting requirements will only apply where they have been actively instituted under the instruction of the relevant Minister. 

Once imposed by the relevant Minister, the obligations impose strict time limits on reporting incidents. A Responsible Entity is required to notify the Federal Government within:

  • 12 hours of discovery if the incident has a ‘significant impact’; or
  • 72 hours of discovery if the incident has a ‘relevant impact’,

on the sector’s functionality. A ‘significant impact’ refers to scenarios in which a cybersecurity incident has a material effect on public accessibility to essential goods and services. A ‘relevant impact’ includes any other kind of incident that affects critical infrastructure.

 Hamilton Locke’s View

For renewable energy developers, operators and owners with generation assets producing 30 MW or more, it is ‘critical’ to understand whether their project is a Critical Electricity Asset for the purpose of the Act. Early identification of cyber security obligations and incorporation of a AESCSF compliant cyber security system can result in significant cost savings. 

The Hamilton Locke team advises across the energy project life cycle – from project development, grid connection, financing, and construction, including the buying and selling of development and operating projects. For more information, please contact Matt Baumgurtel.

1 Security of Critical Infrastructure Act 2018 (Cth) s 10(1)(b).

2 Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021(Cth) s 5(a)ii, (b).

3 https://www.legislation.gov.au/Details/C2018A00029