[00:00:00] Speaker A: A quick disclaimer that since the recording, Doris has moved on from working at SMA Australia. We still believe the content was insightful and needed to be published. Happy listening.
[00:00:10] Speaker B: I think what we definitely need is a harmonisation of cybersecurity standards across Australia. So not every state going down their own pathway, but actually having that harmonized on a national level. The other thing is like linking the, the Cybersecurity Act with the Critical Infrastructure Act and making sure that there's no loopholes there.
[00:00:39] Speaker C: This is KVC as a primary target.
[00:00:43] Speaker B: For ransomware campaigns, security and testing and performance can comply. We can actually automate that, take that data and use it.
[00:00:53] Speaker A: Joining me now is Doris Spielthenner, MD and Regional Manager APAC from SMA Australia. And today we're discussing how cyber security can take Australia to net zero. So, Doris, thanks for joining and welcome.
[00:01:06] Speaker B: Thanks Chris, thanks for having me.
[00:01:08] Speaker A: Okay, so Net zero, I really, I'm curious to know what do you mean by this? Because, I mean, that's a great place to start.
[00:01:17] Speaker B: When net zero would be, you know that 100% of our energy production in Australia would go entirely into renewables.
[00:01:27] Speaker A: Okay, so in terms of, at the moment, where is that sort of sitting? What would be the percentage? Do you have any sort of stats on that?
[00:01:34] Speaker B: Yeah, so at the moment, on average in Australia we've probably got 37% nationally that comes from renewable energy and then in, with some exceptions, in renewables on average.
[00:01:51] Speaker A: So would you say, from your experience, would you say that's high, low in comparison to other parts of the world? Where does that sort of sit?
[00:01:58] Speaker B: Yeah, it's probably not bad. I mean, the 75% is definitely outstanding and very high. But yeah, so it's sort of like, you know, 37 to 50 would put us in an adequate spot internationally.
[00:02:14] Speaker A: And then in terms of like applying that to like a cyber security angle, what do you, what are your thoughts then on that? If we were to sort of just zoom out really quick, I suppose to paint the picture.
[00:02:23] Speaker B: So Australia is in the midst of this transition to net zero. So that means that in Australia our energy and supply in the network is moving from a handful of big fossil fuel power stations, so that's your gas and coal plants, to a decentralized network of a lot of different renewable energy plants. So solar parks, wind farms, batteries and the likes. And so increasingly these decentralized networks of renewables are essentially digitized energy networks where every asset, whether it's small or large, is interconnected, connected to a communication system or a network. And so I suppose with that cybersecurity plays center stage too, you know, where we need cybersecurity to identify any missing links, any blind spot so to ensure that nobody attacks and turns the lights off. And so that's, you know, a threat that's become more prevalent now with this high, you know, high penetration of renewables and all of these different devices that it had been, you know, back in the day. And so obviously everybody wants 24/7 supply of energy and so it's essential that we have very strong cybersecurity place that, you know, people could build the trust and the confidence in that path towards net zero, if that makes sense.
[00:03:46] Speaker A: Okay, so I want to keep following so this whole, you know, with, with net zero, I mean you obviously know way more about this than me. But what is the sort of general consensus? Because I mean, depends on what you read. Obviously people are for it, people are against it. Walk me through what's happening in terms of the landscape because I think this is really interesting in terms of the net zero, but then also bringing in the cyber component. But I'm really curious to just get your view of the lay of the land at the moment.
[00:04:10] Speaker B: Yeah, so Australia has the highest per capita rooftop solar penetration in the world. And so it's really leading. So you could say that you are like individuals. So people in the residential space and increasingly also business owners, smaller manufacturing. So they really see the benefit of renewable energy, so the benefit of putting solar onto their roofs. So this is progressing really, really well however, you know, in the large scale utility space. So Australia tries to move away from coal fired power stations and gas supplied to large solar parks, wind farms and large batteries. And in order to sort of replace that old infrastructure with new infrastructure, we also need better transmission lines and the likes and, and that's sort of where social license for that part is not as strong because firstly it's quite a costly investment into the future of, you know, replacing the old infrastructure with the new. But also there's a bit of this not in my backyard thing going on where, where people are not too pleased if transmission lines, which are perceived to be quite ugly, or perhaps not everybody likes a wind farm if that happens to be in their backyard. But you know, we are, in general, we are getting there. Australia is a big country, so there is a lot of space for the solar parks or the wind farms. And so in relative terms to other parts of the, of the world, we're actually doing quite, quite well. And people do have in general a positive attitude towards renewables.
[00:05:54] Speaker A: Okay, so going back to your comment before, you said in Australia in terms of like houses, we've got the highest amount. Why would you say that's the case in comparison to other parts of the world? I'm just curious to understand.
[00:06:04] Speaker B: Well, I suppose we'd be blessed country where the sun always shines. But equally, perhaps 10, 12 years ago the government paid really high subsidies in the form of feed in tariffs. So people, people would create their own solar energy on their rooftops and then they would sell it back to the energy retailers and then they, you know, the government would give them a really good price and guarantee them a price for selling this energy back into the grid for you know, the next 10 years or the next however many years to come. And so by and large these, these high feed in tariffs they have now in most states or territories subsided. So they no longer exist however, because the energy prices have been going up more generally. Pre solar on your roof is actually quite a good thing to do for people and especially these days if you combine it with a battery so you can store your solar energy during the day and then put it on this battery and then retrieve it from the battery once the sun has gone down. So that's a pretty good proposition for, for many households, especially since the price of the system cost has been coming down.
[00:07:25] Speaker A: Yeah. And I also think with you know, rising cost of living etc. It's definitely increased. Would you say as well that in terms of our like general electricity, the cost is higher in Australia than it is for other countries?
[00:07:37] Speaker B: It's an average price. Like there's a lot of countries where the cost of energy is much higher. Especially for those countries where there are a lot of fossil fuel dependent and where all of the fossil fuels have to be imported and where they may not have the space to for solar plants or for wind farms and the likes for even for you know, coal fired power station or something like that. So on average the energy price in Australia is up to not too bad compared to some of those other countries say in, even in Southeast Asia or in Europe or in Japan.
[00:08:16] Speaker A: So I'm aware there's this target to reduce, you know, greenhouse emissions. I think it was like 43% by like 2030. So would you say we're on target for that? I mean you've obviously already done a little bit of the context in terms of why people are moving towards solar, et cetera. But would you say we're likely to hit that goal? Because that isn't too far away.
[00:08:37] Speaker B: 2030, if a lot of these connection approvals for the big solar plants or the big wind farms or big batteries, if that is being accelerated and goes ahead and if we can draw up some more support for the transmission lines, then yes, I believe we are in a very good pathway to get there be 2030 or you know, 31 or. But you know, we should be getting, we should be getting close. A lot of that will also hinge on what's going to happen in the federal election in most likely the first or the second quarter of 2025. Cause you know, some of the energy policy may change, but presuming it stays as it is and it keeps on going into the same direction of supporting renewable energy, then we should be able to get there and hit those targets.
[00:09:32] Speaker A: So then following the theme of net zero and the goal that I believe is 2050, which is a decent amount of time. That's crazy, but you know, it's further than 2030. Do you think we'll ever get to net zero though?
[00:09:44] Speaker B: Yes, I believe we can get to net zero. A lot of the renewable energy resources, such as the products we provide can, not wanting to go too technical but can create sort of synthetic inertia and in a digital way produce inertia that's required in the grid. Where previously sort of big synchronous condensers and machines would have done that work. So those that would have been powered by like coal fired power station and other such, you know, older infrastructure. So yeah, so if we bring in these new technologies then it is entirely possible it is also required but of course that the price for, for example for green hydrogen production will have to come down significantly because some fuel forms like this will still be needed in some of the heavy industries. So there's one thing to move to 100% electricity supplied for the, you know, for, for the current grid to renewable energy. And it's another thing to decarbonize our heavy industries in mining and related industries.
[00:11:00] Speaker A: Okay, now that we sort of set the tone and you've sort of explained a bit more about the landscape, I want to shift gears slightly and talk a little bit more about South Australia. So I'm informed that South Australia is taking the lead on cybersecurity standards in energy systems. So tell us more about that.
[00:11:20] Speaker B: It's an interesting case in point as I said earlier. So on average in Australia we would have 37% of the energy mix being renewable energy, whereas in South Australia we have a 75% on average. South Australia also is a net exporter of renewable energy. So they produce more than they need. And so presumably because of that, nobody asked them to. Because of that, because they punch above their weight, they're leading on the energy transition. And so they're probably thinking, therefore we get to set the rules. So in one such example, earlier this year, the South Australia state power networks, they set new cyber rules without actually an overarching policy framework. So for example, they demanded that all servers on which energy production or consumption data is being stored or processed, that they need to be housed within Australia. Now that's a really big call. So from a commercial point of view, for a company like ours or any competitor really, South Australia really only accounts for 5%, 5% to 10% of our Australia sales revenue. So you would have to think until all of the states and territories or at a federal level, you know, unless they were to adopt such a rule of having all servers in Australia, we wouldn't want to make the investment of moving all of the servers to Australia just because one of the states demands them. So from a cybersecurity point of view, however, I probably say that South Australia is the only state that actually does take cybersecurity in the renewable energy grids seriously. And so therefore they want to push for the necessary reforms. So while we might not like that commercially, from, from my perspective, it is a good thing.
[00:13:27] Speaker A: Okay, there's a couple of interesting things in there that you said. So you said South Australia is taking cybersecurity more seriously. So what do you mean, what does seriously look like in your eyes? And what are the other states and territories not doing?
[00:13:39] Speaker B: Well, they think about what would be good, what would good regulation look like. And so for example, moving servers onshore and therefore trying to reduce nation state interference and in general better control and having all that data being stored onshore, it's a good thing. A lot of other countries have already made that move. And so, you know, South Australia has taken it upon themselves to prescribe that, but also other sort of regulations or standards for large scale utility plant as well as what we call consumer energy resources. So that's your residential solar inverter or your battery or your, or your electric cars. So yeah, so they are thinking about how can we improve the situation for large scale utility and for those CER resources. And that's a good thing. The other governments, other state governments, they have been made aware among them by the South Australian government themselves. They've also been made aware by us because we've been pushing into that direction as well. And we would like to See, higher standards. However, when the, for example, New South Wales government released its consumer energy strategy, so just very recently after months of consultation, cybersecurity was not even mentioned once in the document.
[00:15:16] Speaker A: Okay, so why would you say it wasn't mentioned? Because they don't take it seriously or what? What's the theory?
[00:15:20] Speaker B: Yes, it's just not a consideration. I mean, at the moment, you know, there's a lot of other, a lot of other criteria in the consumer energy space. So for example, all of the state governments, amidst this cost of living crisis, everybody wants to of course, reduce the price of energy, reduce the price of systems. And so there's rather a push into that direction as well as how can we keep the energy grid stable from a just an energy mix perspective and how can we, you know, ensure yet doing the right thing by the people rather than, you know, bringing in onerous cybersecurity standards that perhaps would also raise the bar for lower priced products, for example, from China coming into the country and into the market. So cheap and cheerful over cybersecurity.
[00:16:15] Speaker A: Okay, so this is interesting. So in terms of the. Going back to you mentioned before, not a consideration because you're doing it more on the manufacturing level. So again, if we look at like a router, home router, I mean, there's, I've had these discussions recently with people on the show that, you know, like you said, cheap and cheerful. We can produce it, mass produce, it's a lot cheaper than if we were to factor in more secure devices. So what I'm hearing from what you're saying is people that are looking at this are like, oh, we can forego security because we want to try to drive the cost down. Is that a fair assumption?
[00:16:44] Speaker B: Yes, I think it is. And I suppose there's also other acts. So for example, the Cybersecurity Act at a federal level that would sort of have to come and regulate things such as routers or things such as all your internal things like your baby monitors or your home inverters or whatever. So to really combat that, and so perhaps the individual states such as New South Wales, they might have thought, well, this is not our problem, this should be a federal problem and it should be regulated under the Cybersecurity Act.
[00:17:22] Speaker A: So would you also say, Doris, that people just don't know enough about cybersecurity, so therefore when people don't know something, they just try to avoid it or just, you know, glide over certain elements of it. Would you say there's also that side of it?
[00:17:36] Speaker B: Yes, look, I mean on the, on the large scale utility side, there is a, and has just been released by Australia, a cybersecurity maturity framework. So for the large scale utility space people. So regulators, agencies are taking it very seriously. However, on the small side of things. So in the residential and the commercial space, neither consumers nor businesses, nor at this point the regulator, you know, have been really looking at this because if you think about it, if there's an attack on one or two or three large solar parks or wind farms, you can bring the grid down. But to orchestrate an attack on lots of individual residential inverters or batteries or EV cars would be sort of a much harder thing to do. Right. And so I think there definitely is less awareness about that. Probably there's less worry about it in the message that it could bring down the whole energy grid on that. So I think it's question of priorities.
[00:18:48] Speaker A: But that to me makes zero sense because it's like, how can they not say it's a priority? Because when like you just mentioned, like if this is under critical infrastructure, so imagine if things just stop working, people can't run electricity, people can't power their offices. I'm surprised that people aren't taking this more seriously and maybe that's biased to me because I'm running a cyber security show. But for me, even if anyone were to look at this, they could still say, well, we need to make sure we have uptime, so we need to make sure that security is factored into it.
[00:19:16] Speaker B: Yes. And again, at this, at the critical infrastructure level, so at the large solar parks, large wind farm level, definitely. So the awareness is there and there's a lot of different things in place to make it safe. But when it comes to the individual devices in a household or, or, or a business, that's sort of where people lose interest because people make decisions with their wallet. And cybersecurity is a topic that's been over everybody's head. You know, if, if you are trying to speak to my neighbors or people I know and then they just, they're just like, yeah, well I bought this other product because it was $1,000 cheaper.
[00:20:02] Speaker A: And that part of it I understand if I put on my consumer hat, but is there going to be more regulation around the products that are being manufactured, that this has to be embedded and then therefore, maybe as a result government can try to drive down some of that cost. So therefore people aren't spending an additional five, sorry, additional 1,000. Maybe it's an extra 200 in terms of, if they were to pro rata that cost over all of the, you know, you know, all these individual devices etc. Do you think you see that coming into play? I mean, I have these conversations now even from a telco perspective for people that run security, surveillance cameras, etc.
[00:20:38] Speaker B: Yeah, look, it's a good point. And Australia has this new Cyber Security Act and with that the ministry will have the powers to think about regulating all these Internet of things resources and mandating higher standards. So I think that's what we are definitely going to see. The, I guess the higher cost of a device that's being produced in Germany over a price that may be a device that may be produced in China. What makes it more expensive is not just the cybersecurity aspect, it's just one of the many aspects, but one of the things is also that it will perhaps last longer, is more reliable. So the, you can of course spread that return of investment over perhaps 10 or 15 years rather than just five years.
[00:21:30] Speaker A: And I understand there are manufacturing costs and labor and all of those sort of things. I mean, but you'd be familiar with when the government saw rolling out Huawei as a risk and they didn't. And do you think that now the government will say, well, we're not going to procure these devices from X country or X part of the world because we're concerned about cybersecurity or. So is that what we're going to start to see in terms of your commentary around the regulation, the government starting to step in, or do you think that's probably an unrealistic goal?
[00:22:01] Speaker B: Yeah, look, that's probably an unrealistic goal. There might just be, you know, certain standards that businesses have to meet, like for example, ISO 27001 or something like that. So we, for example, we would like to see certification like that being mandated. And of course there may be also other standards that could be mandated within the Internet of Things space. And so the minister would have the powers to do that. One of the, you know, one of the regulations we would like to see that we, we see in place in Germany is that the government has the powers that when they suspect foul play by any company, you know, whether they meet certain standards or not, but if they suspect foul play, they can then start an investigation. And if that investigation finds that the devices that have been installed in fact either do not meet the standards and the regulations that the company claimed that it meets, or also if there's other sort of like hidden backdoors or something being installed on the devices, then the government could demand that all of those devices be de installed and could also demand that of course none of those devices of that brand will ever be installed in the country again. And so I think that happened in Germany. So Germany has such a law and so who are their telecommunications? Like they had to rip up all of the infrastructure and they have to now deinstall all of that infrastructure in Germany. So we would like to see a law like that because you can deploy whatever standard you want. In the end of the day, what a company says rolls off their conveyor belt and what they do sell into the country often could be very two different things.
[00:23:55] Speaker A: So would you say in your experience that law will come to fruition? Because I mean it makes sense, right? Because again, look, I, I get it. No one wants to pay more money because, you know, they don't understand it enough. And I totally understand from a consumer perspective also when it comes to critical infrastructure, that's another problem. But again, like as you've just mentioned, like they had to rip it all out and then restart again because they suspected to your terminology, foul play. So do you think this is going to happen or where do you sort of see this coming into it?
[00:24:24] Speaker B: It's not something that's underway at the moment in Australia. I think Australia might go down a different path of, of a number of different regulations and standards rather than something more open as this law in Germany or in Europe. So I don't have my hopes up, but it is definitely something that we speak to different state governments or federal ministers about and we would love to see that because it's almost like a little bit of a blanket insurance policy in a space where technology just develops so rapidly and as soon as a standard is mandated or launched, it is already out of date and doesn't really provide the necessary protections.
[00:25:14] Speaker A: So going back to your comment around foul play and if someone suspects it, like you were using the example from Germany, what does that then look like? So when you say someone, do you mean like a business or this someone individually and then who are they sort of like reporting that to, to a regulator there or what does that look like?
[00:25:30] Speaker B: Yeah, so it would be. So it would be a company, say a brand, be it Huawei or, or be it another brand. So if any of the other market players or a regulator, somebody had taken the device and they taken it apart and they can see, oh, there's interesting, this device open so has a back door or RM sends signals back to servers in China or in Russia or somewhere and the device does something that is it is actually not expected to do, then the people who have this suspicion can take that to the regulator. The regulator would then consider that case. If they think it's valid and strong enough, they will then launch into an independent investigation. And if that investigation finds those devices to be in violation of the codes, then yeah. And the government has the power to prohibit the sale of those products in the, in the country and also have the powers to de-install those devices.
[00:26:39] Speaker A: Yeah, that's interesting because I think as you're talking, I'm just thinking that for that example in Germany, like that that could have been a massive national security issue for them as well. You're forgetting about the cyber component, that's one thing. But then like that could roll out and really start to impact then country.
[00:26:56] Speaker B: Yes, that's exactly right. So I mean really what you would want to have is a combination of two things, like really strong standards that prevent the installation of dodgy equipment in the first place. But then also the powers and the regulation that allows you to, you know, pull up any bad actor to remove the infrastructure or remove the devices if they are found to be in violation.
[00:27:24] Speaker A: So then going back to some of the, we've already had around like the regulation and the standards. So if we're not going to get there in Australia and people are procuring, procuring, sorry, this technology from elsewhere because it's cheaper, doesn't then pose, yes. A cyber risk which we establish for the national security. Like is our government just not factoring this in as a risk?
[00:27:44] Speaker B: Yes, I think they're not. And, and I think we need to see action there quite quickly.
[00:27:51] Speaker A: So why wouldn't they factor this in when they've already like again, back to my Huawei example, the whole NBN thing, like wouldn't they have learned from that and now these things are becoming even more prolific. Like is what's your like thinking behind their motivation to perhaps not worry about it?
[00:28:08] Speaker B: I think that renewable energy versus telecommunication is perhaps a more politicized topic. Right. So anybody on whatever side of politics would have said, yes, we need the NBN, yes, everybody needs Internet in their homes, be it rural or in the city, everybody has a right to fast Internet. So I don't think that there was any political dispute over it. And so therefore, you know, the government together with the key telecom players were able to roll out that infrastructure and do those things. And the only political issues they had was about the cost of the rollout and how it is done and how long it was taken and all the rest of it. But it wasn't really so much a discussion around the actual doing it or not doing it or the substance of it. Whereas with renewable energy, it is such a politicized topic where one side of politics is really pushing for it and the other side of politics is not really in favor of it. And so therefore the current government, the Labor government that's pushing for it, with a strong criticism of it being a very costly energy transition, they want to do everything to keep the cost down and make it as cheap as possible for the consumers of the, of the renewable energy. And so therefore that is where it becomes difficult because cybersecurity is the trade off against this cheap energy transition.
[00:29:43] Speaker A: Yeah, I totally hear what you're saying. And unfortunately that is the conundrum. But then as, as you're speaking, I'm thinking, well, yeah, sure, okay, going back to the point, no one wants to pay more money if they don't have to. I get it. However, when you say that it's taking the can down the road. So what I mean by that is just say they went and procured this technology from X part of the world because it's significant, significantly cheaper than perhaps from other regions like Germany and friends. But then it becomes a national security issue because like you said, there's backdoors and then there's spyware and then they're monitoring everything that we're doing. It just feels like a delay is the problem. So yeah, we sort of, yes, saved a couple of bucks in the beginning, but then we've got an even bigger problem on our hands, which is, is an infinite, like there's so many a can of worms that, that opens up there in terms of problems. I just don't understand how people can't see, in terms of the supply chain, is that the part? I know, I know it's a political problem, but again, like, it just feels like we're sort of robbing Peter to pay Paul a little bit. It's just they're both sort of bad.
[00:30:43] Speaker B: Yes, 100% agree. It is a problem that, I mean, also in Australia we're seeing some brands, some companies, all of them from China being, you know, very strong, gaining a lot of market share, and all of that supply chain is coming out of China. And if any one of those companies, they're not state owned at this point, but who knows, in two years time, five years time, these companies could be state owned. Right. And so then we have a 80% of our residential or commercial solar infrastructure, you know, being owned by the Chinese state government, for example. I mean that could be a scenario. And then of course, you know, any such state government would have access to the individual devices that power our homes and businesses. So I think, you know, there's with that concentration, with that high dependence on brands from just one country or just high dependence on just, you know, one or two brands, it's a, it's a concentration risk paired with a cybersecurity risk that we potentially will have to face in a few years time.
[00:32:03] Speaker A: So where do you think we go from here, Doris? So I know there's not an easy answer to that, but obviously we've talked through a few scenarios. What are the risks, et cetera? What are your thoughts sort of moving forward as we enter into 2025 and beyond?
[00:32:15] Speaker B: I think what we definitely need is a harmonisation of cybersecurity standards across Australia. So not every state going down their own pathway, but actually having that harmonized on a national level, that's one thing. The other thing is like linking the Cybersecurity Act with the Critical Infrastructure Act and sort of making sure that there's no loopholes there. Definitely, you know, we do have a self assessment cybersecurity framework which is a maturity model. It's a self assessment rather than being a third party assessment. So I think that should happen as well and we should also mandate some of those standards such as ISO 27001 and yeah, and then as I said before, help destabilize regulation of this security blanket of, you know, the government having the powers to investigate companies if they suspect foul play.
[00:33:17] Speaker A: So Doris, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:33:22] Speaker B: Encourage everyone to think about cybersecurity. I mean your audience clearly does that anyway, but perhaps for people to share with their neighbors and their friends and their peers and their family members that, you know, cybersecurity is a topic that everybody has to take seriously and so they should think twice when they make investments into their residential devices or anything they put into their business in terms of infrastructure or equipment.
[00:34:01] Speaker C: This is KBKast, the voice of cyber.
[00:34:05] Speaker A: Thanks for tuning in. For more industry leading news and thought provoking articles visit KBI Media to get access today.