It’s Cybersecurity Awareness Month this week, and things are not going well in corporate Australia. Qantas failed its customers by allowing the alleged theft and supposed resale of 5.7 million customer records, including some fairly sensitive personally identifiable information.
As I write this, I am riding in a Geely EX5 that Uber sent me this morning to take me to my Qantas flight. I am both hosting the Sydney EV meetup and attending Mobility Live, and I am reminded of the many interactions involving my devices and personal data that are required to get me to Sydney.
I am also reminded that many entities owe me, and every other Australian, a duty of care to keep us safe from theft, fraud, and worse.
Last week, I wrote about Portia Rooney and her Net Zero Engineering Solutions project, which is funded by iMove and aims to solve the technical challenges related to AC V2G. However, I made a mistake in stating that the inverter standard AS 4777.2 makes no mention of AC V2G.
Peter Kilby bailed me up on LinkedIn about this. Peter is an engineer for Energy Queensland and sits on the EL-42 Standards Australia committee responsible for that standard. He pointed out that the 2024 amendment to the standard added a clause (2.3.4) stating that both AC and DC V2G are covered by the standard.
Nevertheless, I am not aware of any AC V2G wallbox and vehicle combination that has been tested and certified. Portia’s programme aims to understand how such a system can comply, and whether any changes to standards and regulations are needed to accommodate this technology.
At its core, AS 4777 is about keeping people and the electricity system safe. It contains a set of predictable, defined responses to grid conditions, the most important of which is the requirement to shut down the inverter when the grid is not present, or when voltage and frequency fall outside of defined limits.
However, it does not have much to say about cybersecurity. Despite connected inverters and batteries having been around for well over a decade, cybersecurity standards — beyond the obligation under Australian consumer law for a product to be fit for purpose — have only recently become part of the consumer energy resource (CER) landscape.
AS5573, also known as the Common Smart Inverter Profile Australia (CSIP-AUS), is derived from the international IEEE 2030.5 standard. It is still in the process of being adopted, although many distribution network service providers (DNSPs) now mandate its use for connecting solar inverters.
The Clean Energy Council also requires support for it before inverters can be certified for generating solar Small-Scale Technology Certificates (STCs), which form part of the subsidy mechanisms for domestic solar and storage.
Standards Australia also covers residential charging equipment under the proposed AS5396 standard, which is styled as a consumer guide, not an enforceable standard. Cybersecurity does at least get a mention here, under clause 3.4, which states:
3.4 Cybersecurity and data capture.
Security measures should be incorporated into the charging station so that its functions are resilient to cyberattack. These measures should ensure that communications are exchanged securely, with authentication and encryption to prevent unauthorised interception by a third party.
However, given that this is a consumer guide, there is a glaring omission: there is nothing to guide consumers on how to achieve security.
Regulation moves slowly in Australia. Currently, the ARENA-funded Consumer Energy Resources Integration process is underway to navigate this complex web of standards, numbers, and acronyms, and to recommend a secure path for integrating various types of CERs into the Australian grid.
It is a volunteer committee of experts from business, government, and academia, and I am one of them. I can’t comment on a process that operates under Chatham House rules, but it is open to participation and will produce documents for public comment in due course.
In the case of EV charging, however, including vehicle-to-grid, the answers to the cybersecurity questions are straightforward. There is really only one way to secure connections. From car to charger, the only viable option is ISO 15118-20, unmodified and without any additional Australian specifications.
This is the only thing that will gain acceptance with global EV original equipment manufacturers (OEMs). If anything is specified from charger to cloud, it must be OCPP 2.0.1 or 2.1. However, I concede that CSIP-AUS may be necessary, bearing in mind that both use the same TLS 1.3 encryption system.
While Australia may consider itself unique and special — it has indeed reached levels of CER penetration that are the envy of the world — creating unique standards slows down technology adoption, adds costs for consumers, and restricts choice, as manufacturers decline to adapt their products for our small market.
One of the great things about Portia Rooney’s project is that she has been appointed as a Winston Churchill Fellow and funded to travel to Europe to learn about V2G there, bringing the best of those insights back to Australia to accelerate V2G adoption.
The EU is investing considerable time and resources in V2G integration through the extensive multinational Task 53 research project. This is something that Australia needs to watch and engage with at all levels.
Cybersecurity is a global and continuous task. Threats cross boundaries and evolve rapidly as AI and quantum computing become tools available to hackers and fraudsters on an industrial scale. Australia must accelerate its response to this rapidly evolving threat environment, which it can only do by working with and learning from our global friends and neighbours.

Ed Lynch-Bell is Principal at Second Mouse, dedicated to building more sustainable energy tech and mobility products, services and businesses. Ed is also a co-host of the Melbourne and Sydney EV Meet-ups, bringing the e-mobility industry together.
