Critical National Infrastructure
Exposure.

Could you answer the questions below — today, with confidence? Most organisations cannot. A passive external assessment is where the honest answers begin: what you expose to the outside world, and who owns that risk.


Australia’s national electricity grid now runs through more than four million internet-connected homes. The devices doing it are regulated as consumer gadgets, not as critical infrastructure — and their supply is concentrated in a handful of foreign vendors.

Australia treats its electricity grid as critical infrastructure — named in legislation alongside water, telecommunications and defence as a system the country cannot function without. That grid now depends, in part, on more than four million internet-connected devices sitting on the roofs and in the garages of ordinary homes. None of this is secret: the scale is published, the devices are catalogued, the supply chain is a matter of public record. And the law that governs the security of those devices treats them as household gadgets, not as the national-security assets they have quietly become. For something we call critical infrastructure, that is a remarkable gap to be able to point at in the open.

This is not a story about a breach, a kill switch, or a foreign plot. It is simpler and harder than that. It is about a critical national system that has been quietly rebuilt on a foundation of consumer-grade connected hardware, at a scale and speed that has outrun the rules meant to secure it — and about the fact that the whole exposure can be seen, mapped and measured from the outside, in public, by anyone who knows how to look.

  • 4M+: Australian homes feeding the grid through internet-connected inverters
  • 3: mandatory cyber rules for an inverter wired into the grid, the same three that govern a smart speaker
  • 2030: national deadline for a smart meter in effectively every home

The scale: a national asset built on consumer devices

Start with the size of the thing, because the size is the argument. More than four million Australian homes have rooftop solar, the highest penetration of any grid on earth, and together they now supply roughly an eighth of the nation’s electricity. Each system reaches the grid through an inverter: the power electronics that convert the panels’ DC output to grid AC, which on current systems also carries an internet connection to the vendor’s cloud and, increasingly, takes remote instructions about how much power to push back into the network. These are not passive tiles on a roof. They are live, addressable endpoints, and the grid leans on them more every quarter.

The fleet is also being deliberately enlarged. In November 2024 the Australian Energy Market Commission made a final rule requiring a smart meter in effectively every home across the National Electricity Market by 2030, replacing the last of the old accumulation meters with connected, communicating devices. Layer in household batteries and electric-vehicle chargers, and the picture is unambiguous: a critical national system is being rebuilt, on purpose, around millions of consumer-grade connected devices in private hands.

The shape of it: a national-security asset, resting on four million consumer devices the law does not yet govern as infrastructure.

The floor: regulated as a gadget, not as infrastructure

Here is the part that should give a security professional pause. Australia does now regulate these devices — but it regulates them as consumer electronics, not as critical infrastructure. That distinction is the whole problem.

The law is real and recent. The Cyber Security Act 2024 and its Smart Device Rules, in force since 4 March 2026, set a mandatory baseline for consumer connectable products — and, after the government deliberately brought consumer energy resources into scope, that baseline now reaches rooftop inverters and home batteries. But it is a baseline of three requirements: no universal default passwords, a vulnerability-disclosure channel, and a defined security-update period. Those are the same three rules that apply to a smart speaker or a baby monitor. It is a sensible floor for a household gadget. It is not a control regime for hardware wired into the national grid. Connectivity standards such as CSIP-AUS and the National Energy Public Key Infrastructure sit alongside it, but they govern how an inverter communicates and how its exports are controlled — not whether the device, or the vendor behind it, can be trusted.

And the obligations that are built for critical infrastructure mostly miss this layer. The Security of Critical Infrastructure regime is anchored on generators above 30 megawatts; a single rooftop system sits far below that line, and an aggregator that remotely controls a fleet of them has no clear classification in the Act. The market operator has a formal cyber-security role in the rules, but not the authority to compel participation. And the high-risk-vendor exclusion Australia applied to telecommunications and 5G has no enacted equivalent for grid-connected energy devices. So the floor exists — but the regime matched to the national-security scale of the exposure does not. The country’s own legal commentators have said as much, calling for mandatory device-level standards across distributed energy rather than a consumer baseline propped up by voluntary frameworks.

The gap, in one line: connected energy devices are not yet governed, in law, as the critical infrastructure they already are.

The supply: concentration is a risk surface

Now add where the devices come from. Research cited in the Australian Parliament puts firms headquartered in China at around 58 per cent of the Australian inverter market, with the two largest suppliers Chinese-owned; the same country dominates the supply of panels and batteries as well. This is best understood not as an accusation against any company but as a question of concentration. When a single origin supplies the majority of a critical component, that dependence is itself a vulnerability — a single point through which an upstream regulatory, commercial or geopolitical event can ripple into the domestic fleet, regardless of anyone’s intent.

That the risk is real enough to act on is no longer a fringe view: both the United States and the European Union moved in 2026 to restrict high-risk inverter suppliers from sensitive or publicly funded energy infrastructure. The concern has also surfaced in specific, if unproven, form. In 2025 investigators reported finding undocumented communication hardware — cellular radios not listed in product documentation — inside Chinese-manufactured inverters and batteries overseas. Treated honestly, that is an unverified finding rather than a proven one: it concerns devices abroad, not the Australian fleet, and at least one subsequent probe, by a Danish trade body, found no malicious link in the equipment it examined. It belongs in a category any disciplined assessment knows well — a potential false positive that is still worth checking, precisely because the consequence if it is real is severe.

And the checking is the point. No one has independently verified the inverters sitting on Australian roofs, and “we assume they are fine” is not a control. The risk that matters is not one compromised house; it is the aggregation. A single vendor’s cloud platform can reach a fleet of tens of thousands of devices, and a coordinated change to enough of them at once (every unit ceasing export in the same second, say) is a sudden supply-demand imbalance of the kind that drives frequency away from its nominal 50 hertz: the precondition for protective load shedding and cascading failure and, in the worst case, a system black, a total shutdown that has to be rebuilt through a black start from generators able to start without grid supply. Whether the hidden radios are real is almost beside the point. The remote-control pathway is a documented design feature, openly used for export management, and it has never been independently assured. A Deloitte partner has called the flood of cheap, insecure devices entering Australian homes “digital asbestos”: a hazard installed cheaply now that someone, eventually, will have to pay to remove.

Concentration risk: a risk surface before it is anyone’s intent, and one no one has checked against the Australian fleet.
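The two preceding sections make a quantitative argument (concentration of supply, and the aggregate capacity one cloud platform can switch at once) without showing the arithmetic. The script below is an added example, not part of the original article or anyone’s assessment tooling. It sizes both points on a constructed fleet inventory: vendor and country-of-origin shares with a Herfindahl-Hirschman index, then a textbook swing-equation estimate of the initial rate of change of frequency if the largest platform’s fleet stopped exporting simultaneously. The vendor names are hypothetical, and the system size, inertia constant and ROCOF limit are assumed round numbers, not National Electricity Market figures.

```python
"""Fleet concentration and aggregation sizing for grid-connected inverters.

Added example, not from the original article. The inventory is constructed,
the vendor names are hypothetical, and the system size, inertia constant and
ROCOF limit are assumed round numbers rather than NEM values.
"""
from collections import defaultdict

F0_HZ = 50.0  # nominal system frequency

# Constructed inventory: (vendor cloud platform, country of origin,
# units reachable from that platform, average nameplate kW per unit)
FLEET = [
    ("VendorA", "CN", 120_000, 5.0),
    ("VendorB", "CN", 90_000, 5.0),
    ("VendorC", "DE", 60_000, 5.0),
    ("VendorD", "AU", 30_000, 5.0),
]


def capacity_mw(fleet, key):
    """Sum remotely reachable capacity (MW) grouped by 'vendor' or 'origin'."""
    idx = {"vendor": 0, "origin": 1}[key]
    totals = defaultdict(float)
    for row in fleet:
        totals[row[idx]] += row[2] * row[3] / 1000.0  # kW -> MW
    return dict(totals)


def shares(capacity):
    """Fraction of total capacity held by each group."""
    total = sum(capacity.values())
    return {k: v / total for k, v in capacity.items()}


def hhi(share_map):
    """Herfindahl-Hirschman index on percentage shares (10,000 = one supplier)."""
    return sum((100.0 * s) ** 2 for s in share_map.values())


def rocof_hz_per_s(delta_p_mw, system_mw, inertia_s, f0=F0_HZ):
    """Swing-equation estimate of the initial rate of change of frequency.

    First-order textbook approximation: df/dt = f0 * dP / (2 * H * S), with
    H the aggregate inertia constant (s) on system base S (MW). It ignores
    primary frequency response, which governs how far frequency then falls.
    """
    return f0 * delta_p_mw / (2.0 * inertia_s * system_mw)


def mw_for_rocof(target_hz_per_s, system_mw, inertia_s, f0=F0_HZ):
    """Inverse: how much simultaneous loss of export produces a given ROCOF."""
    return target_hz_per_s * 2.0 * inertia_s * system_mw / f0


def assess(fleet, system_mw, inertia_s, rocof_limit_hz_per_s):
    """Size the exposure: who can reach the most capacity, and what that
    capacity does to frequency if it is switched off at once."""
    by_vendor = capacity_mw(fleet, "vendor")
    by_origin = capacity_mw(fleet, "origin")
    largest_vendor = max(by_vendor, key=by_vendor.get)
    largest_origin = max(by_origin, key=by_origin.get)
    return {
        "vendor_hhi": hhi(shares(by_vendor)),
        "largest_vendor": largest_vendor,
        "largest_vendor_mw": by_vendor[largest_vendor],
        "largest_origin": largest_origin,
        "largest_origin_share": shares(by_origin)[largest_origin],
        "single_cloud_rocof": rocof_hz_per_s(
            by_vendor[largest_vendor], system_mw, inertia_s
        ),
        "mw_to_hit_limit": mw_for_rocof(rocof_limit_hz_per_s, system_mw, inertia_s),
    }


if __name__ == "__main__":
    # Assumed: 25 GW of system load online, aggregate H = 3 s, and an
    # illustrative ROCOF limit of 0.5 Hz/s (a parameter, not a NEM standard).
    result = assess(FLEET, system_mw=25_000, inertia_s=3.0, rocof_limit_hz_per_s=0.5)
    for k, v in result.items():
        print(f"{k:>22}: {v:.3f}" if isinstance(v, float) else f"{k:>22}: {v}")
```

On the constructed inventory the single largest cloud reaches 600 MW and, under the assumed system parameters, a simultaneous trip of that fleet gives an initial ROCOF of 0.2 Hz/s; the whole 1,500 MW fleet reaches the 0.5 Hz/s parameter. The usefulness is in the shape of the result rather than the numbers: the exposure scales with the capacity behind one control plane, which is why vendor concentration and the unassured remote-control pathway are the same question.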

The ownership: why it sits unowned

If the exposure is this visible, why has no one closed it? Because of how the grid is built. In the 1990s Australia took the vertically integrated state electricity commissions — which had owned generation, poles, wires and billing as one entity — and deliberately broke them apart. Generation and retail were opened to competition; the networks were treated as regulated monopolies and, in most states, sold. What emerged is not one organisation but a coalition: separate generators, transmission and distribution networks, retailers and gentailers, coordinated by a thin national regulatory layer sitting on top.

The consequence is rarely stated plainly: no entity sees the whole board. A generator secures its plant, a network its substations, a retailer its billing, an overseas manufacturer its cloud platform — each to its own standard, under its own regulator, with its own incentive to spend no more on security than the rules require. The exposure lives in the seams between them, and the seams belong to no one. That is why a risk this nameable can remain un-owned: there is no single party whose job it is to own it.

The machine: built for efficiency, not resilience

The deeper reason these devices were drawn into the grid is economic, and the economics themselves tell you what the system was built to prize. Australia runs two clocks at once. At one extreme, the wholesale price of electricity is reset every five minutes — and since October 2021 each interval settles on its own price, a design tuned to reward whatever can respond fastest. At the other, you cannot finance a power station or a wind farm on a number that moves every five minutes, so the physical market sits underneath a separate layer of hedging contracts and long-dated offtake agreements — power purchase deals that lock in a price for ten, fifteen, twenty years. Some of those long-term contracts, struck by the major gentailers years ago, are still live today, written before much of this connected hardware existed. A grid that prices itself every five minutes is, at the same time, bound by commitments made two decades out.

That five-minute clock rewards assets that can move in real time — increasingly aggregated fleets of household batteries, bid in as virtual power plants and dispatched remotely over the internet, often through a manufacturer’s overseas cloud. Rooftop solar plays a quieter role, netting off household demand behind the meter, but it is the same connected hardware on the same platforms, and it is the bulk of the volume. The market, in other words, was engineered to pull consumer devices deep into the operation of a national grid — because doing so is efficient, lowers costs and signals investment. Resilience and device-trust were never the question it was built to answer. That is not a scandal; it is a design optimised for one thing, now carrying the weight of another.

The lens: exposure you can see from the outside

Strip away the alarm and what remains is an ordinary, assessable governance exposure — which is exactly how it should be treated. The technical facts translate cleanly into the language the obligated entities already answer to. For a network or generator it is a SOCI risk-management and supply-chain question: an internet-connected operational estate, with vendor remote access, partly built on devices a reasonable assessment would flag as high-risk. For anyone holding the consumption and generation data these devices produce, it is an Australian Privacy Principles and Notifiable Data Breach question. For the controls themselves it maps onto the ASD Essential Eight and the ACSC Information Security Manual. For the financial institutions exposed to energy assets through lending or investment, it is a third-party and operational-resilience question under APRA obligations.

None of that requires system access to assess. What an organisation has connected, what is reachable, whose cloud can reach in, and what a reasonable regulator would already expect of it — the shape of that exposure is visible from the outside, using only public sources. That is the discipline: turning a sprawling, foreign-supplied attack surface into a clear, defensible statement of where an organisation actually stands. It is the same self-attestation gap we examined across government in “Government Is Failing Its Own Cyber Rules,” now playing out at grid scale.

The exposure, in plain terms

  • Four million-plus connected homes feed a grid Australia names as critical infrastructure.
  • The devices are regulated to a consumer baseline of three requirements — not as infrastructure.
  • No high-risk-vendor exclusion for energy exists, while supply is concentrated in a handful of foreign vendors.
  • SOCI’s 30 MW threshold leaves behind-the-meter devices and aggregators outside the critical-infrastructure regime.
  • The whole exposure is observable from the outside, using only public sources.


Frequently asked questions

Are solar inverters and smart energy devices regulated in Australia?

Yes. The Cyber Security Act 2024 and its Smart Device Rules, in force since 4 March 2026, set a mandatory baseline for consumer connectable products, and consumer energy resources including rooftop inverters and home batteries were brought into scope. But it is a consumer-grade baseline of three requirements — unique passwords, vulnerability disclosure and a defined update period — not a critical-infrastructure control regime.

Is there a law banning high-risk or foreign-made solar inverters in Australia?

No. Unlike the high-risk-vendor exclusion Australia applied to 5G telecommunications, there is no enacted equivalent for grid-connected energy devices. The United States and the European Union both moved in 2026 to restrict high-risk inverter suppliers from sensitive or publicly funded energy infrastructure.

Does the Security of Critical Infrastructure (SOCI) Act cover rooftop solar?

The SOCI regime is anchored on generators above 30 megawatts. A single rooftop system sits far below that threshold, and aggregators that remotely control fleets of household devices have no clear classification in the Act.

How can an organisation assess its exposure to these risks?

From the outside, using only publicly available sources. A passive external assessment maps what an organisation exposes — connected systems, vendor remote access, reachable services — against the obligations that bind it, including SOCI, the ASD Essential Eight, APRA standards and the Privacy Act.

The Exposure
No One Has Verified.

A national grid carries this much exposure in plain sight — and every organisation has its own version of it. BlackFlag Advisory maps yours from the outside, using only publicly available sources, and translates it into the regulatory language your obligations are written in.

Passive Only — No Systems Accessed · Confidential by Design

Confidential — no obligation. We respond within 24 hours.