Australia is experiencing a once-in-a-generation energy build-out. Offshore wind and distributed energy systems are being deployed at speed, reshaping how electricity is generated, coordinated and controlled. The urgency—driven by decarbonisation, reliability and resilience—is exposing a harder problem: infrastructure risk assessment is struggling to keep pace with the systems we are constructing.
Blind spots are emerging first in electricity generation and distribution. But as new technologies are layered and scaled nationally, risk exposure compounds and becomes harder to evaluate. Rather than trying to eliminate risk, the objective needs to be identifying, managing and containing it before it hardens into structural vulnerabilities.
The issue is not just that each of many component technologies could pose risk to generation; it is that integrating them can produce new, system-level vulnerabilities that are difficult to detect in advance. Shared firmware, overlapping control planes, common vendors and remote-access pathways may appear manageable in isolation but may not be when replicated across the grid. These interaction effects are the blind spots.
Offshore wind power illustrates the challenge. A modern project is not simply turbines anchored in the sea. It combines sensors, industrial control systems, remote diagnostics, subsea communications, cloud platforms and globally distributed supply chains. Each element may be assessed for safety and cyber resilience. The harder question is how they interact once integrated.
But this pattern is not confined to offshore wind. Grid-scale batteries depend on software updates and cloud coordination. Rooftop solar, household batteries and electric vehicle chargers are orchestrated through aggregators. Control increasingly resides in software layers spanning jurisdictions. Projects are assessed individually; the cumulative exposure across the entire collection of technologies—what specialists call the ‘technology stack’—is not.
As concentration deepens in parts of the clean-energy supply chain, structural risk is sharpening. When a small number of suppliers dominate critical components, commercial leverage and technical dependency converge. A single deployment may appear manageable. But repetition at scale makes substitution harder and more costly. Flexibility erodes and resilience becomes harder to recover. Once platforms are embedded across projects, options narrow and trade-offs harden—especially where viable alternatives are already limited.
This dynamic is clearest where industrial policy has driven scale in targeted sectors. China’s combination of state direction, preferential finance and coordinated scale has secured dominance in several clean-energy and enabling technologies. The strategic question for Australia is structural: does reliance on a dominant supplier create system-level vulnerability, even if individual projects seem acceptable?
ASPI’s earlier work in a report titled ‘In Whose Tech We Trust?’ examined how ownership, access, jurisdiction and control shaped national risk. That framing remains essential. But as energy systems becomes more software-defined and interdependent, those same questions now need to be answered inside operational systems, not only at the level of procurement or market design.
Australia’s policy settings recognise systemic risk. Cyber-physical threats are now part of mainstream energy security thinking, and supply-chain assurance is receiving greater scrutiny. The challenge is not the absence of awareness, but analytical framing. Assessments still tend to occur asset by asset, mirroring patterns seen in other digitally enabled sectors or earlier eras of infrastructure.
What is needed is a way to see the technology stack in energy as a stack.
A technology-stack threat-surface analysis begins with integration rather than provenance. Instead of asking whether a particular vendor is ‘safe’, it examines how hardware, firmware, software, communications pathways and operational practices interact once deployed at scale. It focuses on consequence, concentration and controllability: how severe would disruption be, how concentrated dependencies are, and how much practical control exists if something goes wrong.
The value is precision, not alarmism.
System-level analysis would enable decision-makers to distinguish between tolerable dependencies and high-consequence concentrations. It would clarify which risks can be mitigated through architecture, governance or contractual controls, and which require diversification or redesign—doing so before configuration choices lock in and alternatives narrow.
Consider distributed energy. The question is not whether every inverter, battery or charger is suspect; it is whether particular combinations of firmware, cloud orchestration, update mechanisms and market incentives could create conditions for cascading disruption. Those conditions depend on configuration, timing and scale. Without stack-level visibility, governments risk either complacency or blunt interventions that impose unnecessary economic cost.
The same logic applies to offshore wind. Connectivity and remote-access settings chosen today will shape national exposure for decades.
There is also a strategic dimension. Australia increasingly needs to explain its infrastructure choices to partners, investors and allies. Demonstrating that decisions rest on rigorous, system-level analysis strengthens credibility and shows risks are being managed proportionately.
A technology-stack threat-surface analysis will not eliminate risk. No complex system is risk-free. What it offers is the ability to see how exposure accumulates, intervene early and make defensible energy-security decisions with eyes open.
If Australia is to build clean energy at pace while retaining confidence in the systems it deploys, it needs to invest not only in generation capacity but in analytical capability. Seeing the energy stack before it locks in is becoming essential to governing a resilient and trusted energy transition.