What is the AESCSF?
The Australian Energy Sector Cyber Security Framework (AESCSF) offers a tailored approach to bolstering cyber security for OT environments within Australia’s energy sector. In this blog, we provide an overview of the framework and explore its role in uplifting security standards in Australian operational technology (OT) systems, as well as the potential challenges that organisations may encounter while aligning their practices.
So, what is the AESCSF?
The Australian Energy Sector Cyber Security Framework (AESCSF) is a framework developed for the Australian energy sector to enable participants to assess, evaluate, prioritise, and improve their cyber security capabilities and maturity. More specifically, it is used to help address increasing cyber risks and is tailored to the Australian energy sector, aligning with Australia’s existing policies and guidelines. Since its creation, its application has extended beyond the energy sector to other parts of critical infrastructure, such as liquid fuel. Its use in organisations enhances, uplifts, and supports consistency across the market and non-Australian energy markets.
AESCSF was established in 2018 by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre (ACSC), the Cyber and Infrastructure Security Centre (CISC), and representatives from Australian energy organisations. AESCSF draws on various industry frameworks, such as the US Cybersecurity Capability Maturity Model (C2M2) and National Institute of Standards and Technology (NIST), to ensure the best global practices and standards, and is leveraged to ensure compliance with the specifics of Australian laws and policies.
The framework is comprised of two different sections – a critical assessment and a cyber security capability and maturity assessment. Within the critical assessment there are three distinct sections for electricity, gas, and liquid fuels. The capability and maturity assessment is for any organisation applying the framework, regardless of their sector. This is available in both a Full and Lite assessment, which assesses an organisation against eleven different domains:
- Risk Management (RM)
- Cyber Program Management (CPM)
- Asset, Change, and Configuration Management (ACM)
- Identity and Access Management (IAM)
- Information Sharing and Communication (ISC)
- Threat and Vulnerability Management (TVM)
- Situational Awareness (SA)
- Event and Incident Response, Continuity of Operations (IR)
- Supply Chain and External Dependencies Management (EDM)
- Workforce Management (WM)
- Australian Privacy Management (APM)
For each of the domains, organisations are ranked for maturity indicator level (MIL) 1 – 3 and security profile (SP) 1 – 3. The MILs define the organisation’s maturity progression within the framework, whereas the SP provides a target state of maturity which is inclusive of practices with varying MILs.
Assessment within MIL 1 is denoted as a ‘yes’ or ‘no’, to indicate whether the practice is present or not. For MIL 2 and 3, there are four stages – not implemented, partially implemented, largely implemented, and fully implemented. The first two stages – not implemented and partially implemented – are regarded as not complete, and the latter two – largely implemented and fully implemented – are regarded as complete. Each of the MIL practices has individual criteria to meet. Overall, as the MIL advances, there are more detailed requirements to achieve, and proceeding to the next MIL requires the previous MILs to be fully completed. This includes no presence of any anti-patterns, as anti-pattern practices impact the implementation of MIL practices.
The structure described above reflects the current version of the framework; an update (AESCSF V2) is due to be released in 2023.
AESCSF use in operational technology
The AESCSF recognises the importance of securing operational technology (OT) systems by extending its principles to address OT-specific challenges within its assessments, through:
- Risk management by identifying and assessing risks, vulnerabilities, and threats within OT systems, such as supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS).
- Addressing and tailoring OT-specific controls such as network segmentation, access controls, application whitelisting, and anomaly detection to help protect the integrity, availability, and confidentiality of OT systems by minimising the risk of unauthorised disruptions.
- Implementing incident response and recovery plans that consider OT incidents, to guide an effective recovery.
- Establishing OT-specific training and awareness for general and specialised personnel to ensure that all OT system handlers are equipped with practices such as secure configuration management, patching procedures, and safe operation procedures to protect and defend against potential intrusions.
Impact to organisations in Australia
AESCSF is a vital cyber security framework specifically designed for organisations within the energy, gas, and liquid fuel sectors in Australia. It is also the primary framework referenced or mandated by Australian Government departments and relevant regulatory or advisory bodies. As a significant amount of critical infrastructure within the energy sector utilises both OT and IT environments, organisations have used the framework and mandates as an opportunity to significantly uplift their OT security posture to align with their IT security posture.
Organisations have been tasking themselves to meet the minimum alignment of SP-2 to ensure their approach towards cyber security, particularly in their OT space, is implemented correctly, allowing them to manage the evolving cyber threat landscape against critical infrastructure. Some organisations are finding their approach to SP-2 challenging due to the business relying on tacit knowledge with a combination of poor asset management and risk management processes that prioritise cyber security best practices. This is further exacerbated by the complexity of systems and environments within their OT space.
Such challenges have highlighted key constraints and risks related to insufficient resources and technology that are needed within the organisation, particularly in the business-critical space of OT, to adequately meet MIL 2 and 3 practices in their journey towards SP-2.
Need guidance on selecting the right framework for your organisation?
Selecting the right framework is an important first step to ensuring a secure environment, but with so many options on the market, it can prove a daunting task. As a trusted provider of comprehensive cyber security solutions, Secolve offers expertise and guidance needed to navigate the intricacies of these frameworks. We understand the unique challenges faced by OT organisations of all sizes and can assist you in selecting, implementing, and optimising the right framework for your specific needs.
Contact us today to learn more about how we can empower your organisation to navigate the ever-evolving cyber landscape and stay one step ahead of potential threats.