The Essential Eight framework has its roots in IT security but has also found application in OT cyber security with its structured approach to tackling challenges that emerge at the intersection of technology and industry. In this blog, we explore this foundational framework, its use in securing OT environments, and why you may or may not choose to implement it within your organisation. 

What is the Essential Eight (E8)? 

The Essential Eight (E8) is an Australian cyber security framework created by the Australian Signals Directorate (ASD) and developed by the Australian Cyber Security Centre (ACSC). The framework was published in 2017 originally to promote a solid security and operational baseline practices within Australian government agencies, department, and local councils and businesses. Since it is considered a good place to begin implementing security controls, many private sector businesses also consider E8 to establish a security foundation within their organisation.  

The Essential Eight is a framework that is most effective for small to medium businesses. It prioritises mitigation strategies designed to protect Microsoft Windows-based, internet-connected networks and is a fundamental starting point for those just starting to implement security measures without suitable budget or resources. As organisations grow, their increased budget and resources allow them to incorporate additional frameworks and standards in addition to E8 to cover all other aspects of managing, mitigating, and preventing cyber risks.  

How is the Essential Eight structured? 

The Essential Eight framework is comprised of three primary objectives: attack prevention, limiting attack impact, and ensure data availability. From these three objectives, eight mitigation strategies were formed to constitute the Essential Eight: 

• Application control 
• Patch applications  
• Configure Microsoft Office macro settings 
• User application hardening 
• Restrict administrative privileges  
• Patch operating systems 
• Multi-factor authentication 
• Regular backups 

Additionally, there are 4 levels of maturity, ranging from zero to three. This helps organisations distinguish between increasing levels of adversary tradecraft and track their compliance.  

Extending E8 to operational technology 

The security controls within the Essential Eight are designed to help foundations of most sectors that utilise IT environments. Implementing E8 to operational technology (OT) environments allows us to enhance the security protection to OT systems and reduce cyber risks. The E8 can help in OT environments by: 

• Enhancing threat mitigation. The security controls within E8 are designed to address common security threats and vulnerabilities on IT-based devices and Windows-based OT devices and instrumentation.
  

• Protecting and increasing resilience to malicious software. E8 emphasises proactive measures such as application whitelisting, patching, and end-user hardening on IT-based devices, including Windows-based OT devices and instrumentation.
  

• Improving access controls. E8 highlights restrictive admin privileges and implementation of multi-factor authentication (MFA), particularly on applications or platforms that support OT environments and industrial control system processes.

• Ensuring business continuity. By regularly backing up and verifying the integrity of digitally enabled devices such as PLCs, industrial network infrastructure, and other supporting IT-based technology in OT environments, organisations can mitigate the risks of unnecessary downtime. 

Implementation of the Essential Eight framework 

At its core, E8 is a baseline framework. Effective use of the framework can be extended to all sectors, not just limited to critical infrastructure, such as financial and education institutions, healthcare providers, and private sector organisations.  

The Australian Government has amended in their Protective Security Policy Framework (PSPF) – Policy 10: Safeguarding data from cyber threats to mandate the Essential Eight framework for all non-corporate Commonwealth entities to be at least maturity level 2. E8 is also implemented within Australian critical infrastructure providers, as can be seen with water and energy suppliers, and transportation and communication networks.  

Large organisations that have complex and siloed IT infrastructure where inconsistent IT environments exist across the organisation, tend to apply only E8 controls at a site or IT-environment level. This approach is not ideal as it may lead to inconsistent roles and responsibilities for managing and maintaining security controls across the complex environment. Complex organisations may need to also apply holistic cyber security controls with centralised oversight to combat cyber risks, as the baseline nature of E8 would not satisfy the organisation’s risk tolerance based on the current cyber threat landscape. Alternative security frameworks such as NIST-CSF and AESCSF would be more applicable and appropriate to a large organisation’s cyber security strategy and approach, due to the holistic nature of their guidance and controls. 

Need guidance on selecting the right framework for your organisation? 

Selecting the right framework is an important first step to ensuring a secure environment, but with so many options on the market, it can prove a daunting task. As a trusted provider of comprehensive cyber security solutions, Secolve offers expertise and guidance needed to navigate the intricacies of these frameworks. We understand the unique challenges faced by OT organisations of all sizes and can assist you in selecting, implementing, and optimising the right framework for your specific needs. 

Contact us today to learn more about how we can empower your organisation to navigate the ever-evolving cyber landscape and stay one step ahead of potential threats.