The Australian Energy Sector Cyber Security Framework (AESCSF) was developed explicitly for the Australian energy sector in response to the heightened cyberthreat that continues to taunt the industry. Since its first release in 2018, the Framework has been refined to better cater for organisations of varying maturity and criticality, and closely maps to a number of international and Australian Cybersecurity standards, including the NIST CSF, ISO 27000 series, IEC 62443 series, and the Privacy Act 1988 (Cth).

Serving as both a cybersecurity framework and an annual assessment program, the AESCSF provides a standardised approach for organisations to assess their current state of security capabilities and maturity, and ensure they are well equipped and prepared should a cyber-attack eventuate. Moreover, the framework allows organisations to benchmark themselves against other organisations in the energy sector. Whilst the assessment is still voluntary, we strongly recommend that all organisations within the energy sector complete it to gain visibility of their current cyber security posture ensure appropriate controls are in place to prevent any future attacks. 

The assessment itself consists of two components. The first is performed using a Criticality Assessment Tool (CAT) which determines your organisation’s criticality within the energy sector. Whether you are an electricity, gas or liquid fuels organisation, there is a specific CAT that aligns to your needs (keep in mind that if you operate in more than one energy sub-sector (you have both electricity and gas assets, for example) the respective criticality assessment must be done for each sub-sector). The overall criticality of your organisation is subsequently determined by which sub-sector scored the highest. Finally, each criticality rating is aligned to a respective Security Profile (SP) rating, from 1 (lowest) to 3 (highest). 

The second component of the AESCSF is a maturity assessment which examines the security practices in place across 11 domains, and assesses their maturity using a progressive approach. The respective domains are:

• Risk Management
• Cybersecurity Program Management
• Workforce Management
• Identity and Access Management
• Asset, Change and Configuration Management
• Event and Incident Response, Continuity of Operations
• Situational Awareness
• Threat and Vulnerability Management
• Australian Privacy Management (Australian Specific)
• Cybersecurity Architecture
• Supply Chain and External Dependencies Management.

The AESCSF has three different maturity assessments, however, the model selected for the organisation is dependent on the results from the CAT assessment. Each assessment model consists of a pre-determined number of practices which must be in place, as well as anti-patterns (‘bad’ activities which undermine the effectiveness of cyber security capabilities) which must not exist. Conducting this assessment gives you visibility of the percentage of practices your organisation meets for each domain, thus enabling you to determine your cyber security maturity level, and establish a plan to address the identified gaps.  

Conducting an AESCSF assessment annually provides organisations with a better understanding of their current state, pinpointing where controls are deficient, where further uplift may be required, and where cybersecurity controls are in place and operating effectively. From these findings, a remediation process can be established, leaving the organisation better equipped to prevent and address possible cyberattacks. 

Threat actors are getting smarter by the minute, frequently targeting the weakest link when setting out on their destructive rampage against critical assets. More than ever before, entities in the energy sector must have comprehensive awareness of their operating environment, and a proactive approach to cyber security.