
The Australian Energy Sector Cyber Security Framework (AESCSF)

The Australian Energy Sector Cyber Security Framework (AESCSF) was developed in 2018, led by the Australian Energy Market Operator (AEMO) in collaboration with industry and government, to help organizations in the energy sector improve their cyber security capabilities and maturity. It comprises a set of security practices and a methodology for organizations to assess their criticality, which determines the level of maturity they are expected to reach. The framework was updated in 2022 (Version 2).

Framework structure

The framework is broken down into domains and objectives, as well as practices and anti-patterns.

Domain

Domains are groupings of cyber capabilities. There are 11 domains in the AESCSF.

Objective

Objectives are the outcomes that each domain is meant to achieve. Each domain has its own set of objectives.

Practices

Practices are tasks, activities, or positive security patterns. Each objective contains multiple practices.

Anti-patterns

Anti-patterns are negative security patterns that increase cyber risk. They should not be present in an organization, because their presence undermines its security posture. Only nine of the domains contain anti-patterns.

Domains

These are the 11 domains of the AESCSF:

  • Risk management (RISK) — This domain involves establishing, operating and maintaining an enterprise cybersecurity risk management program. The program must identify, analyse and mitigate cybersecurity risk to the organization.
  • Cybersecurity program management (PROGRAM) — The PROGRAM domain establishes and maintains an enterprise cybersecurity program. The program needs to provide governance, strategic planning and sponsorship of cybersecurity activities, and it must align the cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure.
  • Asset, change, and configuration management (ASSET) — This domain involves managing the organization’s operational technology (OT) and information technology (IT) assets, commensurate with the organization’s objectives and the risk to critical infrastructure.
  • Identity and access management (ACCESS) — This domain is concerned with creating and managing identities for entities that may require physical or logical access to the organization’s assets, and with controlling that access.
  • Cyber security architecture (ARCHITECTURE) — ARCHITECTURE involves mapping IT and OT assets and planning how security controls should be implemented across them.
  • Threat and vulnerability management (THREAT) — This domain involves establishing plans, procedures and technologies for threat and vulnerability:
    • Detection
    • Identification
    • Analysis
    • Management
    • Response
  • Situational awareness (SITUATION) — This involves establishing activities and technologies to collect, analyse, alarm, present and use operational and cybersecurity data, so that the organization understands its current security state.
  • Event and incident response, continuity of operations (RESPONSE) — The RESPONSE domain involves establishing plans, procedures and technologies to detect and respond to cybersecurity events and to maintain operations throughout a cybersecurity incident.
  • Supply chain and external dependencies management (THIRD-PARTIES) — This involves managing the cybersecurity risks arising from suppliers and other third parties that the organization depends on.
  • Workforce management (WORKFORCE) — This domain involves creating a cybersecurity-focused work culture and ensuring that employees are competent in their security responsibilities.
  • Australian privacy management (PRIVACY) — This involves mitigating privacy-related risks by managing personally identifiable information throughout its lifecycle.

Maturity Indicator Levels (MILs)

Each practice and anti-pattern is assigned a Maturity Indicator Level (MIL). A MIL indicates how thoroughly a practice is institutionalized rather than merely performed, and the levels are cumulative: reaching a level requires meeting every lower level. There are three levels:

  • MIL 1 — The practice is performed, possibly in an ad hoc manner.
  • MIL 2 — The practice is performed and documented. Stakeholders have been identified and involved. Sufficient people, funding and tools have been provided to support the practice. Standards or guidelines to guide the practice’s implementation have been identified.
  • MIL 3 — Practices meet all MIL 2 requirements. Activities are guided by governance and policies. The personnel performing a practice have adequate skills and knowledge. Policies include compliance requirements for the relevant standards and guidelines. Each practice has assigned personnel who have responsibility and authority for it. Activities are reviewed periodically to ensure that they align with policy.

During an assessment, each practice and anti-pattern is answered with one of the following responses:

  • Partially implemented
  • Largely implemented
  • Fully implemented

The MIL achieved for each domain is then calculated from the responses given for its practices and anti-patterns.

Using the framework

The steps for using the AESCSF include:

  1. Assess your organization’s criticality
  2. Select the appropriate assessment model
  3. Determine which assets are within the assessment’s scope
  4. Complete the assessment

1. Assess your organization’s criticality

This is accomplished with one of three criticality assessment tools, depending on your organization’s subsector:

The Electricity Criticality Assessment Tool (E-CAT)

For:

  • Generation (E-GEN)
  • Transmission (E-TNSP)
  • Independent interconnectors (E-IC)
  • Distribution (E-DNSP)
  • Retail (E-RET)
  • Market operations (E-OPS)

The Gas Criticality Assessment Tool (G-CAT)

For:

  • Production (G-PROD)
  • Transmission (G-TNSP)
  • Bulk storage (G-STOR)
  • Distribution (G-DNSP)
  • Retail (G-RET)
  • Market operations (G-OPS)

The Liquid Fuels Criticality Assessment Tool (L-CAT)

For:

  • Extraction and production (L-EXTR)
  • Transport and import (L-TRAN)
  • Storage (L-STOR)
  • Refinement (L-RFIN)
  • Wholesale and retail (L-WHLS)

2. Select the appropriate assessment model

There are three assessment options:

  • AESCSF Version 2 Full Assessment — This is suited to medium- and high-criticality organizations. Depending on the organization’s size and the stakeholders that need to be involved, collecting the necessary information can take anywhere from a few hours to a few days.
  • AESCSF Version 1 Full Assessment — This is the older version of the full assessment, which remains the minimum standard for medium- and high-criticality organizations. It can also take anywhere from a few hours to a few days to complete.
  • AESCSF Version 2 Lite — This is a stripped-down version of the assessment, intended for lower-criticality organizations. It should take about 15 to 20 minutes.

3. Determine which assets are within the assessment’s scope

Organizations are recommended to assess all of their assets collectively (as opposed to asset by asset). This gives an aggregate view across the organization, which provides a more accurate picture of its overall security posture than a series of isolated, per-asset results.

4. Complete the assessment

To complete the assessment, you will need to involve the right people, because no single team can answer questions spanning governance, IT, OT and support functions. Typically this includes:

  • Organizational management
  • Information technology
  • Operational technology
  • Shared services

Throughout the assessment, take notes that record the evidence behind each response. This substantiates the assessment and makes it far easier to repeat and compare when it is redone in future years.

The AESCSF Framework Core v2 can be downloaded from AEMO.
