The Australian Energy Sector Cyber Security Framework (AESCSF) was developed in 2018 to help organizations in the energy sector improve their cyber security capabilities and maturity. It includes relevant security practices and a methodology for organizations to assess their criticality. The AESCSF was updated in 2022.

Framework structure

The framework is broken down into domains and objectives, as well as practices and anti-patterns.

Domain

Domains are groupings of cyber capabilities. There are 11 domains in the AESCSF.

Objective

Objectives are targets to support domains. Each domain has its own objectives.

Practices

Practices are tasks, activities, or positive security patterns. Each objective contains multiple practices.

Anti-patterns

Anti-patterns are negative security patterns that increase cyber risk. They should not be present, because they undermine an organization’s cybersecurity. Only nine of the domains contain anti-patterns.

Domains

These are the 11 domains of the AESCSF:

• Risk management (RISK) — This domain involves establishing, operating and maintaining an enterprise cybersecurity risk management program. The program must identify, analyse, and mitigate cybersecurity risk to the organization.
• Cybersecurity program management (PROGRAM) — The PROGRAM domain establishes and maintains an enterprise cybersecurity program. This needs to provide governance, strategic planning, and sponsorship of the cybersecurity activities. It must align the cybersecurity objectives with the organization’s strategic objectives and risk to critical infrastructure.
• Asset, change, and configuration management (ASSET) — This domain involves managing the organization’s operational technology (OT) and information technology (IT assets). The management needs to be measured alongside the organizational objectives and risk to critical infrastructure.
• Identity and access management (ACCESS) — This domain is concerned with managing identities for entities that may require physical or logical access to the organization’s assets.
• Cyber security architecture (ARCHITECTURE) — ARCHITECTURE involves mapping your IT and OT assets, as well as planning how security controls should be implemented.
• Threat and vulnerability management (THREAT) — This domain involves establishing plans, procedures and technologies for threat and vulnerability:
  • Detection
  • Identification
  • Analysis
  • Management
  • Response
• Situational awareness (SITUATION) — This involves establishing activities and technologies to collect, analyse, alarm, present and use operational and cybersecurity data.
• Event and Incident Response, Continuity of Operations (RESPONSE) — The RESPONSE domain involves establishing plans, procedures and technologies to respond to cybersecurity events and to maintain operations.
• Supply chain and external dependencies management (THIRD-PARTIES) — This involves managing the risks from third-party vendors.
• Workforce management (WORKFORCE) — This domain involves creating a cybersecurity-focused work culture and ensuring employees are competent.
• Australian Privacy Management (PRIVACY) — This involves mitigating privacy-related risks through managing personally identifiable information throughout its lifecycle.

Maturity Indicator Levels (MILs)

Each practice and anti-pattern has a Maturity Indicator Level (MIL). MILs indicate the maturity relative to other practices. There are three levels:

• MIL 1 — The practice is performed
• MIL 2 — The practice is performed and documented. Stakeholders have been identified and involved. Sufficient people, funding and tools have been provided to support the practice. Standards to guide the practice’s implementation have been identified.
• MIL 3 — Practices meet MIL 2. Activities are guided by governance and policies. The personnel performing a practice have the adequate skills. Policies feature compliance requirements for standards and guidelines. Each practice has assigned personnel who have responsibility and authority for it. Activities are reviewed periodically to ensure that they align with policy.

MILs for each domain are assessed as:

• Partially implemented
• Largely implemented
• Fully implemented
  They are calculated based upon the response for the patterns and anti-patterns.

Using the framework

The steps for using the AESCSF include:

1. Assess your organization’s criticality
2. Select the appropriate assessment model
3. Determine which assets are within the assessment’s scope
4. Complete the assessment

1. Assess your organization’s criticality

This is accomplished through one of three tests, depending on your organization’s subsector:

The Electricity Criticality Assessment Tool (E-CAT)

For:

• Generation (E-GEN)
• Transmission (E-TNSP)
• Independent interconnectors (E-IC)
• Distribution (E-DNSP)
• Retail (E-RET)
• Market operations (E-OPS)

The Gas Criticality Assessment Tool (G-CAT)

For:
• Production (G-PROD)
• Transmission (G-TNSP)
• Bulk storage (G-STOR)
• Distribution (G-DNSP)
• Retail (G-RET)
• Market operations (G-OPS)

The Liquid Fuels Criticality Assessment Tool (L-CAT)

For:
• Extraction and production (L-EXTR)
• Transport and import (L-TRAN)
• Storage (L-STOR)
• Refinement (L-RFIN)
• Wholesale and retail (L-WHLS)

2. Select the appropriate assessment model

There are three separate assessment options:

• AESCSF Version 2 Full Assessment — This is suited to medium and high-criticality organizations. Depending on the organization’s size and its required stakeholders, it could take between a few hours and a few days to collect the necessary information.
• AESCSF Version 1 Full Assessment — This is the older version, which is the minimum standard for medium and high-criticality organisations. It could take anywhere from a few hours to a few days to complete.
• AESCSF Version 2 Lite — This is a stripped down version of the assessment. It should take between 15-20 minutes.

3. Determine which assets are within the assessment’s scope

It’s recommended for organizations to include all of their assets in the assessment collectively (as opposed to asset by asset). This gives them an aggregate view of the assets across the organization, which provides a more accurate view of the organization’s overall security posture.

4. Complete the assessment

To complete the assessment, you will need to include the right people, such as:

• Organizational management
• Information technology
• Operational technology
• Shared services

Throughout the assessment, you should take notes to substantiate your assessment. This will make it easier when you redo the assessment in future years.

The AESCSF CORE v2 can be downloaded here.

The post The Australian Energy Sector Cyber Security Framework (AESCSF) appeared first on Josh Lake Writing.

The Queensland Government’s information and cyber security policy (IS18) aims to improve the security of services to Queenslanders. It strives to make organisations more robust by continuously improving information security.

The policy helps to ensure that the Queensland Government uses a risk-based approach that’s consistent in its implementation. Ultimately, it strives to maintain confidentiality, integrity and availability.

IS18 is split up into:

• Five policy requirements
• Two reporting requirements
• Advice
• Scope
• Applicability
• Implementation
• Policy benefits

The five policy requirements:

1: Agencies must implement an ISMS based on ISO 27001

This requires agencies to implement and operate an information security management system (ISMS) that’s based on the latest version of ISO 27001 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements. This is one of the global standards that defines ISMS requirements. ISO 27001 guides organizations in how to establish, implement, maintain and continually improve their ISMSs. Agencies must ensure that their ISMS is scoped to include security for all:

• Services
• Information
• Applications
• Technology assets

2: Agencies must apply a systematic and repeatable approach to security risk management

Risk management is central to effectively implementing and operating an ISMS. The information security risks faced by an agency need to be taken into account so that it is responsive to the constant changes of the threat landscape. It’s important for agencies to consider the risks associated with operational technology (OT) and ensure that it is governed holistically.

3: Agencies must meet minimum information security requirements

Queensland Government agencies are required to comply with the:

• Queensland Government Information security classification framework (QGISCF)
• Data encryption standard (DES)
• Queensland Government authentication framework (QGAF)

They also need to implement the Australian Signals Directorate’s (ASD) Essential Eight Strategies.

4: Accountable officers must obtain security assurance for systems

Accountable officers, such as CEOs, must obtain security assurance for each system to ensure that it adheres to policy and has the appropriate protections in place. The level of assurance required is determined by the a system’s criticality and significance.

5: Accountable officers must attest to the appropriateness of agency information security

Accountable officers need to endorse the information security annual return through the corporate audit and risk committee. They also need to attest to the agency’s information security posture and that its ISMS is compliant. This attestation must be published in the agency’s annual report.

Reporting requirements

1. Agencies must submit an information security annual return for each financial year. It is due each September 30.
2. When there is an applicable incident, an agency must engage with the Cyber Security Unit (CSU) as soon as possible. The specifics are outlined in the QGEA Information Security Incident reporting standard.

Advice

The IS18 policy should be read alongside the Cyber Security Policy documents for further information.

Scope

IS18’s scope includes:

• Where information, apps, and other tech can impact the business of the QLD Government or service delivery to Queenslanders.
• Activities affected by information security.

Applicability and implementation

IS18 applies to all QLD Government departments, accountable officers and statutory bodies. When implementing this policy, agencies should complete a gap analysis and develop a transition plan that’s based on a risk assessment. This needs to be signed off by the accountable officer.

IS18 policy benefits

Among other benefits, IS18:

• Helps the QLD Government align with international best practices.
• Uses a risk-based approach to improve decision making.
• Provides a flexible approach.
• Supports timely incident reporting.

The post What is the Queensland Government’s IS18 (Information and cyber security policy)? appeared first on Josh Lake Writing.