Align with the Australian Energy Sector Cyber Security Framework
The Australian Energy Sector Cyber Security Framework (AESCSF) was developed through collaboration with industry and government stakeholders, including the Australian Energy Market Operator (AEMO), Australian Cyber Security Centre (ACSC), Critical Infrastructure Centre (CIC) and the Cyber Security Industry Working Group (CSIWG). Based on the US Department of Energy’s ES-C2M2 cyber security capability model, it has been developed and tailored for the Australian energy sector. Its purpose is to enable participants to assess, evaluate and improve their cyber security capability and maturity.
Huntsman Security’s AESCSF solution helps you assess an organisation’s alignment with the framework; it supports the measurement of cybersecurity capability and maturity indicator level.
Download our AESCSF Compliance Guide
How the AESCSF works
Overview of the AESCSF Architecture
AESCSF – Framework Architecture
The AESCSF has two key components, a criticality assessment and a cybersecurity capability and maturity assessment.
The criticality assessment determines the criticality of an entity, relative to its peers – the primary objective of the tool is to rank all participating entities on a single scale for the purpose of reporting, benchmarking and determining the applicable target state maturity guidance from the ACSC.
The assessment is tailored to electricity subsectors: generation, transmission, distribution and retail. Each subsector has been assigned a criticality band on the scale. Key criticality indicators for each electricity market subsector have been established to stratify participating entities within the subsector criticality bands.
The cybersecurity capability and maturity assessment elements of the AESCSF can be used by organisations in any industry. However, the criticality assessment is specific to the electricity sector. The three criticality levels in the AESCSF are aligned to Security Profiles (SPs), as shown in the table.
Criticality Levels and Security Profiles
Cybersecurity capability and maturity assessment
There are two elements of the cybersecurity capability and maturity self-assessment element of the AESCSF – Security Profiles (SPs) and Maturity Indication Levels (MILs).
Cybersecurity capability – Security Profiles
Defined by the ACSC, the AESCSF has three SPs, aligned to the three Participant Criticality levels. Each SP consists of a number of cybersecurity Practices and Anti-Patterns, spread across a set of Domains that map to MILs. There are 282 Practices and Anti-patterns included in the AESCSF
Security Profiles and Practices
The Practices and Anti-Patterns grouped within the SPs are at differing MILs, to target higher levels of maturity across certain cyber security activities and behaviours and in response to the threat landscape. SPs cannot be applied independently to each Domain; in order to achieve an SP, entities must be performing all of the Practices, and not exhibiting any of the Anti-Patterns within that SP, and any preceding SPs, across all Domains. SPs are cumulative i.e. SP-2 can only be achieved if SP-1 is also achieved.
Within the AESCSF the Practices and Anti-Patterns are organised into a set of eleven Domains, each with an overriding security purpose. The Domains include the ten from the ES-C2M2 model plus the Australian Privacy Management Domain.
Maturity Assessment – Maturity Indicator Levels (MILs)
There are four MILs in the model, 0 through to 3. Unlike SPs, the MILs apply independently to each Domain, which means an entity could receive different MIL ratings for different Domains. The overall MIL achieved is the lowest MIL achieved across all Domains. The MILs are cumulative within each Domain; an entity must perform all of the Practices, and not exhibit any of the Anti-Patterns, in that MIL and any preceding MILs.
How the cybersecurity capability and maturity self-assessment works
The cybersecurity capability and maturity self-assessment has two versions:
- a Full self-assessment, and;
- a Lite self-assessment.
A Full self-assessment covers up to all 282 Practices and Anti-Patterns within the AESCSF (for SP-3 entities). A Lite self-assessment consists of 29 multiple choice questions. The scope of the Lite self-assessment is focused on Target State maturity guidance for Low criticality entities, whereas the Full self-assessment is designed for Medium and High criticality entities.
Full details of the AESCSF can be found at: https://aemo.com.au/en/initiatives/major-programs/cyber-security/aescsf-framework-and-reso
Is the AESCSF mandatory?
The AESCSF is not mandatory for Australian energy sector participants. However, the cyber resilience of the sector has come under increasing scrutiny due to the rise in number of sophisticated cyber-attacks against critical infrastructure around the world. The AESCSF aligns with existing Australian Privacy Principles and ACSC Essential Eight Strategies to Mitigate Cyber Security Incidents.
“Securing Australia’s critical infrastructure, and systems that control our essential services, is a major priority for the Australian Cyber Security Centre and our partners in the sector,” said ACSC Head Abigail Bradshaw CSC.
“We are continuing to see attempts to compromise Australia’s critical infrastructure. It is reprehensible that cyber criminals would seek to disrupt or conduct ransomware attacks against our essential services during a major health crisis,” Ms Bradshaw said.
In a time where many key staff work remotely, the ACSC has produced advice to help critical infrastructure providers protect themselves from cyber attack. You can find the advice via the link below:
https://www.cyber.gov.au/news/safeguarding-australias-critical-infrastructure-from-cyber-attack as key staff work remotely during the COVID-19 pandemic.
How Huntsman Security supports the AESCSF
Huntsman Security’s technology supports ten of the eleven domains detailed in the AESCSF.
Huntsman Security’s coverage of AESCSF Domains
Key areas of capability sit within the following domains:
- Continuously measures and audits control configuration, effectiveness and operation
- Performance metrics are mapped against Essential Eight framework maturity levels
- A live dashboard displays compliance and risk against the Essential Eight controls, along with real-time alerting of non-compliance
- Automatically generated and distributed reports to all stakeholders
- Perform logging
- Perform monitoring
- Establish and maintain a common operating picture
- Management activities
Event and Incident Response, Continuity of Operations
- Detect cyber security events
- Escalate cyber security events and declare incidents
- Respond to incidents and escalated cyber security events
- Plan for continuity
- Management activities
Download our AESCSF Compliance Guide
Find out more
If you would like more information regarding Huntsman Security’s support for AESCSF assessment, please send us a message via the button below.