Australian Energy Sector Cyber Security Framework

The AESCSF Benchmarking Dashboard is now live.

Benchmarking will remain open until Friday 22 March 2024.

Protecting Australia’s energy sector from cyber threats is of national importance. This has been recognised by the inclusion of the energy sector within the Security of Critical Infrastructure Act 2018 (SoCI Act) reforms. These reforms support the ability of the energy sector to maintain secure and reliable energy supplies, thereby supporting our economic stability and national security.

Background  

In response to the Independent Review into the Future Security of the National Electricity Market - Blueprint for the Future recommendation 2.10, in 2018 the Australian Energy Market Operator (AEMO) collaborated with industry and government to develop a tailored cyber security framework for the Australian energy sector – the Australian Energy Sector Cyber Security Framework (AESCSF).
The AESCSF is both a framework and an annual voluntary assessment program. The program covers Australia’s electricity, gas markets (since 2021) and liquid fuels sector (since 2022).

Participation in the AESCSF program enables participants to undertake assessments of their own cyber security capability and maturity. Participants can use the results to inform and prioritise investment to improve cyber security posture. Participation is voluntary.

Each participating organisation’s assessments are anonymised, and the aggregated results analysed to produce the annual Report into the cyber security preparedness of the Australian electricity, gas and liquids sector. The confidential report is provided to Energy Ministers to support the energy sector’s developing cyber maturity. The program provides valuable national energy cyber security capability and maturity insights to complement SoCI Act reforms.

AESCSF 2023 Program

AEMO continues to work in partnership with the Department of Climate Change, Energy, Environment and Water (DCCEEW) and the Department of Home Affairs Critical Infrastructure Centre (CISC) on the 2023 Program to support energy organisations' continued cyber maturity journey and to support energy organisations' Risk Management Plan (RMP) regulatory obligations under the SoCI Act.

The 2023 program will support:

Benefits

  • Participants can use the self-assessment results to inform actions, priorities, and investments, to deliver a consistent risk-based approach, embedding cyber security responsibilities in the first line of defence to build organisational operational resilience.
  • Participants will be able to benchmark their organisation against energy sector peers.
  • Participants can use the Program to assess their cyber maturity to support their Risk Management Plan (RMP) regulatory obligations under the SoCI Act.
  • The 2023 aggregated and anonymised AESCSF Self-Assessment data provides data-driven insights that are used for the benchmarking tool (available for participants) and informs content for the Cyber Security Preparedness of Australia’s Energy Sector Annual Report. In turn, this information informs sector policies to improve cyber security and operational resilience in the energy sector.

AESCSF Version 2

Since its establishment in 2018 the AESCSF has had minor annual updates. The AESCSF is based on the U.S. Department of Energy’s (DOE) Cybersecurity Capability Maturity Model (C2M2). The C2M2 has been through a process of updating, culminating in the publication of Cybersecurity Capability Maturity Model (C2M2) version 2.1 (referred to as C2M2 V2.1) in June 2022.

In consultation with industry and government partners, AEMO and DCCEEW updated the AESCSF to align with current international standards and address emerging technologies and the evolving cyber threat landscape. This will enhance industry cyber security risk management and assist industry with future planning and investment decisions.

In December 2022 Energy Ministers endorsed AESCSF Version 2 (v2) and its use in the program. The Energy Ministers’ decision provided clear guidance about the continued role of the program to support energy sector cyber uplift. AESCSF’s value has also been recognised by its incorporation into the Risk Management Program (RMP) under the SoCI Act. The AESCSF 2023 Program is supporting assessment against both versions of the Framework.

 

| AESCSF v1: Framework Core Component | AESCSF v1: Number of Practices / Anti-Patterns | AESCSF v2: Framework Core Component | AESCSF v2: Number of Practices / Anti-Patterns |
| --- | --- | --- | --- |
| US C2M2 Version 1.1 Practices* | 224 | US C2M2 Version 1.1 Practices* | 296 (+72) |
| Australian Privacy Management Domain | 16 | Australian Privacy Management Domain | 16 |
| Anti-Patterns | 42 | Anti-Patterns | 42 |
| TOTAL | 282 | TOTAL | 354 (+72) |

Visit the AESCSF Framework and Resources website to review all of the new resources on the AESCSF.

Contacts 

For further information on the AESCSF please contact the Project Team:
E: aescsf@aemo.com.au 

 