AESCSF Framework and Resources
The AESCSF has been developed through collaboration with industry and government stakeholders, including the Australian Energy Market Operator (AEMO), the Australian Cyber Security Centre (ACSC), the Critical Infrastructure Centre (CIC), and the Cyber Security Industry Working Group (CSIWG), which includes representatives from Australian energy organisations.
The AESCSF leverages recognised industry frameworks such as the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2) and the NIST Cyber Security Framework (CSF), and references global best-practice control standards (e.g. ISO/IEC 27001, NIST SP 800-53, COBIT). It also incorporates Australian-specific control references such as the ASD Top 37 Strategies to Mitigate Cybersecurity Incidents (including the Essential 8), the Australian Privacy Principles, and the Notifiable Data Breaches scheme (NDB).
The lessons learnt from the 2018 assessment process and the feedback obtained from participating members will be used to update the current version of the AESCSF. The updated version will also align to changes in the evolving threat, regulatory and technology framework.
Supporting the AESCSF is a criticality questionnaire that has been used to assess each market participant against a set of predefined criteria to determine their relative criticality to the sector. This questionnaire was developed in collaboration with the Department of Home Affairs Critical Infrastructure Centre (CIC). A market participant’s criticality (as informed by the questionnaire) will inform its desired target state maturity level within the AESCSF.
The supporting resources below detail the background and development of the 2018 AESCSF process, and include useful resources and supporting materials on how the assessment was structured and completed: