AESCSF | Sekuro

Assessing Cyber Security Maturity with the AESCSF

In an era where the cyber threat landscape is constantly evolving, robust cyber security measures are non-negotiable for all industries. However, nowhere is the need more acute than in the energy sector. For energy providers, the stakes are extraordinarily high; a cyber attack on critical energy infrastructure can have far-reaching consequences, affecting everything from individual households, to business, to national security. The urgency of fortifying cyber defences in this sector is apparent from high profile cyber attacks such as the Colonial Pipeline ransomware attack in 2021, leading to widespread fuel supply disruption across the Eastern United States.  

Amidst this backdrop, the Australian Energy Sector Cyber Security Framework (AESCSF) emerges as a critical tool. Designed to bolster the cyber resilience of the energy sector, the AESCSF provides tailored guidelines that address the unique challenges faced by energy providers. Given that there are multiple frameworks available, including two versions of the AESCSF itself, it is important for stakeholders to understand the nuances of these frameworks. This article will demystify the AESCSF, discussing its purpose, intended audience, and the key features that make it a cornerstone of Australia’s defence against cyber threats in the energy sector.

What is the AESCSF?

The AESCSF is a specialised cyber security framework developed specifically for the Australian energy sector. This framework serves as a blueprint for energy providers to assess, build, and manage their cyber security capabilities effectively. Given the critical nature of the infrastructure they operate, the AESCSF is designed not just to mitigate risks but to enhance resilience against potential cyber threats that can disrupt energy supply and impact national security.

The genesis of the AESCSF can be traced to the growing realisation of the escalating cyber threats facing the energy sector. As these threats evolved in complexity and potential impact, the need for a robust, yet flexible, sector-specific framework became apparent. In response, the AESCSF was developed through a collaborative effort involving key stakeholders from both industry and government. This cooperation ensured that the framework was not only comprehensive but also practical, tailored to the real-world needs and challenges specific to the energy sector in Australia.

Since its inception, the AESCSF has undergone one major revision to adapt to the changing cyber landscape. The transition from Version 1 (V1) to Version 2 (V2) of the framework marked a substantial development in utility and robustness, with V2 expanding on the original by introducing more refined tools and clearer guidelines to assist energy providers in achieving higher levels of cyber maturity. The differences between V1 and V2 will be addressed in more detail below.

AESCSF Versions | Sekuro
AESCSF Versions

Who is the AESCSF For?

The AESCSF is designed to assist any organisation interested in assessing their cyber security maturity and capability. Specifically, the framework is tailored to address the unique challenges and requirements of the electricity, gas, and liquid fuels sub-sectors. However, it is particularly vital for entities operating within critical infrastructure sectors or those managing operational technology (OT) assets. Organisations outside these energy sub-sectors might find that the Criticality Assessment Tool (CAT), which is part of the AESCSF, is less applicable due to its focus on criteria that are uniquely relevant to these specific industries.

How is the AESCSF Different from C2M2?

The AESCSF was specifically developed to align closely with the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2), using it as a foundational framework. However, the AESCSF introduces several elements specifically designed to address the unique needs of the Australian energy sector.

While C2M2 was created by the U.S. Department of Energy with a broad application intended for any industry worldwide, the AESCSF narrows its focus significantly to cater exclusively to the energy sector, encompassing electricity, gas, and liquid fuels sub-sectors in Australia. This focus is evident in several key additions:

  • Australian-specific requirements: the AESCSF incorporates Australia-centric security strategies such as the Essential 8 Strategies, which are a series of baseline cyber security measures recommended by the Australian Cyber Security Centre (ACSC). It also aligns with the Australian Privacy Principles, and the  Australian Government Information Security Manual, such that AESCSF compliance achieves consistency across these other references.
  • Contextual guidance relevant to the Australian energy market: AESCSF provides tailored guidance that considers the specific operational and regulatory environment of the Australian energy market. This includes nuances in market operations, legal requirements, and regional cyber security threats.
  • Additional information on best practices and common pitfalls: The framework goes further to equip organisations with knowledge on best practices specifically curated for their context and alerts them to common pitfalls that energy sector entities might face in Australia.
Differences between AESCSF and C2M2 | Sekuro
Differences between C2M2 and AESCSF

Note: C2M2 underwent a major update to C2M2 V2.1, the changes subsequently incorporated into AESCSF V2.

In essence, AESCSF acts as a more comprehensive and localised version of C2M2 for the Australian energy sector. It offers deeper guidance and addresses Australian regulatory concerns alongside the core C2M2 framework. These enhancements make the AESCSF a robust tool for Australian energy sector entities, ensuring their cyber security practices are both globally informed and locally applicable. This strategic adaptation from the broader C2M2 model reflects a thorough understanding of the sector-specific risks and regulatory environment that characterises the Australian energy landscape.

The Structure of the AESCSF

As a framework, the AESCSF can be broken down into two key components: criticality assessment, and cyber security capability and maturity self‐assessment.

 CRITICALITY ASSESSMENT

The first component, the criticality assessment, utilises the Criticality Assessment Tool  (CAT) mentioned earlier. This tool is adapted to the specific needs of different sub-sectors within the energy industry – electricity, gas, and liquid fuels – each having a tailored version of the CAT. The outcomes of this assessment are crucial as they determine the specific form of self-assessment required by the participating organisation. This ensures that the evaluation is perfectly aligned with the nature and risks of their operations.

Cyber security capability and Maturity Self-Assessment

The second component, the Cyber Security Capability and Maturity Self-Assessment, is designed to be universally relevant to all participants, regardless of their market sub-sector. This comprehensive assessment encompasses all practices outlined in the AESCSF, which are further broken down into Domains, Objectives, Practices, and Anti-Patterns. In essence, the framework organises a set of cyber security practices into eleven logical domains, providing a structured approach to evaluating and enhancing cyber security maturity.

The framework describes a total of 282 Practices and Anti-Patterns in V1, and this number increases to 354 in V2, reflecting a desire for the energy sector to undergo more thorough cyber maturity assessment. Additionally, there is a Lite Self-Assessment available in the form of a questionnaire, which is particularly suited for participants with low criticality assets or those new to the framework and possibly resource-strapped.

This two-pronged approach ensures that all entities, from large utilities to smaller firms, have a methodical way to assess and improve their cyber security readiness effectively. The Lite Self-Assessment further allows newer participants to assess how ready they are to take on V1 or V2 assessment as they mature.

Components of the AESCSF | Sekuro
AESCSF Components

Cyber Security Capability and Maturity Measures

In the context of the AESCSF, cyber security capability and maturity are gauged through two key metrics: the Maturity Indicator Level (MIL) and the Security Profile (SP).

Maturity Indicator Level (MIL)

The MIL is a core measure based on a maturity scale similar to that established in the C2M2. In the AESCSF, each Practice and Anti-Pattern is assigned a MIL, indicating its maturity relative to other Practices within the framework. The MIL scale ranges from MIL-1, which represents the most basic level of maturity, to MIL-3, the most advanced or sophisticated level. 

It is important to note that each Domain within the framework assesses maturity independently. For example, an organisation might achieve a MIL-1 in the “Architecture” Domain but score a MIL-3 in “Risk Management”. The overall MIL for a participant is determined by their lowest MIL score across all Domains. Therefore, even if an organisation scores MIL-3 across most Domains but receives a MIL-1 in just one Domain, such as “Architecture”, the overall MIL would be MIL-1. To progress to a higher MIL, an organisation must meet all the Practices of that level and the one preceding it, without exhibiting any Anti-Patterns from either level.

Security Profile (SP)

The Security Profile (SP) is an innovative measure introduced specifically within the AESCSF and is not found in the C2M2. SPs are developed by the ACSC in consultation with the Australian Energy Market Operator (AEMO) and industry representatives. This measure uses a risk-based approach to evaluate maturity and serves as a benchmark for organisations within the energy sector. The appropriate SP for an organisation is determined based on its overall criticality assessment. Unlike MILs, SPs are not applied independently; to achieve a designated SP, an organisation needs to satisfy the Practices across all relevant Domains for that SP and higher levels, while also ensuring no Anti-Patterns are present for those levels.

These measures are designed to provide organisations with a clear framework to assess their cyber security posture systematically and make informed improvements tailored to their specific operational and risk contexts.

Identifying and Achieving a Target State Maturity

SPs are designed to be dynamic, effectively responding to the evolving threat landscape within the energy sector. This flexibility is crucial for maintaining resilience against new and emerging threats.

As such, SPs are structured to allow for adjustments in the allocation of Practices among different maturity levels. This means that Practices initially categorised at a higher MIL can be reassigned to a lower SP if the risk assessment and industry standards deem it more critical. This dynamic structuring helps organisations remain agile, ensuring that their security measures are both current and effective.

For instance, the Practice concerning the update and prioritisation of suppliers and other third parties, currently listed as THIRD-PARTIES-1f, is a prime example of this flexibility. Although it is designated at MIL-3, indicative of a high maturity level, it falls under SP-2. This placement recognises the critical nature of managing third-party risks efficiently, ensuring that such Practices are prioritised appropriately in response to their potential impact on security.

Maturity Indicator Levels (MIL) | Sekuro
AESCSF Maturity Indicator Levels

How Sekuro Can Help

Sekuro is exceptionally well-suited to support organisations with the AESCSF, drawing upon its wealth of experience with GRC frameworks. With a proven track record, Sekuro excels in guiding businesses towards alignment with regulatory and industry standards, encompassing but not limited to the AESCSF, NIST CSF, ISM, and ISO27001.

For organisations outside the energy sector, Sekuro brings extensive expertise in leveraging the NIST CSF as a foundational tool for evaluating cyber security strategies against globally recognised best practices. Sekuro, as an industry leader, is striving to be among the first NIST CSF 2.0 capable organisations in Australia. Additionally, Sekuro offers support in crafting precise risk scenarios and threat models through the utilisation of the Mitre Att&ck Framework and the NIST 2.0 Framework.

Energy sector companies that are seeking to align themselves with the AESCSF framework can partner with Sekuro on various levels, including:

  • Consultation on criticality, relevance, which framework is most suited to the organisation;
  • Assessment of which practices are not yet in alignment with AESCSF;
  • Consultation on strategy and planning the roadmap to adjust practices to align with the AESCSF;
  • Solutions on the operation of practices in alignment with the AESCSF through its GRC consultancy.
Sita Bhat

Principal Consultant, Sekuro

Sita Bhat is a Principal Consultant at Sekuro, and leads the Governance, Risk and Compliance (GRC) team across various states in Australia – working with numerous global tech giants. Sita is an IRAP Assessor and is passionate about sharing her skills and knowledge, and championed the first GRC related stream inside Sekuro's Hackcelerator program.

Hollie Brown, Consultant
Hollie brown

IRAP / GRC Consultant, Sekuro

Hollie is a Consultant within the GRC team at Sekuro, specialising in IRAP assessments. She has a passion for cyber security in the areas of governance, risk management and compliance, with a background in developing cyber security solutions based on frameworks, risk, and gap assessments.

Scroll to Top