Protecting the Australian energy sector against increasingly sophisticated cyber threats is a matter of national importance - not only to ensure the integrity and reliability of electricity supply via the grid, but also for economic stability and national security purposes.
To address this challenge and in response to the Finkel Review recommendation 2.10, AEMO in conjunction with industry and government partners has developed a tailored cybersecurity framework for the Australian energy sector – the Australian Energy Sector Cyber Security Framework (AESCSF).
This new framework provides a foundation on which the sector can be consistently assessed and will provide the insight required to uplift the maturity of its cyber security capabilities, and ultimately strengthen its cyber resilience.
The new framework will be used to undertake assessments of cyber security maturity across the sector, the results of which will be consolidated into an annual report to the Energy Security Board (ESB), with the inaugural report to be submitted by the end of the 2018 calendar year.
The Australian Energy Sector Cyber Security Framework (AESCSF)
The AESCSF has been developed through collaboration with industry and government stakeholders, including the Australian Energy Market Operator (AEMO), Australian Cyber Security Centre (ACSC), Critical Infrastructure Centre (CIC), and the Cyber Security Industry Working Group (CSIWG) which includes representatives from Australian energy organisations.
The AESCSF leverages recognised industry frameworks such as the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2) and the NIST Cyber Security Framework (CSF), and references global best-practice control standards (e.g. ISO/IEC 27001, NIST SP 800-53, COBIT). It also incorporates Australian-specific control references such as the ASD Top 37 Strategies to Mitigate Cybersecurity Incidents (including the Essential 8), the Australian Privacy Principles, and the Notifiable Data Breaches scheme (NDB).
The Framework Resources section details the background and development of the AESCSF and contains useful resources and supporting materials on how to complete the assessment.
Supporting the AESCSF is a criticality questionnaire that will be used to assess each market participant against a set of predefined criteria to determine their relative criticality to the sector. This questionnaire was developed in collaboration with the Department of Home Affairs Critical Infrastructure Centre (CIC). A market participant’s criticality (as informed by the questionnaire) will inform its desired target state maturity level within the AESCSF.
The questionnaire will be combined with the Framework and targeted guidance material to form an Assessment Toolkit, allowing market participants to assess their cyber security maturity.
The Australian Energy Security Board (ESB) report on its “assessment of the cyber maturity of all energy market participants to understand where there are vulnerabilities” is due by the end of the 2018 calendar year.
The key milestones in achieving this outcome are:
- March 2018: Formation of the Cyber Security Industry Working Group (CSIWG) consisting of AEMO, industry and government representatives - Complete.
- April 2018: Endorsement of approach by the Australian Cyber Security Centre (ACSC) and Critical Infrastructure Centre (CIC) - Complete.
- July 2018: Project initiation following completion of the tender for consultancy support - Complete.
- September 2018: Finalisation of Framework, Criticality Assessment Tool, Assessment Toolkit and supporting Guidance - Complete.
- October 2018: Facilitation of Education Workshops for Market Participants to attend on the application of the AESCSF.
- November 2018: Completion of an AESCSF Self-Assessment by all Market Participants is required by 16 November.
- December 2018: Report delivered to the ESB.
The website will be updated as new materials become available.
For Framework guidance and assessment support, please contact the Project Team:
T: 1800 982 125