How to Quickly Use the AESCSF Assessment Framework

What is the AESCSF Framework?

In 2017, the Australian government set out an initiative to strengthen the country’s cybersecurity posture and created the AESCSF. The framework was revised in 2019, and again in 2020. Though no major changes were made in 2020, the revision came as part of Australia’s Cybersecurity Strategy 2020, which has brought increased scrutiny of organizations operating within critical infrastructure sectors.

 

The framework applies specifically to Australian energy companies, and contains Australian-specific controls, along with questions from existing frameworks, such as the United States’ ES-C2M2 and NIST-CSF.

 

There are two parts to the framework: a criticality assessment and a cybersecurity capability and maturity assessment. The criticality assessment is designed to determine the criticality of each participant relative to their peers. This portion of the assessment has two separate versions, one for electricity companies and one for gas companies.

 

The capability and maturity assessment is designed for any organization operating with critical or operational assets, regardless of the subsector. There is a full version, which is to be used for medium or high-criticality organizations, and a lite version, which is limited in focus to only the Target State maturity guidance from the ACSC for Low criticality Electricity Participants.

 

 

Why Use the AESCSF Framework?

As of the writing of this article, the AESCSF is not required by the Australian government. However, proposals have been made to make it obligatory. Regardless, the AESCSF is a great framework for Australian energy companies to adopt since it relies on trusted frameworks and takes a proactive approach to mitigating cybersecurity incidents.

 

Plus, organizations that submit their assessment will be able to access benchmark data to compare their results with others in their industry, which may help them better understand where to prioritize remediations.

 

 

How to Conduct an AESCSF Assessment?

The Australian Energy Market Operator (AEMO), which helped create the AESCSF assessment, offers several resources on its website to help you get started. These resources include an Excel spreadsheet of the framework questionnaire and a PowerPoint deck explaining the order in which each section can be completed.

 

However, organizations with limited teams may find it difficult to organize and implement this framework with the resources provided. It may be helpful to engage a consultant within the Australian market or find ways to reduce the burden on your team by automating some of the assessment processes.

 

 

Ready to Start Your AESCSF Assessment?

Whether you choose to engage a consultant or tackle it yourself, SecurityGate.io can help your organization quickly get started with conducting an AESCSF assessment. Our platform does the heavy lifting of distributing and collecting assessment data within one secure location. SecurityGate.io is already being used by our network of Australian-based consultants to conduct AESCSF assessments.

 

If you’re ready to start your next AESCSF assessment, reach out to our team about getting started with the SecurityGate.io platform, or explore our list of consultant partners who can help you navigate the new assessment for Australian energy companies.

 

 

Brent Gage

After beginning his career as a roustabout on an offshore drilling rig, Brent is now the Manager of Cybersecurity at SecurityGate.io who performs client consultation and assessments while maintaining and monitoring the platform’s hosting infrastructure.
