Developing capabilities to detect, assess, and respond to threats by implementing tools, procedures, and practices to tackle cyber threats and vulnerabilities.
A structured plan on building, utilising, and maintaining a risk management program to identify, analyse, and mitigate cyber security risks.
Monitor and control hardware and software assets across the IT and OT infrastructure, including tracking configurations and change management.
Manage the creation, authorisation, authentication, and control of identities for logical and physical access to assets, aligned with organisational risk objectives.
Establish means to collect, analyse, alert on, consolidate, and correlate operational and cyber security data to form a common operating picture.
Here are the most frequently asked questions about the Australian Energy Sector Cyber Security Framework (AESCSF).
The Australian Energy Sector Cyber Security Framework (AESCSF) Version 1 (V1) provides a foundational baseline for implementing a risk management program for a Critical Infrastructure (CI) Asset. In 2022, Version 2 (V2) was developed with additional practices and adjusted domains for a more comprehensive assessment, incorporating the enhancements made in the U.S.-based C2M2 V2. In AESCSF V2, the ‘Information Sharing and Communications’ domain was merged into the other domains and a new ‘Cyber Security Architecture’ domain was added.
With the Version 1 domains renamed and restructured to align more closely with globally recognised frameworks such as NIST and ISO 27001, Version 2 provides stronger guidance on the controls and policies that must be implemented to secure your asset.
| Version 1 | Version 2 |
| --- | --- |
| 282 Total Practices (88 at SP-1) | 354 Total Practices (123 at SP-1) |
| 11 Total Domains | 11 Total Domains |
| MIL-1 to MIL-3 | MIL-1 to MIL-3 |
The SOCI Act is government legislation that mandates CI asset owners and operators to implement a Critical Infrastructure Risk Management Program (CIRMP) aligned with one of five Risk Management Frameworks. The AESCSF is one of these frameworks, approved as the Australian industry-specific guideline for compliance under the broader obligations of the SOCI Act.
The AESCSF was developed to protect critical infrastructure in Australia, providing cyber security recommendations and defining practices for managing risk and implementing security protocols. It is based on the Cybersecurity Capability Maturity Model (C2M2) developed by the U.S. Department of Energy (DOE), closely aligned to the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), with additional material exclusive to the AESCSF, tailoring it to the Australian Energy Sector (AES).
The AESCSF serves as a sector-specific guideline and methodology for cyber security maturity assessment. It was developed collaboratively by industry, government, and peak body stakeholders, with the aim of setting benchmarks and enhancing cyber security maturity across Australia's critical sectors, especially electricity, gas, and fuels.
The framework encourages organisations to achieve higher Security Profiles (SP) and to address challenges by also detecting bad practices, called “anti-patterns”: activities that introduce vulnerabilities and exposure to risk. The anti-patterns were largely adopted by the ACSC from the UK-based National Cyber Security Centre (NCSC).
The AESCSF enables Australian organisations and third-party associations in the power and energy sector, and the nation more broadly, to build, develop, improve, and sustain cyber security capabilities and maturity.
There are three levels of maturity in the AESCSF, referred to as Security Profiles (SP-1, SP-2 and SP-3).
While the SOCI Act mandates alignment with at least SP-1 of the AESCSF, it is up to the organisation, based on its assessment, maturity stage, risk appetite, and business objectives, to determine the feasibility of practising SP-2 or SP-3.
The AESCSF was created by AEMO for use in the context of all energy and power sector participants in Australia. However, since the AESCSF is largely based on the C2M2 framework, it is applicable across all CI asset types.
