Australian Energy Sector Cyber Security Framework (AESCSF) v1.1 Unmasked

What's really hiding behind the mask of the Australian Energy Sector Cyber Security Framework (AESCSF)

This article aims to clarify what’s going on under the hood of the Australian Energy Sector Cyber Security Framework (AESCSF) so you can better understand its benefits and limitations.

A brief history

In response to ever-growing concerns around cyber-attacks on critical infrastructure, the Australian Energy Market Operator (AEMO) released the Australian Energy Sector Cyber Security Framework (AESCSF) in 2019. At the time, there were credible hints that this “cyber security framework” would become the de-facto tool for reporting on, and reaching, mandatory target Maturity Indicator Levels (MILs) based on the corresponding tier rating for the given energy company.

Company boards became very concerned with reaching their target MILs, and programs of work were hastily funded and initiated to address low maturity levels in time for the next regulatory period. Without a clear understanding of what AESCSF (I pronounce it “ā-siph”) is and isn’t, a mad charge into “security for the sake of compliance” began.

What is AESCSF (the official line)?

From AEMO’s website: “The AESCSF unabashedly plagiarises leverages recognised industry frameworks such as the US Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) and the National Institute of Standards and Technology Cyber Security Framework (NIST CSF), and references global best-practice control standards (e.g. ISO/IEC 27001, NIST SP 800-53, COBIT, etc.). The AESCSF also incorporates Australian-specific control references, such as the ACSC Essential 8 Strategies to Mitigate Cyber Security Incidents, the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.”

What is AESCSF from an ISO 27001 (or IEC 62443) perspective?

ISO 27001’s hamster wheel of continual improvement is a good fit. See Mandatory Clause 10.2 – Continual Improvement: “The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system”.

You could go into further detail here and say that 9.1 – Monitoring, measurement, analysis and evaluation is also a good match: “The organisation shall evaluate the information security performance and effectiveness of the information security management system”. I would say that 10.2 is achieved through 9.1 (and other means).

Misleading description to the uninitiated? What is it really?

At first glance, it appears to be an all-in-one cyber-security framework that has a little bit of everything in it: ISO 27001, NIST SP 800-53, COBIT, ACSC Essential 8, etc. Taken at face value, I would probably think all I needed to do for my cyber program is roll out AESCSF, turn the key and sit in a comfy chair. However, when delving into the details, it becomes clear that this is not a cyber-security framework at all! What is it really, then?

Unmasking

It’s simply the U.S. Department of Energy’s Energy Sector Cybersecurity Capability Maturity Model (C2M2), customised for the Australian energy sector, with a few notable (and questionable) changes:

  1. An additional domain for Australian Privacy Management. This is too much detail for a maturity model. Privacy (and other) compliance requirements are already captured when properly rolling out a real cyber-security framework such as ISO 27001, IEC 62443, NIST CSF, etc.
  2. Management practices were removed from each domain. Because none of the management practices were included, companies focusing solely on AESCSF maturity are finding that their new “framework” is not integrating into the business as successfully as they had anticipated.

And we would have gotten away with it, too, if it weren’t for those meddling cyber-security nerds.

My advice to AEMO et al.: don’t try to re-invent the wheel. Just use the US DoE’s C2M2. If you insist on continuing, at least rename it to AESC2M2 to avoid confusion. And for those of you who haven’t started down the path of AESCSF, I encourage you to look at SoCIA for, ahem, other options. If you are using AESCSF, just remember that you still need ISO 27001, IEC 62443, NIST CSF or another recognised cyber-security management framework; you can use AESCSF to measure ‘continual improvement’ and maturity when planning your strategy.

Source: https://www.cisc.gov.au/Documents/critical-infrastructure-town-hall-all-sectors-slide-deck-25112021.pdf

Why (and how) you should use AESCSF anyway

Now that the Department of Home Affairs (D’ohHa) has made it pretty clear that you aren’t mandated to use AESCSF, and we have (hopefully) established why C2M2 is mostly better, there is still a good reason to continue using AESCSF: information sharing. By participating in the self-assessments, we are able to share with, and learn from, our peers what our maturity levels are. That is a question the board will often ask: “how are our peers doing?”.

You can still use C2M2 as your primary maturity measuring stick (i.e. add back those management practices that AESCSF stripped out) and be in a good position to share your organisation’s MILs. C2M2/AESCSF play nicely within ISO 27001, IEC 62443 or any other recognised framework.

Ryan Turan