The Australian Energy Sector Cybersecurity Framework AESCSF Version 2 (aka AESCSF v2) is set to release in June 2023. This article gives you a quick overview of what’s new in AESCSF Version 2 and what it might mean to your critical infrastructure company. With only a short time to wait, let’s take a sneak peek at the most significant changes and consider what they mean for your company’s cyber-security program so you can get a head start.
How to get a ‘sneak preview’ of AESCSF version 2
Before we jump into the details, you may be asking yourself, “where can I get a copy of AESCSF version 2?”. While you might find it difficult to find an advance copy, recall from this previous article that AESCSF is basically NIST C2M2 with a few tweaks. By using NIST C2M2 v2.1 (and I can spoil the fact that the AESCSF PRIVACY domain remains largely unchanged), you will be able to jump right in and have a look at what’s heading your way.
Here’s a numerical breakdown of the changes:
| AESCSF | V1 | V2 |
|---|---|---|
| Practices | 282 | 354 |
| MIL1 | 57 | 62 |
| MIL2 | 121 | 180 |
| MIL3 | 104 | 112 |
| SP1 | 88 | 123 |
| SP2 | 112 | 152 |
| SP3 | 82 | 79 |
| Unchanged | 140 | |
| Similar Intent | 53 | |
| Variation to Intent | 97 | |
| New | 64¹ | |
¹ Note that since some practices have disappeared while others have split into two or more, this number does not directly compare to the difference between the v2 and v1 practice totals (i.e. from row 1: 354 − 282 = 72 ≠ 64).
Notable changes
Here’s a quick summary of what’s changing at a high level:
The main message I am receiving from this new version is that cyber security is an enterprise business concern, not just something for the cyber team to worry about.
Variations to some existing practices in wording and/or intent
After significant feedback, wording and guidance have changed to help reduce misinterpretation of intention, so we should start seeing more consistent responses. For example, the term “Common Operating Picture (COP)” is eliminated. This one was annoying for many, as there were no reference examples of what it means to satisfy that requirement.
A new architecture domain
In v1, the term “architecture” really only referred to network segmentation. This new domain seeks to align with enterprise architecture, which includes consideration for governance, compliance and risk. Network segmentation practices from the former CPM domain are now parked here as well. Data security is now a thing. There are enough changes here to warrant a deep dive, but here are the five objectives for this domain:
- Establish and Maintain Cybersecurity Architecture Strategy and Program (note this is where your IEC 62443 and TOGAF/SABSA kung fu can shine)
- Implement Network Protections as an Element of the Cybersecurity Architecture (IEC 62443-3-2, anyone?)
- Implement IT and OT Asset Security as an Element of the Cybersecurity Architecture
- Implement Software Security as an Element of the Cybersecurity Architecture
- Implement Data Security as an Element of the Cybersecurity Architecture (think crypto, DLP, etc.)
Information Assets
Specific objectives for information assets are called out. The previous version’s conversation was more “IT vs. OT”. This is a nice upgrade and will highlight the need for enterprise data governance. Combined with ARCHITECTURE objective 5, Data Security, this means you’ll need to be on your toes with fully implementing your Information Classification, Labelling and Handling Policy (meaning education, awareness, training, processes, tools, etc.) if you haven’t already.
Do I need to comply with AESCSF version 2?
Considering that the Security of Critical Infrastructure Rules (Australia) have only just been updated this year and require critical infrastructure organisations that have chosen AESCSF for reporting their cyber security maturity to: “Meet Security Profile 1 as indicated in…the 2020‑21 (i.e. Version 1, not Version 2) AESCSF Framework Core published by Australian Energy Market Operator Limited”, the short answer is: not yet from a compliance perspective, but the rumour is that you will be assessing against the new version once it’s released and reporting will reflect both versions. Yet, be warned: AESCSF version 2 will eventually completely supersede version 1, and considering the significant number of new or modified practices combined with the cultural need to break out of a silo mentality, it’s best to get ahead of the curve by adapting your cyber security strategy accordingly now.