Australian Energy Sector Cyber Security Framework Version 2
The Australian Energy Sector Cyber Security Framework is being refreshed to better protect the mission critical functions of energy operators throughout Australia. Prepare for the changes coming up in June 2023 with this quick-read summary of what to expect in AESCSFv2 and why.
The upcoming refresh for the Australian Energy Sector Cyber Security Framework (AESCSF) in June 2023 will introduce a number of readjustments and changes to make this maturity framework even more relevant to the energy sector.
One of the changes to the AESCSF is a shift in focus to the core function of the energy operator. This is a welcome change from the previous version, where confusion between business-critical ICT systems and mission-critical operational technology (OT) systems may have led some operators down the wrong path, expending effort and controls that did not directly improve the maturity of the function itself.
What’s changing specifically?
Fundamentally, the AESCSF practices are being redefined so that cyber security becomes a whole-of-business consideration rather than the concern of a dedicated cyber function.
Consistent with that intent, there are some significant variations in the way the practices have been written. Previously referenced terms that remained undefined, and so caused confusion, have now been removed.
Broader changes to domains such as architecture have also been made. Governance, Compliance and Risk aspects are now aligned within enterprise architecture and include aspects such as consolidating requirements for network segmentation.
In terms of Governance goals, the establishment of a program for architecture is a key addition. The focus on network protections as an element of cybersecurity architecture will lead implementers towards IEC 62443 as guidance on how to achieve this.
Asset Management aspects relating to Asset Security also come into play, where understanding your asset landscape as part of the architecture is a key takeaway. The focus on asset inventory provides the first step in understanding which assets are potential targets and could be used as an attack vector.
The development of secure software within the architecture domain also plays a part. Secure software architecture heads off poor development practices at the design stage and seeks to mitigate them at the earliest stages of system development. This is augmented by data security goals for encryption in transit and at rest, and the associated data loss prevention controls required as part of managing information.
Finally, information asset data governance strategies are now being combined with the Data Security domain to enforce core aspects, such as classification, labelling, and handling.
Why is the focus on the function so important?
Cyber security is generally a shared responsibility within organisations. Many energy operators rely on shared resourcing, and there is a school of thought that controls can be homogeneous across operating environments.
There are situations where this is valid and others where it is not recommended. The interconnected nature of SaaS, cloud, and business systems remains a key threat vector to operational technologies and control systems. When the two domains are interconnected, they can introduce risks to the core control function of the energy operator.
The key phrase in AESCSF v2 is “within the function”. As an example, a large-scale energy distributor’s ‘function’ is the distribution of energy. Applying that to where controls should be applied “within the function” requires a focus on the implementation of these controls throughout the Distribution Management System and associated technologies.
Many controls that are situated within the ICT or business system environment may also be able to provide the same protection within the OT environment. This should not come at the cost of abandoning strategies where isolation and dedicated controls have been deemed the most appropriate control.
This phrase fundamentally changes the paradigm. In AESCSF v1, the controls and compliance could be more generic, with a consolidated OT/IT response provided. Now, to audit against this framework, the controls must be applied within the function. This has the potential to reduce many energy operators’ maturity levels substantially once AESCSF v2 assessment occurs, as controls applied outside of the core function will no longer be applicable.
Where to from here?
These changes are a welcome refocusing of the goals of AESCSF in terms of protecting the mission critical functions of energy operators throughout Australia.
The refocusing and broadening of the framework, and its continual refinement, is testament to the work AEMO is doing in this space and shows great leadership within the critical infrastructure sector, tying in nicely with the Security of Critical Infrastructure Act energy sector specific rules.
Anchoram Consulting assists energy sector clients with interpreting and assessing themselves against many industry frameworks, including IEC 62443, AESCSF, and others, providing a holistic approach and enabling organisations not only to protect mission critical systems but also to ensure compliance and meaningful communication to senior leadership.