Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
The Australian Energy Sector Cyber Security Framework (Framework) was developed through collaboration with industry and government stakeholders, including the Australian Energy Market Operator (AEMO), Australian Cyber Security Centre (ACSC), Critical Infrastructure Centre (CIC) and the Cyber Security Industry Working Group (CSIWG).
The Framework leverages existing industry standards including the US Department of Energy’s ES-C2M2 cyber security capability model and has been tailored for the Australian energy sector to align with local policy, such as the Australian Privacy Principles, the Notifiable Data Breaches scheme and the ACSC Essential Eight. Its purpose is to enable participants to assess, evaluate and improve their cyber security capability and maturity.
Huntsman Security’s solutions help organisations assess their alignment with the Framework by supporting the measurement of cyber security capability and maturity indicator level.
The Framework has two key components, a criticality assessment and a cyber security capability and maturity self-assessment.
The criticality assessment determines the criticality of an entity, relative to its peers. The primary objective of the tool is to rank all participating entities on a single scale for the purpose of reporting, benchmarking and determining the applicable target state maturity guidance from the ACSC. There are two versions of the tool, one for each of the electricity and gas sub-market.
Each electricity market and gas market role has been assigned a criticality band on the scale. Key criticality indicators for each market role have been established to stratify participating entities within the role’s criticality bands. Participating entities are placed within applicable role criticality bands based on their responses to questions.
The three criticality levels in the Framework are aligned to Security Profiles (SPs), as shown in the table.
There are two components of the cyber security capability and maturity element of the Framework – Security Profiles (SPs) and Maturity Indication Levels (MILs).
Defined by the ACSC, the Framework has three SPs, aligned to the three criticality levels. Each SP consists of a number of cyber security Practices and Anti-Patterns, spread across a set of Domains that map to MILs.
There are 11 Domains, each with an overriding security purpose. The Domains include 10 from the ES-C2M2 model plus the Australian Privacy Management Domain.
There are 282 Practices and Anti-Patterns included in the Framework.
SPs cannot be applied independently to each Domain; in order to achieve an SP, entities must be performing all of the Practices, and not exhibiting any of the Anti-Patterns within that SP, and any preceding SPs, across all Domains. SPs are cumulative i.e. SP-2 can only be achieved if SP-1 is also achieved.
There are four MILs in the model, 0 through to 3. Unlike SPs, the MILs apply independently to each Domain, which means an entity could receive different MIL ratings for different Domains. The overall MIL achieved is the lowest MIL achieved across all Domains. The MILs are cumulative within each Domain; an entity must perform all of the Practices, and not exhibit any of the Anti-Patterns, in that MIL and any preceding MILs.
The cyber security capability and maturity self-assessment has two versions:
A Full self-assessment covers all 282 Practices and Anti-Patterns. A Lite self-assessment consists of 29 multi-select questions. The scope of the Lite self-assessment is focused on Target State maturity guidance for Low criticality entities, whereas the Full self-assessment is designed for Medium and High criticality entities.
The Framework is not mandatory for Australian energy sector participants. However, the cyber resilience of the sector has come under increasing scrutiny due to the rise in number of sophisticated cyber-attacks against critical infrastructure around the world.
“Securing Australia’s critical infrastructure, and systems that control our essential services, is a major priority for the Australian Cyber Security Centre and our partners in the sector,” said ACSC Head Abigail Bradshaw CSC.
Further, recent amendments to the Security of Critical Infrastructure Act 2018 impose positive security obligations on critical infrastructure organisations.
Huntsman Security’s technology supports 10 of the 11 domains detailed in the Framework.
Key areas of capability sit within the following Domains:
Event and Incident Response, Continuity of Operations
If you would like more information regarding Huntsman Security’s support for AESCSF assessment, please send us a message via the button below.
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.