The Australian Energy Sector Cyber Security Framework (Framework) was developed through collaboration with industry and government stakeholders, including the Australian Energy Market Operator (AEMO), the Australian Cyber Security Centre (ACSC), the Critical Infrastructure Centre (CIC) and the Cyber Security Industry Working Group (CSIWG).

The Framework leverages existing industry standards including the US Department of Energy’s ES-C2M2 cyber security capability model and has been tailored for the Australian energy sector to align with local policy, such as the Australian Privacy Principles, the Notifiable Data Breaches scheme and the ACSC Essential Eight. Its purpose is to enable participants to assess, evaluate and improve their cyber security capability and maturity.

Huntsman Security’s solutions help organisations assess their alignment with the Framework by supporting the measurement of cyber security capability and maturity indicator level.

How does the AESCSF work?

The Framework has two key components, a criticality assessment and a cyber security capability and maturity self-assessment.

Criticality assessment

The criticality assessment determines the criticality of an entity relative to its peers. The primary objective of the tool is to rank all participating entities on a single scale for the purpose of reporting, benchmarking and determining the applicable target state maturity guidance from the ACSC. There are two versions of the tool, one for each of the electricity and gas sub-markets.

Each electricity market and gas market role has been assigned a criticality band on the scale. Key criticality indicators for each market role have been established to stratify participating entities within the role’s criticality bands. Participating entities are placed within applicable role criticality bands based on their responses to questions.

The three criticality levels in the Framework are aligned to Security Profiles (SPs), as shown in the table.

Criticality Levels and Security Profiles


Cyber security capability and maturity assessment

There are two components of the cyber security capability and maturity element of the Framework – Security Profiles (SPs) and Maturity Indication Levels (MILs).

Cyber security capability – Security Profiles (SPs)

The Framework has three SPs, defined by the ACSC and aligned to the three criticality levels. Each SP consists of a number of cyber security Practices and Anti-Patterns, spread across a set of Domains that map to MILs.

There are 11 Domains, each with an overriding security purpose. The Domains include 10 from the ES-C2M2 model plus the Australian Privacy Management Domain.

Framework Domains


There are 282 Practices and Anti-Patterns included in the Framework.

SPs cannot be applied independently to each Domain; in order to achieve an SP, entities must be performing all of the Practices, and not exhibiting any of the Anti-Patterns, within that SP and any preceding SPs, across all Domains. SPs are cumulative, i.e. SP-2 can only be achieved if SP-1 is also achieved.

Security Profiles and Practices

Maturity Assessment – Maturity Indicator Levels (MILs)

There are four MILs in the model, 0 through to 3. Unlike SPs, the MILs apply independently to each Domain, which means an entity could receive different MIL ratings for different Domains. The overall MIL achieved is the lowest MIL achieved across all Domains. The MILs are cumulative within each Domain; an entity must perform all of the Practices, and not exhibit any of the Anti-Patterns, in that MIL and any preceding MILs.
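As an added illustration (not part of the Framework or of Huntsman Security's tooling), the Python below encodes the scoring rules described above: SPs are cumulative across all Domains, MILs are cumulative within a Domain but independent between Domains, and the overall MIL is the lowest Domain MIL. The item names, Domains and responses are constructed samples, not the Framework's real 282 items.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    """One Practice or Anti-Pattern (constructed sample, not the real Framework list)."""
    name: str
    domain: str
    sp: int                 # Security Profile the item belongs to (1..3)
    mil: int                # Maturity Indicator Level the item maps to (1..3)
    anti_pattern: bool = False

# Constructed sample items across two Domains; the real Framework has 11 Domains.
ITEMS = [
    Item("RM-1a", "Risk Management", 1, 1),
    Item("RM-AP1", "Risk Management", 1, 1, anti_pattern=True),
    Item("RM-2a", "Risk Management", 2, 2),
    Item("RM-3a", "Risk Management", 3, 3),
    Item("SA-1a", "Situational Awareness", 1, 1),
    Item("SA-2a", "Situational Awareness", 2, 2),
    Item("SA-3a", "Situational Awareness", 3, 3),
]

# Constructed self-assessment responses: True = Practice performed / Anti-Pattern exhibited.
SAMPLE_RESPONSES = {"RM-1a": True, "RM-AP1": False, "RM-2a": True, "RM-3a": False,
                    "SA-1a": True, "SA-2a": True, "SA-3a": True}

def item_ok(item, responses):
    """A Practice must be performed; an Anti-Pattern must NOT be exhibited."""
    observed = responses.get(item.name, False)
    return (not observed) if item.anti_pattern else observed

def _cumulative_level(candidates, responses, key, max_level=3):
    """Highest level n such that every item at levels 1..n is satisfied (cumulative)."""
    level = 0
    for n in range(1, max_level + 1):
        if all(item_ok(i, responses) for i in candidates if key(i) == n):
            level = n
        else:
            break            # a failure at level n blocks every higher level
    return level

def achieved_sp(items, responses):
    """SPs apply across ALL Domains at once, so the candidate set is every item."""
    return _cumulative_level(items, responses, key=lambda i: i.sp)

def domain_mils(items, responses):
    """MILs are rated per Domain, so each Domain is scored on its own items only."""
    domains = sorted({i.domain for i in items})
    return {d: _cumulative_level([i for i in items if i.domain == d], responses,
                                 key=lambda i: i.mil) for d in domains}

def overall_mil(items, responses):
    """The overall MIL is the lowest MIL achieved across all Domains."""
    return min(domain_mils(items, responses).values())
```

With the sample responses the entity reaches SP-2 overall but only MIL 2, because Risk Management misses its MIL 3 Practice; exhibiting the single Anti-Pattern RM-AP1 drops both the SP and the overall MIL to 0.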

How the cyber security capability and maturity self-assessment works

The cyber security capability and maturity self-assessment has two versions:

  • a Full self-assessment, and
  • a Lite self-assessment.

A Full self-assessment covers all 282 Practices and Anti-Patterns. A Lite self-assessment consists of 29 multi-select questions. The scope of the Lite self-assessment is focused on Target State maturity guidance for Low criticality entities, whereas the Full self-assessment is designed for Medium and High criticality entities.

Is the AESCSF mandatory?

The Framework is not mandatory for Australian energy sector participants. However, the cyber resilience of the sector has come under increasing scrutiny due to the rise in the number of sophisticated cyber-attacks against critical infrastructure around the world.

“Securing Australia’s critical infrastructure, and systems that control our essential services, is a major priority for the Australian Cyber Security Centre and our partners in the sector,” said ACSC Head Abigail Bradshaw CSC.

Further, recent amendments to the Security of Critical Infrastructure Act 2018 impose positive security obligations on critical infrastructure organisations.

How Huntsman Security supports the AESCSF

Huntsman Security’s technology supports 10 of the 11 domains detailed in the Framework.

Huntsman Security’s coverage of AESCSF Domains

Key areas of capability sit within the following Domains:

Risk Management

  • Continuously measures and audits control configuration, effectiveness and operation
  • Performance metrics are mapped against Essential Eight framework maturity levels
  • A live dashboard displays compliance and risk against the Essential Eight controls, along with real-time alerting of non-compliance
  • Automatically generated and distributed reports to all stakeholders

Situational Awareness

  • Perform logging
  • Perform monitoring
  • Establish and maintain a common operating picture
  • Management activities

Event and Incident Response, Continuity of Operations

  • Detect cyber security events
  • Escalate cyber security events and declare incidents
  • Respond to incidents and escalated cyber security events
  • Plan for continuity
  • Management activities

Find out more

If you would like more information regarding Huntsman Security’s support for AESCSF assessment, please send us a message via the button below.
