Skip to content

Tips for Australian energy sector cyber security framework compliance

Andrew Robinson |

February 14, 2020
Tips for Australian energy sector cyber security framework compliance



We’re buzzing…all the time.

I write this piece in the comfort of an air-conditioned building serviced by a lift (although I use the stairs) and a whole series of comforting amenities like a coffee machine (thanks YBF Ventures!), hot water (afternoon tea), chilled water (for in between coffee and tea), fridge (I don’t use it) and a dishwasher (I should use it more).

Not to mention card access control system, lighting and a reliable supply of pure electric juice for various digital devices…  What would I do without them? What would you do without yours? How would your business be disrupted if you had no electricity?

These electrons drift into your business at about the speed of spreading honey. Yet the signal flowing through the waves has your business moving toward the speed of light. Incredibly impressive. Yet incredibly vulnerable.



How vulnerable?

There is a whole complex chain of generation and distribution infrastructure that makes up the electricity grid and attacks on notoriously brittle electricity grids around the world (e.g. United States, Ukraine) have caused a level of fear and anxiety for operators (rightly so too!) that they may not be in control. Beyond disruption, the greatest risk of losing control in the energy sector is not denial of access to comforting amenities described above but… safety.

If interference results from a deliberate cyber-attack or incidental malware infection, then there’s the potential for real world impacts. In such cases, physical overrides and safety measures should cut in… at least in theory…


Cool, now watt?…

This is why in 2018, the Australian energy sector regulator, Australian Energy Market Operator (AEMO), released the Australian Energy Security Cyber Security Framework (AESCSF) in cooperation with industry and government partners.

The AESCSF is unique, in that it is not very closely aligned with (although may have been informed by) the industry standard for information security (ISO/IEC 27001), the Australian Government Information Security Manual (ISM) or the US NIST Cyber Security Framework.

It is in fact based on the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2).


The AESCSF focuses, as it should, on the unique needs of the energy sector, including the use of Operational Technology (OT), which manages physical processes. It also includes ‘Anti-Patterns’, which seek to identify and weed out bad practices that can creep in and undermine security efforts if not kept under control or rather altogether avoided.

Assessment and reporting by energy sector operators against the requirements of the AESCSF is expected annually. Although reporting is not yet mandatory, this is expected to be changed imminently.


Gimme some good news…

Can do! The good news is that relevant subset of requirements within the AESCSF is determined by completing a Criticality Assessment and choosing your intended maturity level.

So, if you haven’t already begun your AESCSF journey, then you better start there! If you have already performed an assessment against the AESCSF, good job, we expect you’re busy working on improving your maturity.

Keep on ‘keeping on’ because our access to comforting amenities, and our safety, are in your hands.


Need some expert assistance?

With 6clicks, you can quickly and easily perform assessments of compliance against the AESCSF internally, or of third parties. Assessment can be conducted by your own organisation or by working collaboratively with any number of service providers (consultancies) that now choose to leverage 6clicks to perform assessments.

Use of a service provider can help bring independence, expert opinion and credibility to your assessment of compliance.

Our platform can also help you: 

  • Implement the requirements of the AESCSF
  • Record your information assets and classifications, as well as risks and treatment plans
  • Report the progress of control implementation and security incidents and issues including assessment results

The combined assessment and management system functionality will help you continually improve over time.

BONUS: You can also easily translate between the AESCSF and other frameworks such as ISO/IEC 27001!


The best time to start is now! Book a demo with our team at a time that suits you.

Book your demo

Related useful resources


Andrew Robinson

Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.