What is AESCSF v2 Update and what does it mean for cyber security in Energy?

The Australian Energy Market Operator (AEMO) has released a major update to its Australian Energy Sector Cyber Security Framework (AESCSF) that is focused on improving cyber security in Operational Technology (OT) and Industrial Control Systems (ICS).

Released on October 10, 2023, the Australian Energy Sector Cyber Security Framework Version 2 (AESCSF v2) includes 354 practices and anti-patterns that organisations are encouraged to adopt as part of their risk management program within the Security of Critical Infrastructure (SOCI) Act.

The growing risk of cyber-attacks in Australia’s energy sector is an increasing concern for organisations responsible for critical infrastructure – and adopting a robust risk management plan is compulsory for the 11 sectors under the SOCI Act.

In this blog, we’ll explain what the AESCSF is, everything you need to know about AESCSF v2, and what it means for organisations under the SOCI Act.

What is the AESCSF?

Developed in 2018 through collaboration by industry and government stakeholders – including the Australian Energy Market Operator (AEMO), Department of Industry, Science, Energy and Resources (DISER), Australian Cyber Security Centre (ACSC), and The Department of Home Affairs (DHA) – the Australian Energy Sector Cyber Security Framework (AESCSF) program provides a tool for assessing cyber security maturity across Australia’s energy sector.

The AESCSF is a cyber security framework developed and tailored to the Australian energy sector which enables Participants to assess, evaluate, prioritise, and improve their cyber security capability and maturity.

The AESCSF Framework Structure has two key components, a criticality assessment and a cyber security capability and maturity self-assessment:

  1. The Criticality Assessment Tool

The Criticality Assessment Tool (CAT) can be used to determine the criticality of your organisation relative to your peers, with a separate version available for the electricity, gas and liquid fuels sub‐sectors respectively.

  1. Self-Assessment

The self-assessment component is to evaluate your current cyber security capability and maturity and is designed to be relevant to all participants, regardless of your market sub‐sector. The tool is available in two versions, depending on your critical infrastructure and associated obligations.

Minor changes to the framework have occurred over time, including adding industry sectors such as gas markets and the liquid fuel sector to enhance uplift and support consistency across the energy sector. However, on October 10, 2023 – the first major update was released: The Australian Energy Sector Cyber Security Framework Version 2 (AESCSF v2).

More information about the AESCSF can be found in AEMO’s AESCSF framework and resources.

AESCSF v2 – Everything you need to know

AESCSF v2 is a newly released update to the original AESCSF that places more emphasis on operational technology (OT), securing supply chains, and integrating more relevancy to the SOCI Act, among other changes.

AESCSF v2 harnesses existing international industry standards such as the Electricity Subsector Cybersecurity Capability Maturity Model (C2M2) and National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF), and places it in the context of the Australian energy sector and its existing policies and guidelines in addition to Australian legislation, including the privacy act.

In line with advancements in digitalisation and IT-OT connectivity across the sector, there are significant changes surrounding OT and cyber networks – including more segmented cyber networks that enable the isolation of cyber incidents and a move toward restricting access to a need-to-know basis.

While the complete list of changes can be found on the AEMO’s Summary of Changes, here are three key updates:

  1. Addition of a cyber security architecture domain focused on planning, designing, and managing the cyber security control environment.
  2. Refresh of the Dependencies domain now called the Third-Party Risk Management domain, to ensure the model effectively addresses third-party IT and OT cyber security risks, like sensitive data in the cloud and vendors with privileged access, as well as build supply chain security into organisation culture.
  3. Significant updates to the Risk Management domain to incorporate leading risk management practices and enhance coordination between cyber and enterprise risk management.

What industries are affected and what about my SOCI Act obligations?

The AESCSF v2 is relevant and applicable to any organisation in the Australian energy sector that owns and utilises critical infrastructure under the risk management program of the SOCI Act across the following industries:

  • Electricity, gas, and liquid fuels sub‐sectors, and,
  • Non-Australian Energy Market Operator (AEMO) electricity grids and markets.

Although the AESCSF was developed with the energy sector in mind, the recent amendment ensures that the framework can be used by all 11 sectors identified under the SOCI Act. You can adopt this new framework as part of your risk management program effective immediately. Helpful guidelines to better understand AESCSF v2 in more detail – including a quick reference guide – are available via the AEMO’s Framework and Resources page.

Unsure about your SOCI Act obligations? Here are three tips to achieve cyber security compliance when navigating the SOCI Act.


Unsure of your cyber security obligations or need support?

Protecting Australia’s energy sector from cyber threats is of national importance. The risks facing critical infrastructure are constantly evolving, and as such, cyber resilience must extend across all critical assets – including both IT and OT.

While it can be difficult to stay on top of reporting obligations, it is imperative to remain cyber-resilient to ensure Australia’s energy sector maintains secure and reliable energy supplies to support economic stability and national security.

SAGE Group is a 100% sovereign Australian company that has delivered digitisation and automation solutions across operational technology assets within critical infrastructure for more than 30 years. Our expertise in OT and digital transformation ensures we are well-placed to integrate cyber security solutions across the energy industry, and any organisation with critical OT assets.

To learn more about SAGE Group’s cyber security solutions, AESCSF v2 or the SOCI Act – get in touch with our Cyber Team.

Latest news

Get the latest industry news, insights and case studies from SAGE