The Australian Energy Sector Cyber Security Framework (AESCSF) has become the cornerstone of cyber security governance for energy sector organisations across the country. Developed collaboratively by the Australian Energy Market Operator (AEMO), the Australian Cyber Security Centre (ACSC), and industry stakeholders, the framework provides a structured approach to managing cyber security risk tailored to the unique challenges facing electricity and gas networks. AESCSF is built upon the US Department of Energy's Cybersecurity Capability Maturity Model (C2M2), bringing a proven maturity-based approach to the Australian energy sector context. Understanding this C2M2 foundation is essential for effective implementation. In our experience working with energy sector organisations, those that succeed with AESCSF are those that treat it not as a checkbox exercise, but as a genuine tool for understanding and improving their security posture. This guide provides practical guidance for navigating AESCSF requirements and building a sustainable compliance program that delivers real security value.
Understanding the AESCSF Structure
AESCSF is built upon the Cybersecurity Capability Maturity Model (C2M2), developed by the US Department of Energy specifically for the energy sector. This heritage means AESCSF organises security capabilities across ten domains, each containing practices that organisations implement at increasing maturity levels.
The ten C2M2-derived domains are:
Asset, Change, and Configuration Management (ASSET) - Managing the organisation's IT and OT assets, including hardware, software, and information, throughout their lifecycle.
Threat and Vulnerability Management (THREAT) - Establishing and maintaining plans, procedures, and technologies to detect, identify, analyse, manage, and respond to cyber security threats and vulnerabilities.
Risk Management (RISK) - Establishing, operating, and maintaining an enterprise cyber security risk management program.
Identity and Access Management (ACCESS) - Creating and managing identities for entities that may be granted logical or physical access to assets, and managing access rights.
Situational Awareness (SITUATION) - Establishing and maintaining activities to collect, analyse, alarm, present, and use operational and cyber security information.
Event and Incident Response, Continuity of Operations (RESPONSE) - Establishing and maintaining plans, procedures, and technologies to detect, analyse, mitigate, respond to, and recover from cyber security events and incidents.
Third-Party Risk Management (THIRD-PARTIES) - Establishing and maintaining controls to manage cyber security risks associated with services and assets that are dependent on external entities.
Workforce Management (WORKFORCE) - Establishing and maintaining plans, procedures, and technologies to create a culture of cyber security and ensure ongoing suitability and competence of personnel.
Cybersecurity Architecture (ARCHITECTURE) - Establishing and maintaining the structure and behaviour of the organisation's cyber security architecture.
Cybersecurity Program Management (PROGRAM) - Establishing and maintaining an enterprise cyber security program that provides governance, strategic planning, and sponsorship.
Within each domain, practices are assessed against Maturity Indicator Levels (MILs) from 0 to 3, where MIL 0 represents ad-hoc or non-existent practices and MIL 3 represents optimised, continuously improving capabilities. This maturity-based approach acknowledges that security improvement is a journey, and allows organisations to demonstrate progress over time.
Mapping AESCSF to Other Frameworks
One of the most common challenges organisations face is reconciling AESCSF requirements with other frameworks they may already be implementing. Understanding AESCSF's C2M2 foundation helps clarify these relationships.
NIST CSF Crosswalks: While AESCSF is based on C2M2, AEMO provides crosswalks to NIST CSF for organisations that need to demonstrate alignment to both. The NIST CSF functions (Identify, Protect, Detect, Respond, Recover) map across multiple AESCSF domains - for example, NIST's 'Identify' function maps to elements of ASSET, RISK, and PROGRAM domains. These crosswalks are useful for reporting but shouldn't be confused with the underlying structure.
ISM Alignment: The framework provides explicit mappings to the Information Security Manual, allowing organisations to demonstrate how AESCSF practices satisfy government security requirements. This is particularly relevant for government-owned energy entities.
ISO 27001: For organisations pursuing ISO 27001 certification, the control objectives align reasonably well, though the maturity model approach of AESCSF differs fundamentally from ISO's compliance-based assessment. AESCSF asks 'how mature are your capabilities?' while ISO 27001 asks 'have you implemented required controls?'
In practice, building a control mapping matrix that shows how practices satisfy multiple framework requirements reduces duplication of effort. The key is establishing AESCSF as the primary framework for energy sector organisations and mapping secondary frameworks to it, rather than maintaining parallel compliance programs.
Common Compliance Gaps
After conducting numerous AESCSF assessments across energy sector organisations, several common gaps consistently emerge across the C2M2 domains.
ASSET Domain: Asset inventory and management represents a fundamental challenge. Organisations often have reasonable visibility of IT assets but struggle to maintain accurate, current inventories of OT assets, particularly at remote sites. Without knowing what assets exist and their criticality, practices in other domains lack a solid foundation.
THIRD-PARTIES Domain: Third-party risk management is consistently underperformed. The energy sector relies heavily on vendors for system integration, maintenance, and support, yet formal processes for assessing and monitoring vendor security practices are often immature. AESCSF expects organisations to evaluate third-party security posture and maintain contractual provisions supporting security requirements.
RESPONSE Domain: Incident response capabilities specifically tailored for OT environments present challenges. Many organisations have mature IT incident response processes that don't account for OT constraints - the need to maintain safety, limited ability to patch or isolate systems, and specialised knowledge required for OT-specific threats. Building OT incident response capability requires close collaboration between IT security and operational personnel.
SITUATION Domain: Achieving situational awareness across converged IT/OT environments is difficult. Many organisations lack integrated visibility, with separate monitoring for IT and OT that doesn't provide a unified operational picture.
WORKFORCE Domain: Cyber security training and awareness programs often focus on IT environments, leaving OT personnel without role-specific guidance on security practices relevant to their operational context.
Building a Compliance Roadmap
Effective AESCSF compliance requires a structured, multi-year roadmap that balances quick wins with foundational improvements across the C2M2 domains.
The first step is conducting a thorough current-state assessment against AESCSF maturity levels, ideally with external validation to ensure objectivity. This assessment should involve both IT and OT stakeholders and should be honest about current capabilities - underreporting gaps only delays necessary improvements.
From the assessment, prioritise remediation activities based on risk reduction value and dependencies. Foundational capabilities in the ASSET and ARCHITECTURE domains often need to be addressed before practices in other domains can be effective. You can't implement effective access controls (ACCESS domain) without knowing what assets need protection.
Quick wins that demonstrate progress help maintain momentum and stakeholder support. Common quick wins include:
- Implementing MFA for remote access (ACCESS domain)
- Improving vulnerability scanning coverage (THREAT domain)
- Documenting incident response procedures (RESPONSE domain)
- Conducting tabletop exercises (RESPONSE domain)
The roadmap should align with CIRMP reporting cycles and board reporting requirements. Budget planning should anticipate multi-year investment, as achieving MIL 2 or MIL 3 across domains requires sustained effort rather than one-time projects.
Finally, build continuous improvement into the program from the start. AESCSF's maturity model is designed to support ongoing improvement - organisations should plan for regular reassessment and roadmap refinement.
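As an added worked example (not an AEMO or AESCSF artefact), the following Python script encodes the roadmap logic above in a deliberately simplified model: each of the ten domains gets a single assessed MIL and a single target MIL, ASSET and ARCHITECTURE are treated as the foundations every other domain rests on, and the sample assessment values are constructed for illustration. It lists the gaps, orders remediation so the foundations come first and larger gaps follow, and flags any domain rated above the foundation domains, which in a current-state assessment is a sign the self-rating may be optimistic.

```python
"""Gap analysis for an AESCSF current-state assessment.

Added illustrative example, not an AEMO tool. Simplifications assumed here:
one assessed MIL per domain (real assessments score individual practices),
and ASSET and ARCHITECTURE treated as the foundations of every other domain.
"""
from dataclasses import dataclass

# The ten C2M2-derived domain codes, in the order the framework lists them.
DOMAINS = (
    "ASSET", "THREAT", "RISK", "ACCESS", "SITUATION",
    "RESPONSE", "THIRD-PARTIES", "WORKFORCE", "ARCHITECTURE", "PROGRAM",
)
FOUNDATIONS = ("ASSET", "ARCHITECTURE")
MIL_MIN, MIL_MAX = 0, 3

# Constructed sample assessment: one MIL per domain, not real organisation data.
CURRENT_STATE = {
    "ASSET": 1, "THREAT": 1, "RISK": 2, "ACCESS": 2, "SITUATION": 1,
    "RESPONSE": 1, "THIRD-PARTIES": 0, "WORKFORCE": 1, "ARCHITECTURE": 1,
    "PROGRAM": 1,
}
# Constructed target: MIL 2 across the board for the first roadmap cycle.
TARGET_STATE = {domain: 2 for domain in DOMAINS}


@dataclass(frozen=True)
class Gap:
    domain: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def foundational(self) -> bool:
        return self.domain in FOUNDATIONS


def check_mil(domain: str, value) -> int:
    """Reject anything that is not an integer MIL in the 0..3 range."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{domain}: MIL must be an integer, got {value!r}")
    if not MIL_MIN <= value <= MIL_MAX:
        raise ValueError(f"{domain}: MIL {value} outside {MIL_MIN}..{MIL_MAX}")
    return value


def gap_analysis(current: dict, target: dict) -> list:
    """One Gap per domain whose assessed MIL is below its target MIL."""
    gaps = []
    for domain in DOMAINS:
        cur = check_mil(domain, current[domain])
        tgt = check_mil(domain, target[domain])
        if cur < tgt:
            gaps.append(Gap(domain, cur, tgt))
    return gaps


def remediation_order(gaps) -> list:
    """Foundations first, then the largest gaps; ties keep framework order."""
    return sorted(
        gaps,
        key=lambda g: (not g.foundational, -g.size, DOMAINS.index(g.domain)),
    )


def outrun_foundations(levels: dict) -> list:
    """Domains rated above the weakest foundation domain.

    Applied to a current-state assessment this flags optimistic self-ratings
    (ACCESS at MIL 2 while ASSET is at MIL 1); applied to a target state it
    flags a roadmap that raises a dependent domain ahead of its foundations.
    """
    floor = min(check_mil(d, levels[d]) for d in FOUNDATIONS)
    return [
        d for d in DOMAINS
        if d not in FOUNDATIONS and check_mil(d, levels[d]) > floor
    ]


def main() -> None:
    gaps = remediation_order(gap_analysis(CURRENT_STATE, TARGET_STATE))
    print("Remediation order (foundations first):")
    for g in gaps:
        tag = " [foundation]" if g.foundational else ""
        print(f"  {g.domain:<14} MIL {g.current} -> {g.target}{tag}")
    for d in outrun_foundations(CURRENT_STATE):
        print(f"Check self-rating: {d} is rated above the foundation domains")


if __name__ == "__main__":
    main()
```

Run as a script, the constructed data puts ASSET and ARCHITECTURE at the top of the remediation list, then THIRD-PARTIES (the largest gap), and flags RISK and ACCESS as rated above the MIL 1 foundations. In a real program the per-domain numbers would come from practice-level assessment results, and the dependency rule would be refined to the specific practices involved.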
AESCSF and the SOCI Act Relationship
The relationship between AESCSF and the Security of Critical Infrastructure Act 2018 (SOCI Act) is fundamental for energy sector organisations. The SOCI Act establishes mandatory obligations for critical infrastructure operators, including the requirement to maintain a Critical Infrastructure Risk Management Program (CIRMP) that addresses cyber security hazards.
AEMO and the ACSC have positioned AESCSF as the recommended framework for addressing cyber security obligations under SOCI. Organisations that implement AESCSF comprehensively - achieving appropriate maturity across the ten domains - will be well-positioned to demonstrate CIRMP compliance.
However, SOCI Act obligations extend beyond cyber security to include personnel, supply chain, and physical security. While AESCSF's WORKFORCE and THIRD-PARTIES domains address related cyber security aspects, the broader SOCI requirements need separate but coordinated risk management programs.
The SOCI Act also imposes incident reporting requirements. Cyber security incidents affecting critical infrastructure assets must be reported to the ACSC within specified timeframes, which requires clear incident classification criteria and established reporting procedures. The RESPONSE domain practices should include development of these procedures as part of broader incident response capability.
Understanding this regulatory context helps organisations frame AESCSF investment in terms of legal compliance as well as security improvement. Achieving higher maturity levels isn't just good security practice - it's demonstrable evidence of meeting legislative obligations.
Conclusion
AESCSF provides Australian energy organisations with a robust, practical framework for managing cyber security risk. Built on the proven C2M2 maturity model, it offers a structured approach to capability development across ten domains that address the full spectrum of cyber security concerns. Success requires treating the framework as a tool for genuine security improvement rather than a compliance exercise. By understanding the C2M2 foundation, mapping to existing security programs through available crosswalks, addressing common gaps systematically, and building a realistic multi-year roadmap, organisations can achieve sustainable compliance that delivers real security value. The alignment with SOCI Act requirements provides additional motivation and regulatory clarity for this investment.