by Graeme Pyper, Cyber Security, Thales Australia
Protecting the Australian energy sector against increasingly sophisticated cyber threats is a matter of national importance – not only to ensure the security and reliability of electricity supply, but also for economic stability and national security. In 2018 AEMO, in collaboration with industry and government partners, developed a tailored cyber security framework for the Australian energy sector, the Australian Energy Sector Cyber Security Framework (AESCSF). Here, we’ll take a closer look at AESCSF, and consider the ways businesses should optimally respond to their findings to prevent business risks.
AEMO’s framework enables participants to undertake assessments of their own cyber security capability and maturity, and use the results to inform and prioritise investment to improve cyber security posture.
The framework was developed through collaboration with industry and government stakeholders, including AEMO, the Australian Cyber Security Centre (ACSC), the Critical Infrastructure Centre (CIC) and the Cyber Security Industry Working Group (CSIWG), which includes representatives from Australian energy organisations.
The AESCSF leverages recognised industry frameworks such as the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2) and the NIST Cyber Security Framework (CSF), and references global best-practice control standards (such as ISO/IEC 27001, NIST SP 800-53 and COBIT). The AESCSF also incorporates Australian-specific control references, such as the ACSC Essential 8 Strategies to Mitigate Cyber Security Incidents, the Australian Privacy Principles, and the Notifiable Data Breaches scheme (NDB).
Other cyber security assessment standards that Australian energy network service providers may be certified or aligned to include, but are not limited to:
- ISO 27000 (International Standards Organisation series for Information Security Management Systems);
- Payment Card Industry Data Security Standard (PCI-DSS); and
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standards
Australian energy companies also utilise publicly available resources such as:
- The Australian Government Department of Defence Intelligence and Security Information Security Manual
- The Australian Signals Directorate (ASD) Top 35 Strategies to Mitigate Targeted Cyber Intrusions
- SANS Institute 20 Critical Controls
- Centre for Internet Security (CIS) Security Benchmarks
- Open Web Application Security Project (OWASP) guidance
First assess, then what?
The reality is, there are a number of tools and standards that Australian energy companies can use to assess the maturity of their cyber security strategies.
AEMO makes clear in its framework that it considers ES-C2M2 to be the gold standard for cyber security assessment.
The important thing is that once assessment has been undertaken, energy companies use this assessment to identify the risks that they face – and more specifically, where these risks move beyond being cyber risks, to being genuine business risks.
Jeremy Hulse, from global cyber-security experts Thales, recommends working backwards to find the “sweet spot” of intervention when it comes to cyber security that will prevent catastrophic risks, such as reputational damage, asset damage and loss of life, without over-engineering the solution your organisation requires.
“Businesses need to do a thorough analysis, such as an ES-C2M2 analysis, understand their risks, and act appropriately to manage these risks.
“Do businesses need to fix every air gap in their network? Not necessarily. It’s about identifying the gaps that are critical, and dealing with them appropriately.”
Thales Critical Infrastructure Cyber Security is a comprehensive, expert-led approach to developing safe and resilient cyber-secure systems. The offering delivers security planning, cyber security risk management, and cyber security architecture and design, leading to an outcome tailored to an organisation’s specific business and critical infrastructure needs.
The Thales approach is designed to minimise the uncertainty in developing and integrating cyber security controls in safety-critical production environments. It provides business-appropriate evidence that security controls and the associated expenditure are both warranted and effective.
The team from Thales works with business stakeholders to architect cyber security needs into the system in the early stages of system development, and balance the needs of security with other system requirements.
Interested in learning more about how your organisation can guard itself against cyber security threats? Click here to download the Report on Cyber Threats to Operational Technologies in the Energy Sector.