Introduction
There are numerous cyber security regulations, frameworks and standards used to govern cyber security within an organisation, ranging from general information security standards such as ISO27001 and NIST CSF to industry-specific standards and frameworks such as ES-C2M2 and AESCSF. An organisation may choose to adopt any of these, or simply practise basic cyber security hygiene along the lines of the ACSC's Essential Eight.
In the majority of situations an organisation is pushed to a point where it needs to comply with a certain standard or regulation. These are advanced cyber security best practices, mandated either by governments or by organisations themselves in order to gain trust.
Do all organisations have the resources, such as funding and people, to carry out these processes? Is there a way for Small and Medium Businesses (SMBs) to get through this with minimum effort but an optimum outcome? There is a solution, but before we move on to it, let's understand the problem through AESCSF.
AESCSF
It is proven that Industrial Control Systems (ICS) and other critical infrastructure are vulnerable to cyber-attacks (Stuxnet being the best-known example), hence a general cyber security framework is insufficient when it comes to protecting specialised systems. When we consider critical infrastructure such as the energy sector, it is not only the IT (Information Technology) systems that we need to take care of but also the OT (Operational Technology) systems.
With all this in mind, AEMO and other Australian government entities developed a cyber security framework to protect the electricity and gas industry from malicious attacks. AESCSF is largely derived from ES-C2M2, a cyber security framework developed by the Department of Energy (DOE) in the United States, and also leverages many other industry standards such as NIST CSF. What is special about AESCSF is that it is customised for the Australian energy and gas sectors.
AESCSF consists of 282 controls, including poor practices called Anti-patterns, spanning 11 domains. All 282 controls have their own indicators for assessing an organisation's current state, termed Maturity Indicator Level (MIL), and its target state, termed Security Profile (SP), both ranging from 1 to 3. It is important to note that an organisation must follow a set flow of assessment.
Flow of assessment
- A criticality assessment must be carried out first to determine the SP:
  - SP-1 – Low criticality
  - SP-2 – Medium criticality
  - SP-3 – High criticality
- Assess your organisation against that SP using the self-assessment
An organisation’s security perspective
The security posture of different organisations differs vastly. Some organisations adopt a cyber security aware culture from inception, and some incorporate it as the organisation develops. Where your organisation stands at present determines the effort you need to put into AESCSF. At a high level, if you fall under low criticality you need to satisfy approximately 30% of the requirements, if you fall under medium criticality you need to satisfy approximately 70%, and if you are a high criticality organisation you need to satisfy almost all of them.
If your organisation has already adopted basic security practices or has been following other standards and frameworks, the majority of your work is done. Most AESCSF practices categorised under MIL-1 are basic cyber security practices, which means your organisation has already covered almost 20% of the requirements. Depending on how you have implemented those practices, e.g., whether you regularly review and update them or continuously monitor them, you will be able to achieve another 10%, which fulfils SP-1 completely. If you are a low criticality organisation, this assures you that you have achieved the required level of compliance, and it will be easier for your organisation to keep up with the requirements as you grow and move into SP-2 or SP-3.
On the other hand, if your organisation is new or has not yet considered cyber security, working your way through AESCSF will not only solidify your basic security requirements but also lay the foundation for the industry-specific security controls that are essential in MIL-2 and MIL-3. Once you have started implementing AESCSF, you can meet the compliance requirements of other standards and frameworks as well.
Difficulties organisations face and how to overcome them
Most organisations want to secure their systems physically and digitally, but many aspects hold them back. The three main reasons are:
- Time and funding: organisations in the energy sector specialise in providing energy-related services, and frameworks such as AESCSF add overhead to their resources. Some SMBs do not have a dedicated cyber security team to manage such security requirements.
- Lack of visibility over third parties and suppliers.
- Extending current compliance to other standards and frameworks.
How AR Innovations solves these issues
- AR Innovations provides extensive consultancy that tracks your compliance end-to-end. Our team of experts will guide your organisation from writing your first information security policy until you are compliant.
- We design our approach around what our clients require. Our primary approach to AESCSF is through threat intelligence: we carry out a comprehensive study of what the business does and analyse the specific threat vectors it faces in order to provide solutions to our clients.
- Regulations, standards and frameworks evolve with the ever-changing threat landscape. There are plenty of such documents, and you may need to be compliant with many of them at once. For example, if you choose to assess yourself against AESCSF, at the end of the assessment AR Innovations can also provide an overall view of other related industry standards (e.g., ISO27001, SOC2) and frameworks, and show where your organisation stands against those requirements as well. This drastically reduces the time you need to spend.