With the Australian financial year 2023-2024 concluded, it is crucial for Responsible Entities to be aware of upcoming compliance deadlines. Responsible Entities must submit an Annual Report relating to their Risk Management Program (RMP) to the relevant Regulator between July 1, 2024, and September 28, 2024. This requirement is part of the Security of Critical Infrastructure (SOCI) Act, which mandates that Responsible Entities for critical infrastructure assets have, and comply with, a Risk Management Program (RMP).
The Cyber Security Framework obligation comes into effect on August 17, 2024, for the 2024-2025 CIRMP Annual Report. From this date, Responsible Entities subject to this obligation must comply with Section 8 of the SOCI CIRMP Rules, which outlines five designated cybersecurity frameworks, including the AESCSF. This includes achieving the specified level of maturity for one of the selected frameworks or an equivalent alternative framework.
As of August 17, 2023, the Critical Infrastructure Risk Management Program (CIRMP) grace period has concluded. Critical infrastructure operators in Australia are racing against time to establish and enforce a risk management program as required by the rules.
The CIRMP outlines several framework options required for compliance, including:
The deadline to fulfill the cyber security framework specifications as laid out in this program is 18 August 2024. Additionally, the inaugural board-approved annual report must be submitted by 28 September 2024.
All of this is ultimately enforced through regulatory obligations administered by the Cyber and Infrastructure Security Centre (CISC).
In recent developments, the Australian Government has significantly expanded the scope of the Security of Critical Infrastructure Act (SOCI Act) through two key amendments: the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP). These legislative changes are intended to strengthen the preparedness and resilience of Australia's critical infrastructure in the face of evolving cyber threats and intricate interdependencies.
The Security of Critical Infrastructure Act (SOCI Act) casts a wide net over a diverse range of sectors deemed critical to national security and economic stability. Understanding the breadth of its application is essential for entities across various industries to gauge their compliance responsibilities. As per recent expansions and clarifications, the SOCI Act now encompasses 22 asset classes within 11 critical sectors. These sectors include:
Each of these sectors is required to adhere to specific regulations that are tailored to address the unique risks associated with their operations. This sector-specific approach ensures that the protective measures implemented are both appropriate and effective, enhancing the overall security posture of Australia's critical infrastructure.
The regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act) places obligations on responsible entities for certain critical infrastructure assets in relevant critical infrastructure sectors.
Within this act is the requirement to “produce and comply with a Critical Infrastructure Risk Management Program (CIRMP).”
The CIRMP is governed by a set of "CIRMP Rules", which include a set of requirements geared toward "Cyber and Information Security Hazards".
More specific guidance and definition can be found in the CISC’s Critical Infrastructure Asset Class Definition Guidance fact sheet here: https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-asset-class-definition-guidance.pdf
The cybersecurity framework requirement in the CIRMP Rules avoids reinventing the wheel by leveraging known, established standards and industry frameworks to ensure maturity, consistency, and effectiveness. Utilising these frameworks provides a common language and understanding, helping organisations align with recognised best practices.
Across these established cybersecurity frameworks, core foundational elements remain consistent. Though the frameworks may combine or delineate security controls and programs differently, at their core they address the same universal areas of best practice.
(Before digging into framework areas, it's worth noting that in addition to providing key security controls directly, Industrial Defender also automates compliance reporting for full frameworks and policies. This eases the burden on preparing audit-ready reports and gathering regulatory evidence.)
The AESCSF stands for the Australian Energy Sector Cyber Security Framework. It is a framework designed specifically for the Australian energy sector to provide a consistent foundation for evaluating and enhancing cybersecurity maturity across the sector. It was developed by the Australian Energy Market Operator (AEMO).
The Australian Energy Sector Cyber Security Framework (AESCSF) is organised around specific domains, each covering a distinct area of cybersecurity. The domains serve as categories or clusters of related cybersecurity practices and controls, guiding organisations within the Australian energy sector in their cybersecurity efforts.
DOMAIN 1: Asset, Change, and Configuration Management (ACM)
DOMAIN 2: Cybersecurity Program Management (CPM)
DOMAIN 3: Supply Chain and External Dependencies Management (EDM)
DOMAIN 4: Identity and Access Management (IAM)
DOMAIN 5: Event and Incident Response, Continuity of Operations (IR)
DOMAIN 6: Information Sharing and Communications (ISC)
DOMAIN 7: Risk Management (RM)
DOMAIN 8: Situational Awareness (SA)
DOMAIN 9: Threat and Vulnerability Management (TVM)
DOMAIN 10: Workforce Management (WM)
DOMAIN 11: Australian Privacy Management (APM)
Keep reading for summary explanations of the domain and how Industrial Defender helps. You can also download our detailed AESCSF Mapping Guide here: https://www.industrialdefender.com/resources/aescsf-mapping-guide-industrial-defender
This concerns the management of the organisation’s OT and IT assets, considering both hardware and software, relative to risks to critical infrastructure and organisational aims. Domain 1 of the AESCSF prioritises a current inventory of these assets, each categorised by its importance to function delivery. It's crucial to establish configuration baselines for consistency across assets and for deployments. These baselines, shaped by cybersecurity goals, are regularly reviewed and updated as determined by the organisation.
Change management in this domain ensures modifications to assets are evaluated, logged, and, where possible, tested for cybersecurity impacts before deployment. To maintain transparency, change logs record modifications that might influence the cybersecurity status (availability, integrity, confidentiality) of these assets.
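To make the Domain 1 practice concrete, here is an added example (not code from the original post or from Industrial Defender) that compares a stored configuration baseline against a current snapshot of an OT asset, writes change-log entries tagged with the cybersecurity property each deviation may affect, and filters out changes already approved through change management. The snapshot shape, the impact tags, the hypothetical workstation "EWS-01" and both sample snapshots are constructed for the example.

```python
"""Configuration-baseline deviation check for an OT asset (added example).

Assumed/constructed: the snapshot shape (software, services, listening
ports, users), the impact tags and the two sample snapshots below. This is
not Industrial Defender's data model.
"""
from dataclasses import dataclass

# Hypothetical mapping of which cybersecurity properties a drift in each
# area can affect, used to tag change-log entries the way Domain 1 describes
# (availability, integrity, confidentiality).
IMPACT = {
    "software": ("integrity", "availability"),
    "services": ("availability", "integrity"),
    "ports": ("confidentiality", "availability"),
    "users": ("confidentiality", "integrity"),
}

@dataclass(frozen=True)
class Change:
    asset: str
    area: str        # which part of the baseline drifted
    kind: str        # "added", "removed" or "modified"
    item: str        # the affected package/service/port/user
    detail: str      # new value, removed value, or "old -> new"
    impacts: tuple   # cybersecurity properties the drift may affect

def diff_snapshot(asset, baseline, current):
    """Compare two snapshots and return the change-log entries.

    Each area is a dict (name -> value): a new key is 'added', a missing
    key is 'removed', and a key whose value differs is 'modified'.
    """
    changes = []
    for area in IMPACT:
        old, new = baseline.get(area, {}), current.get(area, {})
        for key in sorted(set(old) | set(new)):
            if key not in old:
                changes.append(Change(asset, area, "added", key, str(new[key]), IMPACT[area]))
            elif key not in new:
                changes.append(Change(asset, area, "removed", key, str(old[key]), IMPACT[area]))
            elif old[key] != new[key]:
                changes.append(Change(asset, area, "modified", key,
                                      f"{old[key]} -> {new[key]}", IMPACT[area]))
    return changes

def unauthorised(changes, approved):
    """Drop changes recorded in change management; the rest are unreviewed
    deviations from the baseline. `approved` holds (area, item) tuples."""
    return [c for c in changes if (c.area, c.item) not in approved]

# Constructed sample snapshots for a hypothetical engineering workstation.
BASELINE = {
    "software": {"vendor-hmi": "4.2.1", "openssl": "1.1.1k"},
    "services": {"hmi-runtime": "running", "telnet": "disabled"},
    "ports": {"443/tcp": "hmi-runtime"},
    "users": {"operator": "user", "admin": "administrator"},
}
CURRENT = {
    "software": {"vendor-hmi": "4.2.1", "openssl": "1.1.1w", "remote-tool": "1.0"},
    "services": {"hmi-runtime": "running", "telnet": "running"},
    "ports": {"443/tcp": "hmi-runtime", "23/tcp": "telnet"},
    "users": {"operator": "user", "admin": "administrator", "svc_tmp": "administrator"},
}
APPROVED = {("software", "openssl")}  # constructed: a ticketed patch

if __name__ == "__main__":
    for c in unauthorised(diff_snapshot("EWS-01", BASELINE, CURRENT), APPROVED):
        print(f"{c.asset} {c.area}:{c.item} {c.kind} {c.detail} "
              f"may affect {', '.join(c.impacts)}")
```

Run as-is, the script reports four unreviewed deviations (new software, telnet enabled, a new listening port and a new administrator account) and suppresses the approved OpenSSL update.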
Industrial Defender stands as the industry's forerunner in these capabilities, specialising in delivering the most comprehensive, in-depth OT asset data. Through a blend of active and passive techniques, coupled with manual data entry for network isolation scenarios, Industrial Defender delivers the most detailed asset inventory. Alongside this, it offers a superior capability to detect changes and furnish historical context. Users enjoy unparalleled visibility into asset functionalities. Setting itself distinctly apart from other "asset visibility" platforms, Industrial Defender delves deeper into endpoint configurations and changes, covering device information, software inventories, active services, network port utilisation, and user-designated specifications. Industrial Defender enables users to establish and maintain baselines, track deviations from policies, and ensure compliance and secure states using comprehensive OT asset data.
Domain 2 focuses on establishing and maintaining an enterprise cybersecurity program. The program aims to align the organisation's strategic objectives with its cybersecurity actions, considering risks to critical infrastructure. The organisation must have a defined cybersecurity strategy that outlines its objectives. This strategy should be well-documented and align with the organisation's overall strategic goals and risk considerations. The strategy also sets out the governance and oversight approach for cybersecurity activities. Active engagement and sponsorship from senior management are essential for the program's success.
Industrial Defender offers a broad suite of features that support a robust cybersecurity program. Recognising the importance of a comprehensive cybersecurity approach, it not only provides a wide range of tools but also an extensive API for integration. The platform has a detailed asset classification mechanism and risk scoring system, ensuring critical assets and their risk levels are clearly identified for resource allocation. Industrial Defender stands as a foundational element for any cybersecurity strategy, offering real-time operational capabilities and historical data insights for program refinement and compliance with standards and policies. Moreover, users are equipped with high-level dashboards, diverse reports, and an API for custom reporting, all fostering continuous monitoring and improvement.
Domain 3 revolves around managing cybersecurity risks linked to dependencies on external entities, aligned with the threat to critical infrastructure and the organisation's goals. This domain emphasises identifying significant IT and OT supplier and customer dependencies, prioritising these based on the organisation’s risk criteria. Cybersecurity risks from suppliers and third-party affiliations are pinpointed and addressed. The criteria involve considering cybersecurity requirements when forming third-party relations, embedding these requirements in contracts, and selecting third parties based on their cybersecurity proficiency. The domain also necessitates periodic third-party reviews, manages risks using the organisation's risk management procedures, and mandates suppliers to report vulnerabilities in products. Lastly, procured assets undergo cybersecurity acceptance testing, and information sources are scrutinised for potential supply chain threats.
Industrial Defender accumulates detailed software inventory and firmware data, allowing users to assess and monitor dependencies by vendor. Through our collaboration with FoxGuard, the platform offers insights into supplier software, patch availability, and authenticity. The system vigilantly monitors logs for both authorised and unauthorised user access, raising notifications for unusual activity patterns. User accounts are catalogued as a fundamental part of the baselining, facilitating the detection of new account creations or modifications. Moreover, the platform's vulnerability and patch management features identify known vulnerabilities and procure available patches from OT vendors. Lastly, our platform conducts exhaustive inventories of software, firmware, and hardware, making it indispensable for reviewing supplier vulnerabilities and defects.
Domain 4 focuses on Identity and Access Management (IAM). IAM is about the creation and management of identities that can be granted access, either logically or physically, to the organisation’s assets. This process involves provisioning identities for those who need access to specific assets and ensuring they're appropriately deprovisioned once not required. Regular reviews of identities and associated credentials are undertaken to maintain their validity. Determining and controlling access is paramount; it is granted based on set requirements, invoking principles like least privilege and separation of duties. Notably, access requests undergo scrutiny by the asset owner. Particularly sensitive privileges, like root or administrative access, receive enhanced oversight. The frequency of access privilege reviews is set by the organisation, and any unusual access attempts are monitored as potential cybersecurity threats.
For Domain 4, the Industrial Defender platform monitors authentication activity to validate compliance with cybersecurity policies. The platform collects user configurations across assets and applications, highlighting deviations or conformance to identity provisioning policies. Industrial Defender checks password and account policies against security benchmarks. Role-based and asset-based access controls within the platform support principles of least privilege and separation of duties. Industrial Defender maintains asset owner information for managing access requests. It also monitors authentication activity for anomalies, generating alerts. Finally, the platform reviews user configurations for account status, usage, and privilege levels.
This domain mandates that organisations have plans and technologies to detect, analyse, and respond to cybersecurity events, ensuring ongoing operations during such events. Key aspects include having a designated contact for event reports, consistent logging and reporting of detected events, set criteria for event detection, and a central repository for event logs. Event data should be analysed to identify patterns and trends. Additionally, event detection should adapt based on the organisation's risk and threat assessments, with continuous monitoring to quickly identify cybersecurity incidents.
Industrial Defender identifies vulnerabilities in software, firmware, and operating systems at a level that supports event and incident response processes. The platform's administrative properties detail the point of contact, owner organisation, location, and criticality for each asset. It actively monitors OT and IT systems for cyber events using various mechanisms, such as host-based agents, remote log monitoring, and passive network traffic observation. Additionally, it standardises event streams from all assets for efficient analysis and offers event notification mechanisms like email and API. The platform can detect patterns across assets, identify deviations from asset baselines or cybersecurity policies, and facilitates external integration through APIs, database views, and reports. Furthermore, it employs a risk-based approach to analyse events, offers integrations for data sharing with SIEM systems, and utilises both rule-based and machine learning threat detection techniques.
This domain pertains to the structured approach of establishing and fostering connections with both internal and external entities, centred on the efficient collection and dissemination of crucial cybersecurity information, spotlighting threats and vulnerabilities. It aims to mitigate potential risks, fortify critical infrastructure, and ensure that organisational objectives are met with resilience. Within this framework, selected individuals or organisations become pivotal points of information exchange, with dedicated personnel handling cybersecurity reporting. Moreover, this domain prioritises consulting expert technical sources, securely transmitting sensitive data, and emphasising swift and comprehensive information-sharing, whether in routine or emergent situations. An underpinning principle of Domain 6 is the cultivation of a trust-based network that spans both internal and external contacts, streamlining the verification of cyber event information.
Industrial Defender enables external integration to other entities and applications through an API, asynchronous events via email, and scheduled reports. The platform has custom integrations for sharing data with SIEM systems, ensuring deep OT asset context for analysts. Its administrative properties list point of contact information for each asset, owner organisation, physical location, and criticality level. Industrial Defender's external integration points guarantee secure and encrypted data transfer, with proper tagging as sensitive or classified. Additionally, the platform offers granular control of integration points, managing the recipient and content of shared information.
Domain 7, Risk Management (RM) revolves around the establishment, operation, and maintenance of a comprehensive enterprise cybersecurity risk management program. This program is designed to identify, analyse, and mitigate cybersecurity risks to the organisation, covering its business units, subsidiaries, interconnected infrastructure, and stakeholders. It mandates a documented cybersecurity risk management strategy that outlines an approach for risk prioritisation. Risks are identified and then either mitigated, accepted, tolerated, or transferred. These identified risks undergo assessments in line with the management strategy, ensuring they're documented, analysed, and then prioritised for response activities. Continuous monitoring of these risks is paramount, with the analysis further enriched by understanding the network architecture, be it IT and/or OT. To encapsulate, the risk management program clearly defines and enforces policies and procedures which are the embodiment of the overarching cybersecurity risk management strategy.
Industrial Defender supports the Risk Management requirements described by the AESCSF by overseeing asset types, classifications, criticality, network and physical locations, organisation, and ownership; these factors are pivotal in forming a risk management strategy. The platform calculates real-time risk factors for assets, an essential aspect of risk prioritisation, combined with a static risk analysis for each asset. Industrial Defender's vulnerability monitoring identifies vulnerabilities in software, firmware, and operating systems. Additionally, it offers visibility into the risk mitigation process and allows for custom risk scoring based on the properties of network assets.
Domain 8, titled Situational Awareness (SA), sets out guidance for establishing robust procedures and technologies that systematically gather, analyse, and present operational and cybersecurity data. It emphasises the creation of a holistic common operating picture (COP), which draws on summaries from other model domains. The guidance underscores logging pivotal assets associated with the function where feasible, with clear requirements for these assets, aggregation of log data, and their alignment based on the function's inherent risk. Concurrently, monitoring demands the consistent oversight of OT environments for anomalies, expedited event data reviews, and the integration of alerts designed to detect cybersecurity disruptions. Monitoring should not only reflect the function's threat landscape and prioritise risk but also seamlessly align with other business and security operations. Continuous surveillance of the OT environment, supplemented by a risk register, ensures any deviations are instantly recognised and flagged by tailored alerts.
Industrial Defender's comprehensive OT asset data enhances situational awareness within the OT environment. The platform employs diverse monitoring mechanisms, from host-based agents to passive network traffic analysis, to oversee both OT and IT systems for cyber events. This event data is unified for seamless analysis and correlation. Leveraging an extensive rule library, Industrial Defender's active and passive scanning methods cater to a wide range of devices and support custom additions. The platform's nuanced log scanning is tailored per asset for flexibility. Monitoring includes configuration changes, key performance indicators, and removable media activity. An event review system with annotation capabilities aids analysis, while unreviewed event age is used as a risk factor for assets, bolstering risk assessment.
Domain 9 highlights the imperative of establishing and maintaining plans, procedures, and technologies to effectively detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities. This encompasses identifying information sources for threat management, interpreting cybersecurity threat information, addressing significant threats, and forming a comprehensive threat profile. It also involves prioritizing and monitoring information sources covering the entire threat profile, as well as analyzing, prioritizing, and addressing identified threats according to assigned priorities. Simultaneously, the domain stresses the importance of reducing vulnerabilities by identifying sources for cybersecurity vulnerability discovery, gathering and interpreting vulnerability information, addressing crucial vulnerabilities, and performing assessments. This includes analyzing and prioritizing vulnerabilities, considering operational impact before patch deployment, conducting independent vulnerability assessments at defined frequencies, and integrating vulnerability information into the risk register to inform decision-making.
Another of Industrial Defender's core strengths is vulnerability management. The platform adeptly addresses this domain by employing various strategies, including preemptive vulnerability monitoring to identify known vulnerabilities in software, firmware, and operating systems using ICS Cert Advisories and OSINT. Collaborating with Foxguard's patch management system, Industrial Defender identifies vendor-approved patches for OT systems. Additionally, the platform offers transparency into the process of threat remediation.
Furthermore, Industrial Defender vigilantly monitors both OT and IT systems for cyber events, utilizing mechanisms such as host-based agents, remote log monitoring, and passive network traffic analysis. The platform updates asset risk scoring to reflect evolving conditions and support ongoing improvement initiatives. Industrial Defender also streamlines the vulnerability assessment process and provides raw vulnerability information to facilitate informed prioritization of mitigation efforts.
Again, you can also download our full detailed AESCSF Mapping Guide here: https://www.industrialdefender.com/resources/aescsf-mapping-guide-industrial-defender
Managing security programs and adhering to frameworks can be daunting. We can swiftly guide you towards compliance and assist you in its continuous maintenance. Remember, this isn't a one-time task; maintaining compliance and a robust security posture is a round-the-clock commitment.
Industrial Defender possesses deep OT domain expertise and has an extensive history of catering to the distinct requirements of industrial companies — from the control room to the boardroom. Our team can help yours align with every domain in the AESCSF and enhance maturity across various stringent cybersecurity frameworks. With the experience of hundreds of successful audits under our belt, Industrial Defender can lessen the strain and bolster your confidence when audit time rolls around.
Schedule a demo with our OT security architects to dive deeper into our capabilities: https://www.industrialdefender.com/demo/demo-request
You can also download our detailed AESCSF mapping guide here: https://www.industrialdefender.com/resources/aescsf-mapping-guide-industrial-defender