Do you know how your plants map against the various Maturity Level Indicators and Security Profiles outlined in the Australian Energy Cyber Security Framework (AECSF)? How prepared is your organisation to progress along this roadmap? Do you have access to the right skillsets and resources? How quickly could you respond to changes from AEMO?

Whilst compliance to the base AECSF requirements is a bare minimum target, it may be more strategic to proactively progress compliance further along the projected compliance roadmap. Taking into consideration your organisations current priorities, risk appetite and access to resource will often help in this exploration.

A well designed plan may also result in a number of additional easy wins. With skills and expertise involved, it’s often easy to configure a piece of hardware or software to serve additional benefits other than just that prescribed by the desired project outcome. This may also be achievable with no extra cost. For example you may want to monitor hardware to alert for a security breach, for minimal extra effort you could also use that same new monitoring capacity to improve that hardwares performance or make maintaining it easier.

Much about good compliance is not necessarily specific to a particular plant. Whether you own or manage one plant, or a large network, you shouldn’t need to start your compliance journey from scratch. We can provide existing, approved and future-proof compliance practices, procedures and other documentation to make your compliance journey as easy as possible. Even without our support, good compliance is scalable and you can benefit by building this philosophy into your compliance approach.

After understanding where you are and where you want to be, it’s time to develop an optimal plan to get there. This plan will determine how likely you are to fully reach your target, how quickly you get there, how easy the journey is, and how much it costs.

Good compliance is not just about having acceptable hardware, software and documentation, but also considers your organisational culture. If you can create a culture where compliance more naturally and effortlessly occurs, this will not just make your compliance efforts more reliable, but often cheaper as well.

Achieving a level of desired compliance is an important exercise. Yet so is maintaining compliance. One of the tasks important to this is maintaining various documentation. It is unlikely your software, hardware, practices, processes or personnel will stay static. As these things change, your documentation will need to be updated. Although this sounds basic, it’s an activity that often gets lost amongst other competing priorities.

The practices involved in identifying, analysing and mitigating cybersecurity risk to the organisation

The administration of a cybersecurity program providing governance, strategic planning, and sponsorship for the organisation’s cybersecurity activities

Managing and maintaining the organisation’s technological assets with regards to infrastructural risk factors

Managing access to the organisation’s assets by the creation and maintenance of secure user identities with relevant access privileges

Managing the logging and analysis of cybersecurity information across different areas of the plant, contributing to overall situational awareness

Addressing cybersecurity threats and vulnerabilities through a process of identification, analysis, management and incident response

The creation and maintenance of a common operating picture (COP) by collecting, analysing, communicating, and making best use of operational and cybersecurity information

Putting processes in place to detect, analyse and respond to cybersecurity events