Cyber Security Work Plan
On 11 June 2021, the Energy Ministers Meeting agreed to add cyber security as a priority action on their work program.
The Cyber Security Work Plan will complement ongoing jurisdictional government cyber security reforms and focus on measures to improve cyber preparedness, response and recovery in the energy sector.
To oversee the progress of the work plan, a Cyber Security Working Group has been established with representatives from all Australian state and territory governments. The working group will focus on enabling a co-ordinated, comprehensive, and non-duplicative uplift in cyber security across the energy sector, to achieve a cyber resilient sector.
Australian Energy Sector Cyber Security Framework
The department is working in partnership with the Australian Energy Market Operator (AEMO) to deliver the 2022 Australian Energy Sector Cyber Security Framework (AESCSF) program.
The AESCSF, established in 2018, enables energy market participants to assess their cyber security maturity and uplift capability, which strengthens the energy sector’s resilience. The AESCSF includes an assessment program and a report to Energy Ministers.
The AESCSF leverages recognised industry frameworks such as the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2) and the NIST Cyber Security Framework (CSF), and references global best-practice control standards.
The department is working with energy companies and other Australian government agencies to deliver a national energy sector cyber security exercise in 2022, called GridEx VI.
Malicious cyber activity is an emerging threat to the security of Australia’s energy systems. The national exercise will test response capabilities to a major cyber security incident.
Review of cyber incident and emergency management arrangements
In the event of a serious cyber incident, the energy sector has emergency response arrangements in place to manage any potential supply and operational impacts.
The Australian Government is working with state and territory governments, AEMO and industry to review existing emergency management arrangements during complex cyber incidents. This will ensure the energy sector is able to efficiently communicate and respond to increasingly sophisticated cyber threats.