
Getting the Most Value from the Australian Energy Sector Cyber Security Framework in NZ

April 27, 2026
The energy sector doesn’t need another framework to read about. It needs a framework it can use.

Whether you’re in Melbourne or Manawatū, the cyber security threats that energy sector operators are facing are the same.

Attackers know no borders when it comes to operational assets to exploit. And that's why Overcyte believes the Australian Energy Sector Cyber Security Framework (AESCSF) has real value for New Zealand companies wanting to drive their security programme forward.

We've written before about the benefits of the AESCSF, which was developed through collaboration with industry and government stakeholders in a context where successful attacks on Australia's critical energy infrastructure could put essential services at risk.

Rather than each operator working alone and applying a less suitable cyber security framework, New Zealand's electricity distribution businesses can, as a community, measure their readiness against an established cybersecurity framework instead of figuring it out individually.

Reviewing the problems the AESCSF was built to solve

The AESCSF is quite novel compared with other international approaches: it comprises a set of security practices for Australia's energy sector and a methodology for organisations to (1) assess their criticality within the national energy system and (2) assess their maturity against the listed security practices.

AESCSF:

  • Energy-specific
  • OT-native
  • Maturity + Security Profiles
  • Anti-patterns
  • Peer benchmarking

Without the tailored energy framework, two distributors in the same state could report radically different postures because they were measuring against different yardsticks.

The AESCSF provides a way to measure both maturity and risk profile (MIL 1-3 and 3 x Security Profiles). Because AEMO centrally manages reporting, aggregated results can provide sector-wide benchmarking, as well as reporting to Ministers.

It also avoids generic IT controls: the Australian Energy Sector Cyber Security Framework is OT-native across all 11 domains.

NIST CSF only indirectly touches on OT controls; CIS has minimal coverage, and ISO 27001 is also limited in depth.

Whilst IEC 62443 is a dedicated ICS cyber security framework, it's not so energy-specific. The AESCSF also has anti-patterns built in:

These are MIL-1 to MIL-3 blockers: exhibiting any one of them prevents you from achieving that maturity level across the entire domain.

Where Overcyte has been used to assess current state against the AESCSF, we find consistent issues across these, the most underestimated domains:

  • Supply Chain (EDM) - No supplier register, no cyber clauses in contracts, no vendor visibility
  • Asset Management (ACM) - Incomplete OT inventories, undocumented configs, informal change management
  • Threat & Vulnerability (TVM) - No threat modelling, no actor TTPs mapped to your environment, MITRE ATT&CK underutilised or ignored
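As an added illustration of the anti-pattern rule above (this is example code, not code from the post or from the Overcyte platform), a small Python evaluator that scores a domain's MIL and caps it when a blocker is exhibited. The domain codes EDM and ACM come from the post; the practice and anti-pattern identifiers are constructed placeholders, and the assumption that MILs are cumulative (MIL 2 requires everything at MIL 1) is mine.

```python
# Toy AESCSF-style maturity scoring with anti-pattern blockers (added example).
# Domain codes EDM/ACM come from the post; practice and anti-pattern ids are
# constructed placeholders, not the framework's real practice text.
# Assumption: MILs are cumulative, so a domain sits at MIL n only if every
# practice at MIL 1..n is met and no anti-pattern at MIL 1..n is exhibited.
from dataclasses import dataclass, field

@dataclass
class Domain:
    code: str
    practices: dict       # MIL -> set of practice ids required at that level
    anti_patterns: dict   # MIL -> set of anti-pattern ids that block that level

@dataclass
class Assessment:
    met: set = field(default_factory=set)        # practices the organisation meets
    exhibited: set = field(default_factory=set)  # anti-patterns observed

def domain_mil(domain, a):
    """Highest MIL achieved for the domain (0 when MIL-1 is not reached)."""
    level = 0
    for mil in (1, 2, 3):
        missing = domain.practices.get(mil, set()) - a.met
        blockers = domain.anti_patterns.get(mil, set()) & a.exhibited
        if missing or blockers:   # a single blocker caps the entire domain
            break
        level = mil
    return level

def gaps_to(domain, a, target):
    """Missing practices and exhibited blockers between the org and the target MIL."""
    missing, blockers = [], []
    for mil in range(1, target + 1):
        missing += sorted(domain.practices.get(mil, set()) - a.met)
        blockers += sorted(domain.anti_patterns.get(mil, set()) & a.exhibited)
    return {"missing_practices": missing, "anti_patterns": blockers}

# Constructed domain definitions (placeholder identifiers).
EDM = Domain("EDM", {1: {"EDM-1a", "EDM-1b"}, 2: {"EDM-2a"}, 3: {"EDM-3a"}},
             {1: {"AP-EDM-no-supplier-register"}, 2: {"AP-EDM-no-cyber-clauses"}})
ACM = Domain("ACM", {1: {"ACM-1a"}, 2: {"ACM-2a", "ACM-2b"}, 3: {"ACM-3a"}},
             {2: {"AP-ACM-informal-change-mgmt"}})

# Constructed assessments: the EDM org meets every practice, but one MIL-2
# anti-pattern (no cyber clauses in contracts) caps the whole domain at MIL 1.
EDM_ORG = Assessment(met={"EDM-1a", "EDM-1b", "EDM-2a", "EDM-3a"},
                     exhibited={"AP-EDM-no-cyber-clauses"})
ACM_ORG = Assessment(met={"ACM-1a", "ACM-2a", "ACM-2b"})  # clean MIL 2, MIL-3 gap
```

Running `domain_mil(EDM, EDM_ORG)` returns 1 even though MIL-3 practices are met, which is the point of the rule: remediating the blocker, not adding more practices, is what moves the domain up.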

Is AESCSF Right for Kiwi Orgs?

For us, there are reasons why the AESCSF works, and things that do need to be adapted for NZ:

  • GOOD:
    • No NZ energy-specific cyber framework exists
    • Shared Five Eyes threat landscape (Volt/Salt Typhoon)
    • Similar market structure (gen, Tx, Dx, retail, DER)
    • NZ regulation heading in the same direction (PSR, NCSC)
  • WHAT TO CHANGE:
    • Swap AU regulatory refs for NZ Privacy Act, PSR, NZISM
    • Adapt the Criticality Assessment Tool for the NZ energy market
    • SP-1 at 123 practices isn't light; NZ needs a small business entry ramp
    • The SA domain assumes AEMO threat intel; NZ has NCSC monitoring but no energy-specific threat intelligence sharing

"AESCSF wasn't built for New Zealand, but it was built for the problems New Zealand has."

Powering collaboration

There are 29 electricity distribution businesses (EDBs) that take power from the national grid and deliver it to homes and businesses in New Zealand, represented by Electricity Networks Aotearoa (ENA).

The industry membership body recently submitted a response to the latest government CNI consultation that highlighted how, "Over recent years, EDBs have increased collaboration on cyber security, including sharing threat information and aligning practices across parts of the sector. Many EDBs are also progressing toward adoption of the Australian Energy Sector Cyber Security Framework (AESCSF)."

And major operators like Meridian Energy and PowerCo have made public commitments to align with the Australian framework.

As PowerCo noted, for cyber risk management, setting a baseline measure for cyber security using the Australian Energy Sector Cyber Security Framework (AESCSF) can help establish key areas for improvement and ensure a reliable energy supply.

Measuring compliance with the AESCSF

At Overcyte, we believe that whilst the Australian Energy Sector Cyber Security Framework wasn’t built for New Zealand, it was built for the problems New Zealand has.

We have the AESCSF available in the platform today.

We're here to help operators of critical infrastructure continuously assess their cybersecurity maturity, so reach out to our experts for a demo.

This blog is adapted from our original February 2026 webinar - "Getting the Most Value from the Australian Energy Sector Cyber Security Framework in NZ".

Check out our upcoming webinars for more timely cybersecurity information for CNI operators and read more posts from our founder Aaron Gayton.
