AESCSF: The Cyber Security Framework for Australia's Energy Sector

The Australian Energy Sector Cyber Security Framework is the annual self-assessment program that energy sector operators use to measure, benchmark and improve their cyber security maturity. Completing it feeds directly into your SOCI Critical Infrastructure Risk Management Program obligations. Overcyte automates the assessment workflow and tracks maturity continuously, so when the annual submission window opens, you're not starting from scratch.

Get in touch

What the AESCSF is and who it applies to

The AESCSF was developed collaboratively by the Australian Energy Market Operator (AEMO), the Australian Cyber Security Centre (ACSC), and the Cyber and Infrastructure Security Centre (CISC). It's not a vendor framework; it's a government and industry initiative designed specifically for the Australian energy sector.

The framework applies to electricity, gas and liquid fuels sub-sectors. Version 2, released in October 2023, expanded the framework from 282 to 354 practices and anti-patterns, placed greater emphasis on operational technology and supply chain security, and is now explicitly recognised by CISC as compatible with SOCI CIRMP obligations, making it relevant to all 11 regulated sectors under the Act, not just energy.

The AESCSF is built on internationally recognised foundations, the US Department of Energy's ES-C2M2 and the NIST CSF, with Australian-specific additions including the Essential Eight, the Australian Privacy Principles, and the Notifiable Data Breaches scheme.

The 2026 AESCSF program is currently open. The assessment portal opened on 16 March 2026.

How the AESCSF Assessment Works

The AESCSF assessment has two components that work in sequence. The first determines your criticality. The second measures your cybersecurity maturity against that criticality baseline.

Criticality Assessment

The Criticality Assessment Tool (CAT) determines your organisation's criticality relative to your peers in the sector. There are separate versions for the electricity, gas and liquid fuels sub-sectors. The outcome of your criticality assessment determines which Security Profile applies to your organisation; this is the starting point for everything that follows.

Maturity Self-Assessment

The self-assessment measures your cyber security capability and maturity across 11 domains. The Full assessment covers all 354 practices and anti-patterns and is designed for medium and high-criticality entities. The Lite assessment, at 29 questions, is suited to low-criticality entities, smaller DER/CER operators, or organisations new to the framework. Both versions are available through the AEMO assessment portal during the annual program window.

How Maturity is Measured: MILs and Security Profiles

The AESCSF uses two distinct measurement dimensions. Understanding both is essential for setting a target state and tracking progress year on year.

Maturity Indicator Levels (MILs)

MILs run from MIL-0 to MIL-3 and are scored independently for each domain, so an organisation can sit at different levels in different domains: MIL-2 in Risk Management and MIL-1 in Supply Chain, for example. MILs are cumulative within a domain: every practice at a given level must be met before the next level counts, so meeting MIL-3 practices earns nothing while a MIL-2 practice is still open. The overall MIL is the lowest score across all domains, which means one weak domain pulls the whole score down.

Security Profiles (SPs)

Security Profiles are unique to the AESCSF; they don't exist in the C2M2 model, the framework on which the AESCSF is built. There are three SPs, aligned to the three criticality levels determined by the CAT. SPs are cumulative; SP-2 requires SP-1 to be achieved first. Where MILs measure domain-level maturity, SPs represent the target state maturity for your organisation based on its criticality to the sector. Achieving your designated SP is the primary compliance objective of the annual self-assessment.
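The two MIL rules above (cumulative within a domain, lowest domain score overall) and the idea of a target state per domain are easy to get wrong when tracking maturity between submissions, so here is an added example that applies them to a set of practice results. This is constructed illustration code, not the AEMO toolkit or any Overcyte code: the domain names are from the list on this page, but the practice counts and results are made up, anti-patterns are not modelled, and the per-domain target MILs are an assumption (the page does not give the SP-to-practice mapping, so a target is supplied by the caller rather than derived from an SP).

```python
"""Illustration of the AESCSF MIL scoring rules stated on this page.

Rule 1: MILs are cumulative within a domain. A domain is at MIL-n only if every
        practice at MIL-1 .. MIL-n is met; higher-level practices met early do
        not count.
Rule 2: The overall MIL is the lowest domain MIL.

Constructed example, not AEMO's assessment tool. Practice counts and results
below are made up; anti-patterns are not modelled.
"""
from typing import Dict, List, Tuple

MAX_MIL = 3

# Constructed sample: per domain, a list of practice results at each MIL level.
# True = practice fully implemented. Counts are illustrative, not the real ones.
SAMPLE_RESULTS: Dict[str, Dict[int, List[bool]]] = {
    "Risk Management": {
        1: [True, True, True],
        2: [True, True],
        3: [False, True],           # one MIL-3 practice open -> MIL-2
    },
    "Supply Chain and Dependencies Management": {
        1: [True, True],
        2: [True, False],           # one MIL-2 practice open -> MIL-1
        3: [True, True],            # met, but does not count (Rule 1)
    },
    "Identity and Access Management": {
        1: [True, True, True, True],
        2: [True, True, True],
        3: [True, True],            # everything met -> MIL-3
    },
}

# Assumed per-domain target state, chosen by the caller (hypothetical values).
SAMPLE_TARGET: Dict[str, int] = {
    "Risk Management": 3,
    "Supply Chain and Dependencies Management": 2,
    "Identity and Access Management": 3,
}


def domain_mil(results: Dict[int, List[bool]]) -> int:
    """Rule 1: highest level such that every practice at every level up to it is met.

    A level with no recorded practices is treated as not assessed, which stops
    progression. Returns 0 when any MIL-1 practice is unmet.
    """
    achieved = 0
    for level in range(1, MAX_MIL + 1):
        practices = results.get(level, [])
        if practices and all(practices):
            achieved = level
        else:
            break
    return achieved


def assess(results_by_domain: Dict[str, Dict[int, List[bool]]]) -> Tuple[Dict[str, int], int]:
    """Score every domain (Rule 1) and take the minimum as the overall MIL (Rule 2)."""
    per_domain = {name: domain_mil(r) for name, r in results_by_domain.items()}
    overall = min(per_domain.values()) if per_domain else 0
    return per_domain, overall


def gaps(results_by_domain: Dict[str, Dict[int, List[bool]]],
         target: Dict[str, int]) -> Dict[str, List[Tuple[int, int]]]:
    """Unmet practices, as (level, index) pairs, that stand between each domain
    and its target MIL. Listed lowest level first because of the cumulative rule:
    closing a MIL-3 practice changes nothing while a MIL-2 practice is still open.
    """
    out: Dict[str, List[Tuple[int, int]]] = {}
    for name, results in results_by_domain.items():
        wanted = target.get(name, 0)
        missing = [
            (level, idx)
            for level in range(1, wanted + 1)
            for idx, ok in enumerate(results.get(level, []))
            if not ok
        ]
        if missing:
            out[name] = missing
    return out


if __name__ == "__main__":
    per_domain, overall = assess(SAMPLE_RESULTS)
    for name, mil in per_domain.items():
        print(f"{name}: MIL-{mil} (target MIL-{SAMPLE_TARGET[name]})")
    print(f"Overall MIL: MIL-{overall}")
    for name, missing in gaps(SAMPLE_RESULTS, SAMPLE_TARGET).items():
        print(f"  {name}: close {missing} (level, practice index), lowest level first")
```

The point the sample makes is the one the text makes: Supply Chain has every MIL-3 practice met but still scores MIL-1 because a single MIL-2 practice is open, and that one domain sets the overall MIL to 1 even though Identity and Access Management is at MIL-3. The gap list orders remediation accordingly.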

How AESCSF feeds into your SOCI obligations

How the AESCSF relates to SOCI obligations is one of the most common questions from energy sector compliance teams, and one of the most important to get right.

SOCI is the legal obligation. The AESCSF is a recognised framework for meeting the cyber security requirements within your CIRMP. AESCSF V2 is explicitly recognised by CISC as compatible with SOCI CIRMP obligations, so an annual AESCSF self-assessment that shows you meet the maturity level the CIRMP Rules specify for the framework is the evidence for the framework alignment requirement under SOCI. Completing the assessment on its own is not the test; the result has to demonstrate that the required level is met.

For energy sector operators, these are not two separate workstreams. The AESCSF self-assessment generates the evidence and maturity scoring that your CIRMP cyber security obligations require. Treating them as separate exercises doubles the effort for no additional compliance benefit. If your organisation is subject to both SOCI and AESCSF obligations, the most efficient path is a single integrated program: assess once, report to both.

The Eleven AESCSF Domains

The AESCSF self-assessment covers 354 practices and anti-patterns organised across eleven domains. Each domain has an independent MIL score; your program needs to address all eleven to achieve your target Security Profile.

Asset, Change and Configuration Management: Manage OT and IT assets commensurate with risk to critical infrastructure.

Identity and Access Management: Control access to systems and data based on least-privilege principles.

Threat and Vulnerability Management: Identify, prioritise and remediate vulnerabilities across IT and OT environments.

Situational Awareness: Establish monitoring and logging to maintain visibility of the operational environment.

Information Sharing and Communications: Share cyber security information with relevant stakeholders and government bodies.

Risk Management: Establish and maintain an enterprise cyber security risk management program.

Event and Incident Response: Detect, escalate and respond to cyber security events and incidents.

Supply Chain and Dependencies Management: Manage cyber security risks introduced through suppliers and third parties.

Workforce Management: Develop and maintain a workforce with the cyber security skills the organisation requires.

Cybersecurity Program and Management: Provide governance, strategic planning and sponsorship for cybersecurity activities.

Australian Privacy Management: Manage personal information in accordance with the Australian Privacy Principles.

How Overcyte Supports Your Annual AESCSF Program

The AESCSF's offline toolkit (spreadsheets, PDFs and manual evidence collection) works for a once-a-year exercise. It doesn't work for an organisation that needs to know where it stands between annual submissions, track improvement over time, or demonstrate progress to a board asking increasingly specific questions about cyber maturity.

Overcyte replaces the offline toolkit with a structured, guided self-assessment mapped to all 11 AESCSF domains and all 354 practices and anti-patterns. Evidence is collected in the platform as you go, not assembled retrospectively the week before the portal closes. Exportable reports map to AESCSF Security Profiles and MILs, giving your board and your CIRMP the documentation they need.

Trending insights across previous assessments show you where you've improved, where you've drifted, and what to prioritise next. For operators managing both AESCSF and SOCI obligations, Overcyte supports both in a single platform, alongside Essential Eight, ISO 27001, NIST CSF, ISA/IEC 62443 and more.

Identify. Secure. Assure.

Ready to simplify cybersecurity compliance for critical infrastructure?
Book a demo