Learn how Australian companies in the energy sector can stay compliant with the AESCS framework and how passkeys help to comply with IAM requirements.
Alex
Created: March 14, 2025
Updated: March 21, 2025
Energy powers every aspect of our modern world. That is why this sector is part of the so-called critical infrastructure. If it goes down, everything comes to a stop, from online shopping and medical procedures to transportation networks. Unfortunately, cyber-attacks aimed at energy providers are escalating, driven by opportunistic hackers who find weak points in these essential systems.
Thousands of devices connect to power grid control systems every day through the Internet of Things (IoT), and the lines between traditional IT and OT continue to blur. As a result, attackers have more ways to infiltrate and disrupt the flow of electricity than ever before. To combat these problems, the Australian government has responded with measures such as the Australian Energy Sector Cyber Security Framework (AESCSF).
In this blog post, we’ll explore:
What is the AESCSF and who is impacted by it?
Which domains does it cover and what regulations are there?
How do passkeys help stay compliant with the IAM domain of AESCSF?
The Australian Energy Sector Cyber Security Framework (AESCSF) is a cybersecurity framework designed for the Australian energy sector, providing guidelines and best practices to assess, evaluate and improve cybersecurity capabilities. It helps organizations in the energy sector assess, prioritize and improve their cybersecurity capabilities and maturity, is tailored to the unique needs of Australia’s energy sector, and covers a broad range of entities.
The Australian Energy Sector Cyber Security Framework (AESCSF) was developed by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre (ACSC) and the Cyber and Infrastructure Security Centre (CISC), in 2018.
Since its creation, AESCSF’s scope has expanded beyond Australia’s energy sector to other critical infrastructure areas, such as liquid fuel, electricity generation, transmission, distribution, gas production, energy retail, market operations, and other critical service providers. The framework is incorporated within the Security of Critical Infrastructure Act 2018 (SoCI Act), which highlights the national importance of safeguarding secure and reliable energy supplies to protect economic stability and national security.
Table 3. Recommended AESCSF participants
Electricity | Gas | Liquid Fuels
---|---|---
Generation, Transmission, Independent Interconnectors, Distribution, Retail, Market operations | Production, Transmission, Bulk Storage, Distribution, Retail, Market operations | Extraction and production, Transport and import, Storage, Refinement, Wholesale and retail
The framework contains two distinct sections for the assessment of every company:
Determination of company criticality in the energy sector: This assessment is performed with a sector Criticality Assessment Tool (CAT). Each criticality rating is aligned to a respective Security Profile (SP) rating, from 1 (lowest) to 3 (highest).
Determination of company maturity: This assessment is done across 11 domains and rated with the Maturity Indicator Level or MIL (MIL-1, MIL-2 or MIL-3).
The domains include the following content:
Establish, operate, and maintain an enterprise cybersecurity risk management program.
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organisation’s cybersecurity activities.
Manage the organisation’s OT and IT assets, including both hardware and software, commensurate with the risk to critical infrastructure and organisational objectives.
Create and manage identities for entities that may be granted logical or physical access to the organisation’s assets. Control access to the organisation’s assets.
Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities.
Establish and maintain plans, procedures, and technologies to detect, identify, analyse, manage and respond to cybersecurity threats.
Establish and maintain activities and technologies to collect, analyse, alarm, present, and use operational and cybersecurity information.
Establish and maintain plans, procedures, and technologies to detect, analyse, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event.
Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities.
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel.
Establish and maintain plans, procedures, and technologies to reduce privacy-related risks and manage personally identifiable information through its lifecycle.
Apart from the domains there are also three versions of the AESCSF which participants can select based on their criticality to the energy sub-sectors in which they operate:
AESCSF version 2, full assessment (v2): suited to medium and high criticality organisations and lower criticality organisations who are experienced with the AESCSF
AESCSF version 1, full assessment (v1): minimum standard for medium and high criticality organisations. May also suit lower criticality organisations that are still maturing or that don’t have the resources to complete the v2 assessment
AESCSF version 2, lite assessment (v2 lite): minimum standard for medium and high criticality organisations. May also suit lower criticality organisations that are still maturing or that don’t have the resources to complete the v2 assessment
From the domains used in the AESCSF, passkeys most directly and obviously improve your Identity and Access Management (IAM) domain. In practice, however, rolling out a phishing-resistant login solution (like passkeys) also creates positive ripple effects in several other domains:
Passkeys strengthen access control by moving away from shared-secret (password) authentication to a cryptographic approach.
Authentication via passkeys relies on multi-factor authentication that is seamless for the user (no waiting for OTPs to arrive or authenticator apps to load) and provides phishing resistance.
Passkeys are unique to each service, so the bad habits users tend to have with passwords (reuse, sharing, using easy passwords) are avoided completely.
The AESCSF’s Identity & Access Management domain explicitly calls for “secure authentication” and ensuring “access to the organization’s assets is commensurate with risk.” By removing a major threat vector (password compromise) and enforcing strong cryptographic authentication, passkeys directly meet this requirement.
Igor Gjorgjioski
Head of Digital Channels & Platform Enablement, VicRoads
Corbado proved to be a trusted partner. Their hands-on, 24/7 support and on-site assistance enabled a seamless integration into VicRoads' complex systems, offering passkeys to 5 million users.
By replacing passwords with cryptographic passkeys, you greatly reduce the risk of credential compromise. This aligns precisely with AESCSF’s focus on ensuring only the right people (or machines) have access to sensitive OT/IT assets.
Adopting passkeys is often part of an overarching modernization effort or “passwordless” initiative, which signals a more mature cybersecurity program.
Similar to other efforts of the Australian government (Australia’s Scam-Safe Accord, Essential Eight Framework, Cyber Security Bill) to secure infrastructure from cyber attacks, the AESCSF is another step in the right direction. In this blog post, we analyzed the AESCSF, which currently applies to the energy sector. The main questions we answered:
What is the AESCSF and who is impacted by it? The Australian Energy Sector Cyber Security Framework (AESCSF) is a cybersecurity framework designed for the Australian energy sector, impacting organizations within the energy, gas, and liquid fuel sectors by providing guidelines to assess, evaluate, and improve their cybersecurity capabilities and maturity.
Which domains does it cover and what regulations are there? The AESCSF covers 11 domains, including Identity and Access Management while aligning with various regulations and standards such as the Australian Privacy Principles, Notifiable Data Breaches scheme, and international frameworks like NIST CSF and ISO/IEC 27001.
How do passkeys help stay compliant with the IAM domain of AESCSF? Passkeys help organizations stay compliant by providing a secure, phishing-resistant authentication method that aligns with best practices for multi-factor authentication, thereby enhancing the security and integrity of access controls within the energy sector.