If you operate in Australia's energy sector, the Australian Energy Sector Cyber Security Framework (AESCSF) is the most important cybersecurity standard you've probably never fully read. It's the framework that underpins your CIRMP cybersecurity obligations under the SOCI Act, and it's the benchmark CISC auditors will use when assessing your compliance posture.
This guide explains what the AESCSF is, how it works, who it applies to, and what you need to do to align with it — updated for the current regulatory environment in mid-2026.
What is the AESCSF?
The Australian Energy Sector Cyber Security Framework is a cybersecurity maturity framework built for organisations operating in Australia's electricity, gas and liquid fuels sectors. It is developed and maintained by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre (ACSC), the Cyber and Infrastructure Security Centre (CISC), energy sector regulators and industry. It is derived from the US Department of Energy's Cybersecurity Capability Maturity Model (C2M2), adapted to the Australian regulatory context, and designed with the operational technology (OT) environments that characterise energy infrastructure in mind: environments where a general IT security framework such as the Essential Eight, which is oriented to Windows-based corporate networks, does not fully address the risks involved.
The framework has two parts. A criticality assessment places each participant in a criticality band (low, medium or high) and so sets its target Security Profile (SP-1, SP-2 or SP-3). The framework core then assesses cybersecurity practices at three Maturity Indicator Levels (MIL-1 to MIL-3), so an organisation can see where it currently sits and build a roadmap toward its target profile. AEMO runs an annual assessment program and updates the framework periodically to reflect changes in the threat landscape and regulatory environment.
Who does the AESCSF apply to?
The AESCSF is relevant to any organisation operating in the electricity, gas, or liquid fuels sectors in Australia, including:
- Electricity generators (including renewable energy operators)
- Electricity network businesses (transmission and distribution)
- Gas producers, transmitters, and distributors
- Liquid fuels suppliers and pipeline operators
- Market operators and system operators
If your organisation owns or operates assets in these sectors and those assets are critical infrastructure assets under the SOCI Act, you are a responsible entity with CIRMP obligations. The AESCSF is one of the cybersecurity frameworks designated in the CIRMP Rules that you can adopt to meet the cyber and information security component of your Critical Infrastructure Risk Management Program (CIRMP), and for energy sector operators it is almost always the most appropriate choice.
How does the AESCSF relate to the SOCI Act?
Under the Security of Critical Infrastructure Act 2018, responsible entities in the energy sector must have a CIRMP in place that covers four hazard categories: cyber and information security, physical security and natural hazards, personnel security, and supply chain risks.
For the cybersecurity component of your CIRMP, the CIRMP Rules require you to adopt, and comply with, one of the following frameworks at the minimum level the Rules specify:
- The AESCSF, at Security Profile 1 (SP-1)
- The Australian Signals Directorate's Essential Eight, at Maturity Level One
- The NIST Cybersecurity Framework
- ISO/IEC 27001
- The US Department of Energy's Cybersecurity Capability Maturity Model (C2M2), at MIL-1
- An equivalent framework
For energy sector operators, the AESCSF is the most directly relevant because it was built for your environment. It accounts for the specific risks of operational technology — SCADA systems, industrial control systems, energy management systems — in a way that frameworks designed for general IT environments do not.
What's changing in 2026: The regulatory environment is becoming more demanding, not less. Following the first Independent Review of the SOCI Act delivered by Dr Jill Slay AM in January 2026, the Minister for Home Affairs opened consultation in March 2026 on enhanced CIRMP Rules — with proposed changes that specifically affect energy sector asset classes including electricity, gas, and liquid fuels. These reforms signal that AESCSF alignment expectations will only increase. The CISC has been actively auditing compliance since the 2024–25 financial year, and 2025–26 audits are underway.
How is the AESCSF structured?
The AESCSF starts with a criticality assessment rather than a one-size-fits-all control set. Each participant answers a set of criticality questions (based on factors such as the load or generation it controls and the number of customers it serves) and is placed in a low, medium or high criticality band, which determines its target Security Profile (SP-1, SP-2 or SP-3). Smaller participants can use the streamlined AESCSF Lite. This accounts for the fact that a large electricity transmission business has very different risk exposure and technical complexity to a small liquid fuels retailer.
The framework core is a set of practices grouped into eleven domains, inherited from C2M2 and supplemented with an Australian Privacy Management domain for local privacy legislation (exact domain names vary slightly between framework versions):
- Risk Management
- Asset, Change and Configuration Management
- Identity and Access Management
- Threat and Vulnerability Management
- Situational Awareness
- Event and Incident Response, Continuity of Operations
- Third-Party (Supply Chain) Risk Management
- Workforce Management
- Cybersecurity Architecture
- Cybersecurity Program Management
- Australian Privacy Management
For readers who think in NIST Cybersecurity Framework terms, the practices across these domains cover the five NIST functions:
Identify: understanding your assets, business environment, governance structures, risk management strategy and supply chain risks.
Protect: implementing safeguards to ensure delivery of critical energy services, covering access control, awareness and training, data security, information protection processes, maintenance and protective technology.
Detect: developing the capability to identify cybersecurity events, including anomalies, continuous monitoring and detection processes.
Respond: having the capability to contain the impact of a cybersecurity incident, including response planning, communications, analysis, mitigation and improvement.
Recover: maintaining plans for resilience and restoring capabilities and services impaired by a cybersecurity incident.
The AESCSF's own structure is derived from C2M2 rather than from NIST, but AEMO publishes mappings between the AESCSF and the NIST Cybersecurity Framework, which is useful if your organisation already reports against NIST.
What are the AESCSF maturity levels?
The AESCSF rates each practice at one of three Maturity Indicator Levels, taken from C2M2. At MIL-1 the practice is performed, even if only ad hoc. At MIL-2 it is documented, adequately resourced and consistently applied. At MIL-3 it is governed by policy, measured and periodically reviewed so that it improves over time. The target Security Profiles are built from these practices: SP-1 is the baseline, and SP-2 and SP-3 add practices for medium- and high-criticality participants.
In practical terms, most energy sector operators entering the AESCSF process for the first time find themselves at the lower levels: controls may exist but are not consistently applied, documented or tested. The CIRMP Rules set SP-1 as the minimum an AESCSF adopter must meet and maintain, and the criticality assessment may set a higher target. You are expected to be demonstrably progressing toward that target, not simply declaring where you currently sit.
For operators placed in the medium or high criticality bands, the target profile is correspondingly higher (SP-2 or SP-3) and regulators will expect faster progression. The defining compliance challenge in 2026 is the shift from documentation to evidence: regulators are looking for proof that controls are actually operating, not just written into a policy document.
What does an AESCSF assessment involve?
An AESCSF assessment typically follows this process:
1. Scoping: completing the criticality assessment to determine your criticality band and target Security Profile, and deciding which assets (IT and OT) are in scope.
2. Current state assessment: evaluating your existing controls against each AESCSF practice and rating it (Not Implemented, Partially Implemented, Largely Implemented or Fully Implemented), with the evidence that supports each rating.
3. Gap analysis: identifying where your current state falls short of your target Security Profile, and prioritising gaps by risk and effort to remediate.
4. Roadmap development: building a prioritised, time-bound remediation plan that maps directly to your CIRMP obligations and reporting calendar.
5. Ongoing assurance: maintaining visibility of your maturity through continuous monitoring and annual reassessment, aligned to AEMO's annual AESCSF assessment program and to the CIRMP annual report, which your board must approve and which is due within 90 days of the end of each financial year.
Working with an experienced managed security provider ensures the process is objective, thorough, and directly linked to your CIRMP documentation requirements. ASE Tech's SOCI compliance services include AESCSF gap assessments, maturity uplift programs, and ongoing managed security aligned to the framework.
How does the AESCSF relate to OT security?
One of the AESCSF's most important features for energy sector operators is its recognition that operational technology security is fundamentally different from IT security. OT environments — the SCADA systems, distributed control systems, and programmable logic controllers that physically control energy infrastructure — have different availability requirements, longer asset lifecycles, and different threat models than corporate IT.
A standard IT security framework applied to an OT environment can cause operational harm. Patching cycles appropriate for a corporate laptop may be incompatible with the operational requirements of a power station control system, where a reboot needs a planned outage window and vendor qualification of the patch. Where a vulnerability cannot be patched promptly, the practical answer is compensating controls such as network segmentation, application allow-listing and enhanced monitoring, with the residual risk recorded and accepted. The AESCSF accounts for this by incorporating OT-specific controls and risk considerations into its maturity model rather than assuming IT-style remediation timelines.
For energy operators with significant OT environments, AESCSF alignment should be complemented by a dedicated OT security program. You can read more about how ASE Tech approaches OT and industrial cybersecurity for critical infrastructure operators on our cybersecurity services page.
Common mistakes organisations make with AESCSF alignment
Treating it as a documentation exercise. The AESCSF requires demonstrable capability, not just written policies. CISC auditors will look for evidence that controls are actually implemented and operating effectively — this is the defining focus of 2026 compliance audits.
Underestimating OT scope. Many organisations assess their IT environment thoroughly but fail to include OT assets in scope. The AESCSF explicitly covers OT, and so does your CIRMP obligation.
Not factoring in the enhanced CIRMP Rules. The proposed 2026 CIRMP Rules enhancements specifically affect energy sector asset classes. Organisations that have just got their CIRMP across the line need to monitor these reforms closely — implementation timelines will be tight once the consultation period closes.
Not linking AESCSF to CIRMP documentation. Your CIRMP must identify the cybersecurity framework you have adopted and show that you comply with it at the required level. AESCSF assessment results, and the evidence behind them, need to feed directly into your CIRMP documentation and annual report.
Doing it once and not revisiting. The AESCSF is not a one-off compliance exercise. Annual review is a minimum — and mid-year reviews are prudent given the pace of regulatory change in 2026.
Getting started
If you're an energy sector operator who hasn't yet conducted an AESCSF assessment, or you have one in place but aren't confident it would hold up to a CISC audit, the starting point is a structured gap assessment.
ASE Tech works with Australian energy, water, transport, and telecommunications operators to implement and manage the security controls that underpin AESCSF and CIRMP compliance. Contact our team to book an initial assessment, or visit our SOCI Act compliance services page to learn more about how we support critical infrastructure operators.