ARInnovate is a specialised consulting firm providing organisations with bespoke software development and cyber security services.

Client: Renewable Energy Company

Location: Australia and Europe

Situation: Because it operates in Australia, the organisation had to comply with the Australian Energy Market Operator’s (AEMO) Australian Energy Sector Cyber Security Framework (AESCSF). At the same time, as a global company, it had adopted NIST CSF as its information security control framework.

Ask: The organisation asked ARInnovate to achieve the following:

  • Conduct an assessment to identify gaps between their current IT/OT environment and AESCSF requirements.
  • Establish a common control framework that will help them comply with both NIST CSF and AESCSF requirements.
  • Remediate the gaps identified through the assessment.

Our Solution: We delivered our solution in 3 phases:

Phase 1: To identify the gaps between the IT/OT environment and AESCSF requirements, we adopted a 6-step approach:

  • Conducted a threat assessment to identify threat scenarios that will impact the organisation.
  • Identified controls that would defend the organisation if the threat scenarios were to materialise.
  • Conducted a risk assessment to identify gaps between the current control implementation and the desired control implementation.

Phase 2: Established a common control framework based on the controls identified in the previous phase. The controls are mapped to the AESCSF and NIST frameworks.

Phase 3: Remediated the gaps. The gaps remediated were in the following domains:

  • Security Awareness Training
  • Asset Management
  • Vulnerability identification and remediation
  • Security Monitoring
  • Risk Management