Client: Renewable Energy Company
Location: Australia and Europe
Situation: Because the organisation operates in Australia, it had to comply with the Australian Energy Market Operator’s (AEMO) Australian Energy Sector Cyber Security Framework (AESCSF). At the same time, as a global company, it had adopted NIST CSF as its information security control framework.
Ask: The organisation asked ARInnovate to achieve the following:
- Conduct an assessment to identify gaps between their current IT/OT environment and AESCSF requirements.
- Establish a common control framework that will help them comply with both NIST CSF and AESCSF requirements.
- Remediate the gaps identified through the assessment.
Our Solution: We delivered our solution in 3 phases:
Phase 1: To identify the gaps between the IT/OT environment and AESCSF requirements, we adopted a 6-step approach:
- Conducted a threat assessment to identify threat scenarios that would impact the organisation.
- Identified controls that would defend the organisation if the threat scenarios were to materialise.
- Conducted a risk assessment to identify gaps between the current control implementation and the desired control implementation.
Phase 2: Established a common control framework based on the controls identified in the previous step. The controls are mapped to the AESCSF and NIST frameworks.
Phase 3: Remediated the gaps. The gaps remediated were in the following domains:
- Security Awareness Training
- Asset Management
- Vulnerability Identification and Remediation
- Security Monitoring
- Risk Management