---
url: 'https://www.corbado.com/blog/AESCSF-compliance-passkeys'
title: 'AESCSF Compliance with Passkey Authentication'
description: 'Learn how Australian companies in the energy sector can stay compliant with the AESCS framework and how passkeys help to comply with IAM requirements.'
lang: 'en'
author: 'Alex'
date: '2025-03-14T19:36:09.417Z'
lastModified: '2026-03-27T07:01:13.650Z'
keywords: 'AESCSF passkeys, aescsf, energy passkeys, Australia energy, energy compliance, compliance in energy sector'
category: 'Authentication'
---

# AESCSF Compliance with Passkey Authentication

## Key Facts

- Passkeys directly satisfy AESCSF's **Identity and Access Management** domain by
  replacing password-based authentication with cryptographic, phishing-resistant
  multifactor authentication that requires no OTPs.
- AESCSF was developed by AEMO with the ACSC and CISC in 2018, covering 11 domains across
  electricity, gas and liquid fuel sectors in Australia.
- Organizations are rated using a **Criticality Assessment Tool** (Security Profile 1-3)
  and Maturity Indicator Levels (MIL-1, MIL-2 or MIL-3) assessed across all 11 domains.
- AESCSF is incorporated within the **Security of Critical Infrastructure Act 2018**,
  giving it national legal weight for Australian energy providers and critical service
  operators.
- Passkeys also strengthen the **Risk Management** and Cybersecurity Program Management
  domains by eliminating credential compromise risks and signaling a mature passwordless
  security initiative.

## 1. Introduction

[Energy](https://www.corbado.com/passkeys-for-energy) powers every aspect of our modern world. That is why this
sector is part of the so-called
[critical infrastructure](https://www.corbado.com/glossary/critical-infrastructure). If it goes down, everything
comes to a stop, from online shopping and medical procedures to transportation networks.
Unfortunately, cyber-attacks aimed at [energy](https://www.corbado.com/passkeys-for-energy) providers are
escalating, driven by opportunistic hackers who find weak points in these essential
systems.

Thousands of devices connect to power grid control systems every day through the Internet
of Things ([IoT](https://www.corbado.com/blog/how-to-use-passkeys-apple-watch)), and the lines between
traditional IT and OT continue to blur. As a result, attackers have more ways to
infiltrate and disrupt the flow of electricity than ever before. To counter these problems,
the Australian [government](https://www.corbado.com/passkeys-for-public-sector) has taken measures with the
[Australian Energy Sector Cyber Security Framework (AESCSF)](https://aemo.com.au/initiatives/major-programs/cyber-security/aescsf-framework-and-resources).

In this blog post, we’ll explore:

- What is the AESCSF and who is impacted by it?

- Which domains does it cover and what regulations are there?

- How do passkeys help stay compliant with the IAM domain of AESCSF?

## 2. What is the AESCSF?

The Australian [Energy](https://www.corbado.com/passkeys-for-energy) Sector Cyber Security Framework (AESCSF) is
a cybersecurity framework designed for the Australian energy sector. It provides guidelines
and best practices that help organizations in the energy sector assess, prioritize and
improve their cybersecurity capabilities and maturity. The framework is tailored to the
unique needs of Australia’s energy sector and covers a broad range of entities.

### 2.1 Who developed AESCSF?

The Australian Energy Sector Cyber Security Framework (AESCSF) was developed by
[the Australian Energy Market Operator (AEMO)](https://aemo.com.au/) in collaboration with
the [Australian Cyber Security Centre (ACSC)](https://www.cyber.gov.au/) and the
[Cyber and Infrastructure Security Centre (CISC)](https://www.cisc.gov.au/), in 2018.

### 2.2 Who is impacted by AESCSF?

Since its creation, AESCSF’s scope has expanded beyond Australia’s energy sector to other
[critical infrastructure](https://www.corbado.com/glossary/critical-infrastructure) areas, such as liquid fuel,
electricity generation, transmission, distribution, gas production, energy
[retail](https://www.corbado.com/passkeys-for-e-commerce), market operations, and other critical service
providers. The framework is incorporated within the Security of
[Critical Infrastructure](https://www.corbado.com/glossary/critical-infrastructure) Act 2018 (SoCI Act), which
highlights the national importance of safeguarding secure and reliable energy supplies to
protect economic stability and national security.

**Table 3. Recommended AESCSF participants**

| **Electricity**                                                                                                         | **Gas**                                                                                                  | **Liquid Fuels**                                                                                               |
| ----------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| Generation <br/> Transmission <br/> Independent Interconnectors <br/> Distribution <br/> Retail <br/> Market operations | Production <br/> Transmission <br/> Bulk Storage <br/> Distribution <br/> Retail <br/> Market operations | Extraction and production <br/> Transport and import <br/> Storage <br/> Refinement <br/> Wholesale and retail |

## 3. Which contents and domains does AESCSF cover?

The framework contains two distinct sections for the assessment of every company:

- **Determination of company criticality in the energy sector:** This assessment is
  performed with a sector Criticality Assessment Tool (CAT); each criticality rating is
  aligned to a respective Security Profile (SP) rating, from 1 (lowest) to 3 (highest).

- **Determination of company maturity:** This assessment is done across 11 domains and
  rated with a Maturity Indicator Level or MIL (MIL-1, MIL-2 or MIL-3).

The domains include the following content:

### 3.1 Risk management (RM)

Establish, operate, and maintain an enterprise cybersecurity risk management program.

### 3.2 Cybersecurity program management (CPM)

Establish and maintain an enterprise cybersecurity program that provides governance,
strategic planning, and sponsorship for the organisation’s cybersecurity activities.

### 3.3 Asset, change, and configuration management (ACM)

Manage the organisation’s OT and IT assets, including both hardware and software,
commensurate with the risk to critical infrastructure and organisational objectives.

### 3.4 Identity and access management (IAM)

Create and manage identities for entities that may be granted logical or physical access
to the organisation’s assets. Control access to the organisation’s assets.

### 3.5 Information Sharing and Communication (ISC)

Establish and maintain relationships with internal and external entities to collect and
provide cybersecurity information, including threats and
[vulnerabilities](https://www.corbado.com/glossary/vulnerability).

### 3.6 Threat and Vulnerability Management (TVM)

Establish and maintain plans, procedures, and technologies to detect, identify, analyse,
manage and respond to cybersecurity threats.

### 3.7 Situational Awareness (SA)

Establish and maintain activities and technologies to collect, analyse, alarm, present,
and use operational and cybersecurity information.

### 3.8 Event and Incident Response, Continuity of Operations (IR)

Establish and maintain plans, procedures, and technologies to detect, analyse, and respond
to cybersecurity events and to sustain operations throughout a cybersecurity event.

### 3.9 Supply Chain and External Dependencies Management (EDM)

Establish and maintain controls to manage the cybersecurity risks associated with services
and assets that are dependent on external entities.

### 3.10 Workforce Management (WM)

Establish and maintain plans, procedures, technologies, and controls to create a culture of
cybersecurity and to ensure the ongoing suitability and competence of personnel.

### 3.11 Australian Privacy Management (APM)

Establish and maintain plans, procedures, and technologies to reduce privacy-related risks
and manage personally identifiable information through its lifecycle.

Apart from the domains there are also three versions of the AESCSF which participants can
select based on their criticality to the energy sub-sectors in which they operate:

### 3.12 Versions of the AESCSF

1. **AESCSF version 2, full assessment (v2):** suited to medium and high criticality
   organisations and lower criticality organisations who are experienced with the AESCSF.

2. **AESCSF version 1, full assessment (v1):** minimum standard for medium and high
   criticality organisations. May also suit lower criticality organisations that are still
   maturing or that don’t have the resources to complete the v2 assessment.

3. **AESCSF version 2, lite assessment (v2 lite):** minimum standard for medium and high
   criticality organisations. May also suit lower criticality organisations that are still
   maturing or that don’t have the resources to complete the v2 assessment.

![AESCF implementation steps](https://www.corbado.com/website-assets/AESCF_0869dcdd3c.png)

## 4. How can Passkeys help with AESCSF compliance?

From the domains used in the AESCSF, passkeys most directly and obviously improve your
**Identity and Access Management (IAM)** domain. In practice, however, rolling out a
[phishing](https://www.corbado.com/glossary/phishing)‐resistant login solution (like passkeys) also creates
positive ripple effects in several other domains:

### 4.1 Improvement of Identity and Access Management

- Passkeys strengthen access control by moving away from shared-secret (password)
  authentication to a cryptographic approach.

- Authentication via passkeys relies on multifactor authentication that is seamless for
  the user (no waiting for OTPs to arrive or [authenticator](https://www.corbado.com/glossary/authenticator) apps
  to load) and provides [phishing](https://www.corbado.com/glossary/phishing) resistance.

- Passkeys are unique to each service, so the bad habits users tend to have with passwords
  (reuse, sharing, choosing easy passwords) are avoided completely.

The AESCSF’s Identity & Access Management domain explicitly calls for “secure
authentication” and ensuring “access to the organization’s assets is commensurate with
risk.” By removing a major threat vector (password compromise) and enforcing strong
cryptographic authentication, passkeys directly meet this requirement.

### 4.2 Improvement of Risk Management

By replacing passwords with cryptographic passkeys, you greatly reduce the risk of
credential compromise. This aligns precisely with AESCSF’s focus on ensuring only the
right people (or machines) have access to sensitive OT/IT assets.

### 4.3 Improving Cybersecurity Program Management

Adopting passkeys is often part of an overarching modernization effort or “passwordless”
initiative, which signals a more mature cybersecurity program.

## 5. Conclusion

Similar to other efforts of the Australian [government](https://www.corbado.com/passkeys-for-public-sector)
(Australia’s [Scam Safe Accord](https://www.corbado.com/blog/australia-scam-safe-accord), Essential Eight
Framework, [Cyber Security Bill](https://www.corbado.com/blog/cyber-security-bill-australia)) to secure
infrastructure from cyber attacks, the AESCSF is another step in the right
direction. In this blog post, we analyzed the AESCSF that is currently in force in
the energy sector. The main questions we answered:

- **What is the AESCSF and who is impacted by it?** The Australian Energy Sector Cyber
  Security Framework (AESCSF) is a cybersecurity framework designed for the Australian
  energy sector, impacting organizations within the energy, gas, and liquid fuel sectors
  by providing guidelines to assess, evaluate, and improve their cybersecurity
  capabilities and maturity.

- **Which domains does it cover and what regulations are there?** The AESCSF covers 11
  domains, including Identity and Access Management while aligning with various
  regulations and standards such as the Australian Privacy Principles, Notifiable Data
  Breaches scheme, and international frameworks like [NIST](https://www.corbado.com/blog/nist-passkeys) CSF and
  ISO/IEC 27001.

- **How do passkeys help stay compliant with the IAM domain of AESCSF?** Passkeys help
  organizations stay compliant by providing a secure,
  [phishing](https://www.corbado.com/glossary/phishing)-resistant authentication method that aligns with best
  practices for multi-factor authentication, thereby enhancing the security and integrity
  of access controls within the energy sector.

## Frequently Asked Questions

### What does AESCSF's IAM domain specifically require for authentication?

AESCSF's IAM domain explicitly requires 'secure authentication' and access controls
'commensurate with risk.' Passkeys satisfy this by using cryptographic credentials instead
of shared-secret passwords, eliminating credential reuse and phishing attack vectors
without adding friction from OTPs or authenticator apps.

### Which organizations are required to participate in AESCSF assessments?

AESCSF applies to organizations across electricity (generation, transmission, distribution
and retail), gas (production, transmission, bulk storage and retail) and liquid fuels
(extraction, transport, refinement and wholesale). Its incorporation into the Security of
Critical Infrastructure Act 2018 gives it national legal significance for Australian
energy entities.

### What are the three AESCSF assessment versions and how does an organization choose between them?

AESCSF offers v2 full assessment for medium and high criticality or experienced
organizations, v1 full assessment as the minimum standard for medium and high criticality
organizations and v2 lite for lower criticality organizations still maturing. Selection is
based on the Sector Criticality Assessment Tool rating, which ranges from 1 (lowest) to 3
(highest).

### How do passkeys improve AESCSF compliance beyond just the IAM domain?

Passkeys create compliance benefits across multiple AESCSF domains. Replacing passwords
with cryptographic authentication reduces credential compromise risk under the Risk
Management domain, and adopting a passwordless initiative signals program maturity under
the Cybersecurity Program Management domain.
