Publications - Article

Information Security for Electric Power Utilities – Results of Cigré WG D2.22


Giovanna Dondossola*, Goran Ericsson**, Age Torkilseng***, Marc Tritschler****, Ludovic Pietre-Cambacedes*****

CIGRE Session 43, Paris, 22-24 August 2010

*RSE SPA
**SWEDISH NATIONAL GRID
***SALTEN KRAFTSAMBAND, NORWAY
****KEMA, UNITED KINGDOM
*****EDF, FRANCE

This paper reflects the content of the Technical Brochure (TB) covering the efforts of Working Group WG D2.22 "Treatment of Information Security for Electric Power Utilities (EPUs)". The TB is published during 2010. The work has been carried out between 2006 and 2009. WG D2.22 is the successor of Joint Working Group (JWG) D2/B3/C2-01 on "Security for Information Systems and Intranets in Electric Power System" (2003 – 2006/2007). WG D2.22 has focused and deepened the study on the following three issues:

• Frameworks for EPUs on how to manage information security;
• Risk assessment (RA) and Risk Management (RM): common models and methods for treating vulnerabilities, threats and attacks; and
• Security technologies for SCADA (Supervisory Control And Data Acquisition) systems/control systems, including real-time control networks.

As intermediate results, WG D2.22 has produced six papers, published in Electra and at the Cigré Session and Colloquium. It is concluded that an overall security framework should be based on existing standards and "best practices", taking into account legal and regulatory requirements. The framework should be based on risk assessment. The technical solution should be based on a domain model, with technical security controls assigned consistently with the domain definition. The selection of the "proper" standard(s) is delicate, and an up-to-date and critical view of the fast-moving landscape is necessary. It is evident that information security for an EPU will continue to be an important issue, in both the short and the long run.

As natural further work, the following are proposed:

1) To improve methods for the use of security frameworks and for deploying risk assessment and management methods;
2) To provide guidance on how to more deeply involve and gain acceptance from top-level management regarding the importance of information and IT security;
3) To provide guidance on how to embed information security as a natural and mandatory part of all phases of a project, from specification through acceptance, and throughout the operational life of a system.
