EMERGING STANDARDS AND METHODOLOGICAL ISSUES FOR TUE SECURITY ANALYSIS OF POWER SYSTEM INFORMATION INFRASTRUCTURES G. Dondossola (*), O. Lamquet (*), M. Masera (+) (*) CESI- Centro Elettrotecnico Sperimentale Italiano, Milano, ltaly (+) JRC – Joint Research Centre of the European Commission, Ispra, ltaly 1. Introduction Security issues deriving from the massive usage of information and communication devices are an unavoidable concern of modern infrastructures. There is a generalized perception (aIthough no big related catastrophe has happened yet) that the probability and potentiaI impact of security breaches have grown heavily in recent years due 10 the increasing interconnectedness among systerns and organisations. It is also recognised that potentiaI chains of events, concatenated across interlinked infrastructures, could propagate magnifying the effects of perhaps minor triggering glitches. Ultimately, the welfare and prosperity of our society depend on the proper operation of criticaI infrastructures. The primary role played by electric energy and the highly dynamic context that characterises the new economie and organisational models of national deregulated energy markets, put highly criticaI security issues on the power systerns. This requires on the one hand robust technologies and architectures, and on the other effective methodologies for the assessment of the security risks. Risk assessments need to consider: a.) the potentiaI threats to system assets, of accidental and intentionaI origin, with direct effect on the assets or through dependencies with other infrastructures; b.) the security policy regime, including roles of and authorisations given to the different actors allowed to interact with the system, c.) the way in which threats might exploit vulnerabilities and affect power system assets, and eventually the business objectives of the power company; and d.) their ultimate impact on the electric power provision. According to the results of the security risk assessment of their installations, power organisations should produce and enforce an adequate security policy, taking into account organisationaI and technical issues. This should result in a continuous evaluation of threats and vulnerabilities, of the functionaI countermeasures and assurance capabilities put in pIace, and of their operational effectiveness. The importance of the security aspects in the electric power field is confirmedby the constitution of securityworkinggroupsby standardorganisations, such as the Working Group 15 "Data and communication security" inside the Technical Committee No. 57 "Power system control and associated communications" of the IEC InternationalElectro-technicalCommissiono IEC TC57 WG 15 has published a Technical Report 62210 "Power system control and associated communications- Data and communicationsecurity" [1] which represents a valuable approach for introducingsecurityin power systemcontrol. In this paper we present a contribution to the security analysis of power systems. Section 2 describes and comments on the IEC TR 62210 report; section 3 illustrates key aspects of our methodology under development, and section 4 discusses foreseeable architectural patterns of future Distribution Management Systems, examining some of the security issues. The full methodology and its application to the architecturaI patterns, proposed in section 4, is out of the scope of this paper and is the object of future work. 2. Security analysis or Power Systems: The work or emerging standards The application of computer and communication systems for the control and protection of power installations requires the assurance that, in addition to their intended operation, they will not induce failures or aIlow the intrusion of malicious agents (e.g. hackers, virus). In this context, until recently information and communication security analyses were concentrated on internaI causes (technicaI components and human operators), and aImost exclusively on accidental faults. The increasing use of public information networks requires the systematic consideration of deliberate threats, and as a consequence a more comprehensive view of security encompassing all relevant elements (organisational, technical, etc.) of an electric utility. The new risks that can be incurred due to the potenti al violation of the integrity, confidentiaIity and availability of information, need to be analysed for ensuring proper countermeasures. These anaIyses need to examine: . The stakeholders involved in the business and technicaI processes, and the business processes that interconnect them. The physical and 10gicaI assets 10be assured. .