Progress Report from Cigré WG D2.22 Giovanna Dondossola*, Goran Ericsson**, Andrei Bartels***, Age Torkilseng**** CIGRE 2008 Session 42 Parigi, 24-29 Agosto 2008 * CESI RICERCA ** SWEDISH NATIONAL GRID, SWEDEN *** AEGIS TECHNOLOGIES, USA **** SALTEN KRAFTSAMBAND, NORWAY Since the beginning of this new millennium, the need for treating Information Security for Electric Power Utilities (EPUs) has become more evident among utilities, vendors, consultants, standards and regulatory bodies, etc., around the globe. Within Cigré, the first steps were taken in 2002 when the Joint Working Group (JWG) D2/B3/C2-01 – “Security for Information Systems and Intranets in Electric Power Systems” – was launched. The JWG delivered its Technical Brochure (TB) in 2006, where the purpose was to raise the awareness of information/cyber security in Electric Power Systems. Also, the “domain concept” for managing information security was introduced. The focus of the TB was mostly on the management issues, rather than on technical details. It was concluded that there is a need for a comprehensive Information and Control Systems Security Framework for electric utilities. Management of Information Security must be an essential and natural part of daily operations of various tasks in an EPU. As a successor of the JWG D2/B3/C2-01, the WG D2.22 “Treatment of Information Security for Electric Power Utilities” was formed in 2006. Here, the scope is narrowed in order to focus on and study certain aspects and solve specific questions raised in the former JWG. The following three issues are studied: Frameworks for EPUs, Risk Assessment, and Security Technologies. The purpose of this paper is to provide an intermediate progress report on work of WG D2.22. The WG will deliver its Technical Brochure in 2008/2009 and about five papers will be published, where this paper is one of them. So far, the results are mostly in the areas of security frameworks and risk assessment. The security technologies part will be covered more in the later parts of the WG. In the paper, it is concluded that among the various security approaches, an EPU must be competent to select and implement the best and adequate pieces and have in-depth knowledge of SCADA/Control domain requirements. The findings of a risk assessment survey show a clear lack of a reference method and itconfirms the need for methodologies combining power and information security knowledge. KEYWORDS Electric Power Industry, Electric Power Utility, IT Security, Information Security, SCADA, Framework, Risk Assessment, Security Technology.