Giovanna Dondossola, Olivier Lamquet CESI On behalf of JWG D2/B3/C2-01 “Security for Information Systems and Intranets in Electric Power Systems”. Summary This paper is the third in a series prepared through the efforts of the CIGRÉ Joint Working Group (JWG) D2/B3/C2-01 “Security for Information Systems and Intranets in Electric Power Systems”. The paper introduces the key aspects that a methodology for the security analysis of power utility information systems should cover. The elements that need to be identified in the preliminary system assessment are described. Then the paper discusses one method that can be used to correlate asset vulnerabilities, potential threats and the possibility of attacks; the definition of indexes to compute a qualitative estimate of the relevant properties of the system; the exploitation of correlation and indexes for scoring security failures and building the System Security Profile. The findings of the methodology support the system hardening activity and the verification of the adequacy of the adopted countermeasures. PUBBLICATO A5030415 (PAD – 684183)PUBBLICATO A5030415 (PAD – 684183)