Abstract

Information security risk assessment of IEC 61850-based power control systems is currently an unsolved problem. One of the reasons is the lack of a methodology for asset analysis, which is an important process of risk assessment. As the features of IEC 61850-based power control systems differ from those of general IT systems, a specific methodology for asset analysis is introduced. Based on the requirements for risk assessment proposed in the BS ISO/IEC 27005 standard, the methodology for asset analysis is separated into asset identification and asset valuation. For asset identification, a structured asset model is defined to distinguish the assets, and a function-oriented business process model is defined to identify the business processes and describe the relations between assets and business processes. For asset valuation, in order to objectively reflect the consequences incurred due to the loss of security properties, three levels of value are defined: the value of information exchange, the asset value of function level, and the asset value of system level. Finally, the implementation procedure of the methodology is described. In the companion paper (Part II), an application instance is presented to support the usefulness of the methodology.
