Abstract: In accordance with the information security of supervisory control and data acquisition（SCADA） system, a quantitative evaluation method based on evidence reasoning is proposed. In this method, a certain abnormality found by the system is taken as a root node, and a certain number of hypothesis events that result in abnormality or events caused by hypothesis events are used as hypothesis points to construct an interpretable hypothesis chain of system security vulnerability and to reason all attack paths.Then, each attack path is calculated to find the critical path of the system vulnerability. The evidence related to the hypothesis is regarded as evidence point and the link function is used to connect the evidence and hypothesis point to build the vulnerability Bayesian network of each path. The conditional probability of nodes in Bayesian network is calculated by applying the graded response model. The critical path is utilized as a basis for measuring the system vulnerability, and the probability of hypothesis is utilized as the criterion of security vulnerability evaluation, so the credibility of each evidence point is quantified, and the vulnerability of SCADA system is deduced through Bayesian network. Finally, an example is given to illustrate the specific application. It is proven that the method can effectively analyze the security vulnerability of SCADA systems in wind farms, and can find the weak components of system information security. The method can also quantify the evaluation value of information security vulnerability, and has high evaluation accuracy.