Beyond Confidentiality: A Dynamic Framework for Systemic Risk Management and Enhanced Resilience in Critical Infrastructure Operations

Minh-Hieu Nguye, Faculty of Information Technology, Hanoi University of Science and Technology, Hanoi, Vietnam

Abstract

Purpose: Cyber-Physical Systems (CPS) underpinning critical infrastructure face security challenges that arise from the tight coupling of their computational and physical components. Traditional Information Technology (IT) risk assessment methods are inadequate for them because they do not quantify the kinetic impact, that is, the physical and safety consequences, of a cyber breach. This study addresses that gap by proposing and defining a Unified Cyber-Physical Risk Management (UCPRM) Framework.

Methodology: The UCPRM Framework is built on three principles: holistic IT/OT integration, real-time dynamism, and quantitative consequence mapping. It introduces a Cyber-Physical Attack Graph (CPAG) to model complex, cascading failures and a Kinetic Impact Score (KIS) metric that translates cyber likelihoods into measurable physical and financial risk. The methodology combines established international standards (ISO, NIST) with continuous operational telemetry so that risk estimates are updated dynamically rather than at periodic assessment intervals.

Findings: Applying the UCPRM Framework to a simulated critical infrastructure environment showed that traditional IT-centric risk models significantly underestimate the risk profile of CPS because they omit the KIS. The framework's real-time risk score enabled predictive alerting and better-informed resource allocation, aligning security investment with physical safety and continuity of operations.

Originality: The UCPRM Framework is the first to integrate real-time operational data with a structured, quantitative mechanism for assessing the physical consequences of cyber-attacks, a shift that is necessary for managing the security and resilience of critical CPS.
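The following is an added illustration of the mechanism the Methodology and Findings paragraphs describe; it is not code from the paper and does not reproduce the UCPRM Framework's definitions of the CPAG or the KIS, which the abstract does not give. It models a small attack graph whose downstream nodes are physical consequences, propagates per-step compromise probabilities through it, and scores risk as probability-weighted loss. Scoring an IT-only impact table and a kinetic-impact table over the same graph shows how an IT-centric view understates risk, and an edge-probability override driven by an observed event stands in for a telemetry-driven update. The graph, node names, probabilities, loss figures, telemetry rules and the noisy-OR and expected-loss formulas are all assumptions made for this example.

```python
"""Illustrative cyber-physical attack-graph risk scoring (added example).

All graph structure, probabilities, loss figures and formulas below are
assumptions for illustration, not the UCPRM Framework's own definitions.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Edge = Tuple[str, str]

# Constructed attack graph: edge -> P(dst compromised | src compromised).
# Cyber steps come first, then the physical consequences they can trigger.
EDGES: Dict[Edge, float] = {
    ("internet", "vpn_gateway"): 0.30,
    ("vpn_gateway", "eng_workstation"): 0.50,
    ("eng_workstation", "plc_pump"): 0.60,
    ("plc_pump", "pump_overpressure"): 0.80,
    ("pump_overpressure", "pipeline_rupture"): 0.25,
}

# Assumed loss figures (currency units).  The IT table values only data
# and equipment on cyber nodes; the kinetic table values physical outcomes.
IT_IMPACT: Dict[str, float] = {"eng_workstation": 20_000.0, "plc_pump": 30_000.0}
KINETIC_IMPACT: Dict[str, float] = {
    "pump_overpressure": 50_000.0,
    "pipeline_rupture": 5_000_000.0,
}

# Assumed telemetry rules: an observed event raises the probability of the
# attack step it evidences.  A real deployment would derive these from SIEM
# or process-historian signals.
TELEMETRY_RULES: Dict[str, Tuple[Edge, float]] = {
    "vpn_login_from_unknown_asn": (("internet", "vpn_gateway"), 0.90),
    "unsigned_plc_logic_download": (("eng_workstation", "plc_pump"), 0.95),
}


def topo_order(edges: Dict[Edge, float]) -> List[str]:
    """Kahn's algorithm; propagation below requires an acyclic graph."""
    nodes = {n for e in edges for n in e}
    indeg = {n: 0 for n in nodes}
    for _, dst in edges:
        indeg[dst] += 1
    ready = sorted(n for n in nodes if indeg[n] == 0)
    order: List[str] = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for src, dst in edges:
            if src == n:
                indeg[dst] -= 1
                if indeg[dst] == 0:
                    ready.append(dst)
    if len(order) != len(nodes):
        raise ValueError("attack graph contains a cycle")
    return order


def compromise_probabilities(
    edges: Dict[Edge, float],
    entry: str,
    overrides: Optional[Dict[Edge, float]] = None,
) -> Dict[str, float]:
    """Noisy-OR propagation from a fully compromised entry node.

    P(n) = 1 - prod over edges (m, n) of (1 - P(m) * p(m, n)).
    """
    p_edge = dict(edges)
    if overrides:
        p_edge.update(overrides)
    prob: Dict[str, float] = {}
    for n in topo_order(edges):
        if n == entry:
            prob[n] = 1.0
            continue
        miss = 1.0
        for (src, dst), p in p_edge.items():
            if dst == n:
                miss *= 1.0 - prob[src] * p
        prob[n] = 1.0 - miss
    return prob


def risk_score(prob: Dict[str, float], impact: Dict[str, float]) -> float:
    """Expected loss: sum of P(node) * loss(node) over the impact table."""
    return sum(prob[n] * loss for n, loss in impact.items())


def telemetry_overrides(events: Iterable[str]) -> Dict[Edge, float]:
    """Translate observed event tags into edge-probability overrides."""
    out: Dict[Edge, float] = {}
    for tag in events:
        if tag in TELEMETRY_RULES:
            edge, p = TELEMETRY_RULES[tag]
            out[edge] = max(p, out.get(edge, 0.0))
    return out


def assess(events: Iterable[str] = ()) -> Dict[str, float]:
    """Score the graph with and without kinetic impact after applying telemetry."""
    prob = compromise_probabilities(EDGES, "internet", telemetry_overrides(events))
    it_only = risk_score(prob, IT_IMPACT)
    kinetic = risk_score(prob, KINETIC_IMPACT)
    return {"it_only": it_only, "kinetic": kinetic, "cyber_physical": it_only + kinetic}


if __name__ == "__main__":
    print("baseline:", assess())
    print("after VPN telemetry:", assess(["vpn_login_from_unknown_asn"]))
```

With the assumed numbers the baseline IT-only expected loss is 5,700 while the kinetic component is 93,600, so an assessment that stops at the cyber nodes sees roughly six percent of the total. A single telemetry event that raises the entry-step probability to 0.9 triples every downstream probability and the kinetic loss, which is the kind of continuous re-scoring a real-time framework is meant to surface before the physical consequence occurs.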

Keywords

Cyber-Physical Systems, Risk Management, Critical Infrastructure, Kinetic Impact, Real-Time Assessment, Operational Technology, SCADA



How to Cite

Minh-Hieu Nguye. (2025). Beyond Confidentiality: A Dynamic Framework for Systemic Risk Management and Enhanced Resilience in Critical Infrastructure Operations. American Journal of Applied Science and Technology, 5(11), 50–59. Retrieved from https://theusajournals.com/index.php/ajast/article/view/7732