Critical Infrastructure Risk Assessment

Operators of critical infrastructures face a rapidly evolving, hybrid threat landscape under tight budgetary and staffing constraints. This paper focuses on the prerequisite for effective defense - "you cannot protect what you do not know" - and the practical difficulty of mapping threats to both internal assets and supplier networks to prioritize mitigation. We combine a state-of-the-art review of asset/configuration and risk management with an exploratory mixed‑methods study: 11 semi‑structured interviews with IT security and procurement stakeholders from large European CI operators (e.g., international airports). Using a hybrid coding approach in MAXQDA and thematic analysis, we surface organizational, technical, and governance challenges across IT/OT and deep-tier supply chains. We synthesize requirements and propose [Project Name], a BMBF‑funded demonstrator that integrates automated asset discovery, supplier intelligence, and
risk‑value scoring to generate prioritized, evidence‑based mitigation actions aligned to resource constraints and support more trustworthy, auditable risk decisions in digitally connected CI ecosystems.