Integrated Risk Scoring and Exploit Prediction for Cyber-Physical Power System Vulnerabilities

Cyber-Physical Power Systems (CPPS) face a rapidly growing number of cybersecurity vulnerabilities, yet no structured dataset or unified risk scoring method exists to prioritize these CVEs. This paper presents a cohesive methodology for collecting, enriching, and modeling CPPS-related CVEs to predict their risk and prioritize remediation. We aggregate over 4,030 ICS-relevant CVEs from public sources (2020--2025) and enrich each with industry-standard severity (CVSS), exploitation data (CISA Known Exploited Vulnerabilities, Exploit Prediction Scoring System), and contextual ICS attributes. We then develop a two-stage machine learning pipeline using gradient-boosted decision trees and linear regression models to estimate a ''CPPS risk score'' for each CVE and the probability of exploitation, leveraging both structured features and CVE textual descriptions. The novelty of our work lies in building one of the first structured CPPS vulnerability datasets and integrating OT-specific context with threat intelligence for risk prediction, bridging a gap not covered by existing severity metrics alone. Our results show that the proposed models achieve high predictive performance (up to R ₂ =0.93 for risk regression and PR--AUC ≈ 0.98 with Brier score ≈ 0.0018 for exploit prediction), enabling accurate ranking of vulnerabilities. Applied to the CPPS dataset, the framework concentrates attention on roughly 30% of CVEs classified as Extreme or High priority while demoting about half of the vulnerabilities to Low priority, and it surfaces several high-risk issues in critical products such as protection relays and SCADA servers that are not yet listed in CISA's KEV catalog. The curated dataset and risk scoring pipeline provide a reusable foundation for data-driven vulnerability management in power systems.