From Incomplete Architecture to Quantified Risk: Multimodal LLM-Driven Security Assessment for Cyber-Physical Systems

📅 2026-04-07
🤖 AI Summary
This work addresses the challenge of security assessment in cyber-physical systems caused by missing or outdated architectural documentation. It proposes ASTRAL, a novel approach that uniquely integrates multimodal large language models with architectural modeling to automatically reconstruct system architectures from fragmented data. By leveraging prompt chaining, few-shot learning, and architectural reasoning, ASTRAL enables the identification of attack surfaces and supports quantitative analysis of risk propagation pathways. Evaluated on multiple real-world systems, the method demonstrates strong efficacy and has received endorsement from 14 cybersecurity experts, significantly enhancing the reliability and decision-support capability of architecture-driven security assessments.
📝 Abstract
Cyber-physical systems often contend with incomplete architectural documentation or outdated information resulting from legacy technologies, knowledge management gaps, and the complexity of integrating diverse subsystems over extended operational lifecycles. This architectural incompleteness impedes reliable security assessment, as inaccurate or missing architectural knowledge limits the identification of system dependencies, attack surfaces, and risk propagation pathways. To address this foundational challenge, this paper introduces ASTRAL (Architecture-Centric Security Threat Risk Assessment using LLMs), an architecture-centric security assessment technique implemented in a prototype tool powered by multimodal LLMs. The proposed approach assists practitioners in reconstructing and analysing CPS architectures when documentation is fragmented or absent. By leveraging prompt chaining, few-shot learning, and architectural reasoning, ASTRAL extracts and synthesises system representations from disparate data sources. By integrating LLM reasoning with architectural modelling, our approach supports adaptive threat identification and quantitative risk estimation for cyber-physical systems. We evaluated the approach through an ablation study across multiple CPS case studies and an expert evaluation involving 14 experienced cybersecurity practitioners. Practitioner feedback suggests that ASTRAL is useful and reliable for supporting architecture-centric security assessment. Overall, the results indicate that the approach can support more informed cyber risk management decisions.
Problem

Research questions and friction points this paper is trying to address.

Cyber-Physical Systems
Incomplete Architecture
Security Assessment
Risk Estimation
Architectural Documentation
Innovation

Methods, ideas, or system contributions that make the work stand out.

multimodal LLMs
architecture-centric security
quantitative risk assessment
prompt chaining
cyber-physical systems