Abstract: The cyber security in industrial control system is becoming increasingly serious. By considering the characteristics of industrial control system cyber security, a new method integrating D S evidence theory and AHP is proposed in this work. Firstly, the risk assessment hierarchy is established and the experts’ linguistic assessment is quantified. Then, the synthetic evaluation is realized using D S evidence theory such that the influence of subjective factors can be reduced. Finally, all security threats are sorted according to their importance using the confidence interval of probability, and then, the related cyber security protection measures are proposed. The experimental results in industrial control system of thermal power plant show that the proposed method can quantify the effect of security threats, and effectively cope with uncertainties in the cyber security risk assessment of industrial control system.