The modeling of scenarios of complex multistep targeted cyber attacks is considered. To determine all scenarios for the implementation of an attack, the FSTEC of Russia Methodology for assessing threats to information security and CAPEC attack patterns are used. Attack vector is presented in the form of an attack graph with further formalization in the form of a hierarchical fuzzy cognitive map for the possibility of multiple scale analysis. Automated modeling of a set of possible attacks allows extract information about infrastructure weaknesses, the most dangerous vulnerabilities and potential weaknesses of system components, identify the most successful attack scenarios and assess their consequences for the enterprise. The calculation of the quantitative assessment of the local relative risk is conducted based on the vulnerability severity levels, considering the CVSS environmental metrics for the industrial control system for the transport of commercial oil.