Cyber-physical system such as automatic metering infrastructure (AMI) are overly complex infrastructures. With myriad stakeholders, real-time constraints, heterogeneous platforms and component dependencies, a plethora of attacks possibilities arise. Despite the best of available technology countermeasures and compliance standards, security practitioners struggle to protect their infrastructures. At the same time, it is important to note that not all attacks are same in terms of their likelihood of occurrence and impact. Hence, it is important to rank the various attacks and perform scenario analysis to have an objective decision on security countermeasures. In this paper, we make a comprehensive security risk analysis of AMI, both qualitatively and quantitatively. Qualitative analysis is performed by ranking the attacks in terms of sensitivity and criticality. Quantitative analysis is done by arranging the attacks as an attack tree and performing Bayesian analysis. Typically, state-of–the-art quantitative security risk analysis suffers from data scarcity. We acknowledge the aforementioned problem and circumvent it by using standard vulnerability database. Different from state-of-the-art surveys on the subject, which captures the big picture, our work is geared to is provide the prioritized baselines in addressing most common and damaging attacks.