Securing critical infrastructure against attack presents significant challenges. As new infrastructure is built and existing infrastructure is maintained, a method to assess the vulnerabilities and support decision makers in determining the best use of security resources is needed. In response to this need, this research develops a methodology for performing vulnerability assessment and decision analysis of critical infrastructure using model‐based systems engineering, an approach that has not been applied to this problem. The approach presented allows architects to link regulatory requirements, system architecture, subject matter expert opinion and attack vectors to a Department of Defense Architecture Framework (DoDAF)‐based model that allows decision makers to evaluate system vulnerability and determine alternatives to securing their systems based on their budget constraints. The decision analysis is done using an integer linear program that is integrated with DoDAF to provide solutions for how to allocate scarce security resources. Securing an electrical substation is used as an illustrative case study to demonstrate the methodology. The case study shows that the method presented here can be used to answer key questions, for example, what security resources should a decision maker invest in based on their budget constraints? Results show that the modeling and analysis approach provides a means to effectively evaluate the infrastructure vulnerability and presents a set of security alternatives for decision makers to choose from, based on their vulnerabilities and budget profile.