This paper describes a simulation-based approach for automated risk assessment of complex cyber-physical systems to support implementers of ISO 27005. The approach is based on systematic causeand-effect modelling of threats, their causes and effects, and the ways in which the effects of one threat can lead to other threats. In this way, the approach deals with inter-dependencies within the target system, automatically finding attack paths and secondary effect cascades, which generally are very complex and the source of many challenges for implementation of ISO 27005. The approach uses a knowledgebase describing classes of system assets and their possible relationships, along with the associated threats, causes and effects in a generic context. A target system can then be modelled in terms of related assets, describing the intended system structure and purpose (in the absence of any deviations). The knowledgebase is then used to identify which threats are relevant and create a cause-and-effect simulation of those threats. This allows threat likelihoods and risk levels to be found based on input concerning trust assumptions and the presence of controls in the system. The approach has been implemented by the open source Spyderisk project and validated by modelling a published case study of an attack on a steel mill. Given reasonable assumptions about security controls in place, the shortest, highest likelihood attack path found coincides with the published analysis. The case study demonstrates the strengths of the approach: transparency, reproducibility, and performance.