Critical infrastructure (CIs) such as power gridslink a plethora of physical components from many differentvendors to the software systems that control them. Thesesystems are constantly threatened by sophisticated cyberattacks. The need to improve the cybersecurity of such CIs,through holistic system modeling and vulnerability analysis,cannot be overstated. This is challenging since a CIincorporates complex data from multiple interconnectedphysical and computation systems. Meanwhile, exploitingvulnerabilities in different information technology (IT) andoperational technology (OT) systems leads to variouscascading effects due to interconnections between systems.The paper investigates the use of a comprehensive taxonomyto model such interconnections and the implieddependencies within complex CIs, bridging the knowledgegap between IT security and OT security. The complexityof CI dependence analysis is harnessed by partitioningcomplicated dependencies into cyber and cyber-physicalfunctional dependencies. These defined functionaldependencies further support cascade modeling for vulnerabilityseverity assessment and identification of criticalcomponents in a complex system. On top of the proposedtaxonomy, the paper further suggests power-grid referencemodels that enhance the reproducibility and applicability ofthe proposed method. The methodology followed wasdesign science research (DSR) to support the designing andvalidation of the proposed artifacts. More specifically, thestructural, functional adequacy, compatibility, and coveragecharacteristics of the proposed artifacts are evaluatedthrough a three-fold validation (two case studies and expertinterviews). The first study uses two instantiated powergridmodels extracted from existing architectures andframeworks like the IEC 62351 series. The second studyinvolves a real-world municipal power grid. © 2023, The Author(s).