SCADA is one of a set of manufacturing-and-control systems that are used to monitor and control critical infrastructure. Such systems extensively utilise communications network protocols such as TCP/IP to interconnect a diverse array of components. A major forthcoming change within TCP/IP is the adoption of the IPv6 protocol and inevitably this change will affect SCADA systems. However IPv6 introduces its own set of vulnerabilities. Hence, given the scale and complexity of current SCADA systems, there is a need for organisations to be able to model and review the risks emanating from the propagation of identifiable vulnerabilities in IPv6 prior to actual operational deployment. This work shows how the required tools can be constructed by complementing the Information Security Management (ISM) risk modelling tool with the formal technique of Coloured Petri Nets (CPN). The results of the application of the tools in a case study confirm the utility of the approach.