To address the uncertain influence factors and the difficulty of quantifying indicators in the risk assessment of industrial control networks, a method based on fuzzy theory and attack trees was proposed, and the proposed method was tested and verified on the Chinese Train Control System (CTCS). First, an attack tree model for CTCS was constructed based on network security threats and system vulnerability. The α-cut of Triangular Fuzzy Numbers (TFNs) was used to calculate the interval probabilities of leaf nodes and attack paths. Then, the Analytic Hierarchy Process (AHP) was adopted to establish the mathematical model for security event losses and obtain the final risk assessment result. Finally, the experimental result demonstrates that the proposed method implements system risk assessment effectively, predicts the attack paths successfully and reduces the influence of subjective factors. With the proposed method, the risk assessment result is more realistic and provides a reference and basis for the selection of security protection strategies.
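The interval-probability step, as an added example that is not code from the paper: each leaf's expert estimate is a TFN (l, m, u), its α-cut gives an interval, and the intervals are combined along attack paths. The leaf values, the two-path tree, the AND/OR gate formulas (which assume independent steps) and the midpoint ranking are all assumptions made for illustration; the AHP loss model is not shown.

```python
from math import prod

def alpha_cut(tfn, alpha):
    """Interval [lo, hi] of a triangular fuzzy number (l, m, u) at level alpha."""
    l, m, u = tfn
    if not (0.0 <= alpha <= 1.0 and 0.0 <= l <= m <= u <= 1.0):
        raise ValueError("need 0 <= l <= m <= u <= 1 and 0 <= alpha <= 1")
    return (l + alpha * (m - l), u - alpha * (u - m))

def and_gate(intervals):
    """All steps must succeed. Bounds lie in [0, 1], so the product is monotone."""
    return (prod(lo for lo, _ in intervals), prod(hi for _, hi in intervals))

def or_gate(intervals):
    """At least one branch succeeds (assumes independent branches)."""
    return (1 - prod(1 - lo for lo, _ in intervals),
            1 - prod(1 - hi for _, hi in intervals))

# Constructed expert estimates for three hypothetical leaf nodes (not from the paper).
LEAVES = {
    "L1": (0.2, 0.3, 0.5),
    "L2": (0.4, 0.5, 0.6),
    "L3": (0.1, 0.2, 0.4),
}
# Hypothetical tree: root = path_A OR path_B; each path is an AND of its leaves.
PATHS = {"path_A": ["L1", "L2"], "path_B": ["L3"]}

def path_intervals(alpha):
    """Interval probability of every attack path at the given alpha level."""
    return {name: and_gate([alpha_cut(LEAVES[leaf], alpha) for leaf in leaves])
            for name, leaves in PATHS.items()}

def root_interval(alpha):
    """Interval probability that the root goal is reached by any path."""
    return or_gate(list(path_intervals(alpha).values()))

def most_likely_path(alpha):
    """Rank paths by interval midpoint (an assumed defuzzification rule)."""
    intervals = path_intervals(alpha)
    return max(intervals, key=lambda p: sum(intervals[p]) / 2)

if __name__ == "__main__":
    for a in (0.0, 0.5, 1.0):
        print(a, path_intervals(a), root_interval(a), most_likely_path(a))
```

Raising α narrows every interval toward the experts' most likely value, which is how the level trades confidence against spread.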