In this paper, a systematic assessment of cyber-physical security on the energy management system for connected and automated electric vehicles is proposed, which, to our knowledge, has not been attempted before. The generalized methodology of impact analysis of cyber-attacks is developed, including novel evaluation metrics from the perspectives of steady-state and transient performance of the energy management system and innovative index-based resilience and security criteria. Specifically, we propose a security criterion in terms of dynamic performance, comfortability, and energy, which are the most critical metrics to evaluate the performance of an electronic control unit (ECU). If an attack does not impact these metrics, it perhaps can be negligible. Based on the statistical results and the proposed evaluation metrics, the impact of cyber-attacks on ECU is analyzed comprehensively. The conclusions can serve as guidelines for attack detection, diagnosis, and countermeasures.