OT Risk Math

How to Calculate OT Cyber Risk: Downtime Loss, Asset Risk Score, and Segmentation ROI

Work through the core OT cybersecurity formulas with real inputs and numbers: downtime loss per hour, asset risk scores, ransomware exposure, and segmentation ROI.

Start with downtime loss because it feeds every other number. The OT Downtime Cyber Loss formula is Loss = (lost production units per hour x contribution margin per unit) + fixed burn per hour + restart cost, summed over outage hours. Say a line runs 480 units per hour at $12 margin, so $5,760 per hour. Add fixed burn of $2,400 per hour (labor you still pay, plus energy and standing overhead) for $8,160 per hour. A 14-hour ransomware-induced stop is $114,240 in variable and fixed loss, before a one-time restart and requalification cost of roughly $9,000. Total single-event impact: about $123,240.

Asset risk scoring turns a messy inventory into a ranked list. The OT Asset Risk Score model multiplies Likelihood x Impact x Exposure, each on a 1 to 5 scale, giving a 1 to 125 range. Likelihood pulls from known CVE count and patch age, impact from the downtime dollars above, exposure from connectivity. A Windows 7 HMI with 6 unpatched criticals (likelihood 5), controlling the $8,160 per hour line (impact 5), reachable from IT VLAN (exposure 4) scores 5 x 5 x 4 = 100. Anything above 60 is your remediation short list; normalize by dividing by 125 to express as a 0 to 1 index if you prefer.

Ransomware exposure is a probabilistic expected-value calculation, not a worst case. The Ransomware Exposure Cost approach is Annual Loss Expectancy = probability of a successful event per year x total single-event cost. Combine the $123,240 downtime figure with ransom demand exposure and recovery labor. If single-event total cost lands at $640,000 (downtime, ransom or rebuild, IR retainer, forensics, notification) and your annualized probability is 8 percent based on sector incident rates, ALE = 0.08 x $640,000 = $51,200 per year. That per-year number is what you compare against control spending, not the headline $640,000.

Network Segmentation ROI compares avoided loss to project cost. ROI = (reduction in ALE per year minus annual control cost) divided by control cost. Suppose segmenting IT from OT with a firewall and conduit design drops event probability from 8 percent to 3 percent. Avoided ALE = (0.08 minus 0.03) x $640,000 = $32,000 per year. If the segmentation project costs $90,000 up front amortized over 5 years ($18,000 per year) plus $6,000 annual upkeep, net benefit is $32,000 minus $24,000 = $8,000, an ROI of 33 percent. Payback period is $90,000 divided by $32,000, about 2.8 years.

Coverage and compliance rates are simple ratios but people get the denominator wrong. Backup Coverage Rate = protected critical assets divided by total critical assets, times 100. If 62 of 80 PLCs, HMIs, and historians have tested, offline-verified backups, coverage is 77.5 percent. The denominator must be critical assets, not the full 400-device inventory, or you inflate the number. Patch Compliance Rate uses the same shape: assets patched within your SLA window divided by assets requiring the patch. 210 of 260 devices patched inside a 30-day window equals 80.8 percent compliance.

The OT Vulnerability Backlog quantifies remediation debt as a flow, not a snapshot. Backlog at period end = opening backlog + new vulns discovered minus vulns remediated. Open with 340 findings, add 95 from a quarterly scan, close 120, and you end at 315. Compute burn-down rate as remediated divided by (opening + new) = 120 / 435 = 27.6 percent per quarter. At that rate against steady inflow, the backlog barely moves, which is the signal to raise remediation throughput before scoring individual assets with the OT Asset Risk Score tool.

Remote access is a weighted score, useful for third-party and vendor connections. The Remote Access Risk Score sums weighted factors: authentication strength, session monitoring, privilege level, and network reach. Score each 0 to 10, apply weights (privilege 0.35, reach 0.30, auth 0.20, monitoring 0.15), and a jump-host with shared credentials might read auth 3, monitoring 4, privilege 9, reach 8, giving 3(0.20) + 4(0.15) + 9(0.35) + 8(0.30) = 6.75 out of 10. Above 6 flags a connection for MFA and session recording before it becomes an incident.

Chain the outputs so the math tells one story. Downtime loss per hour feeds single-event cost, single-event cost times probability feeds ALE, ALE change feeds segmentation ROI, and asset scores plus backlog burn-down tell you where to spend. Keep units consistent: dollars per hour, events per year, and dimensionless 0 to 1 or 0 to 125 indexes. Recompute quarterly using the OT Downtime Cyber Loss, Ransomware Exposure Cost, and Network Segmentation ROI calculators so a changing patch compliance rate or new CVE flows through to a defensible risk number, not a gut feel.

Published 2026-07-01.