OT Risk Mistakes
OT Cyber Risk Calculations: The Costly Mistakes That Skew Your Numbers
The eight errors that quietly inflate or deflate OT cyber risk numbers, each with the symptom that gives it away and the correction that puts the figure back in range.
The most common OT downtime loss error is pricing an outage at plant-average revenue instead of the bottleneck line rate. Symptom: your OT Downtime Cyber Loss figure looks flat regardless of which asset is hit. Root cause is using $12,000 per hour blended margin across all lines when the constrained line actually runs $47,000 per hour of contribution. The fix: build the rate from the specific line's throughput times unit margin, then add restart cost. A 6 hour ransomware stop on that line is $282,000, not the $72,000 the blended rate implies, a 3.9x understatement.
A frequent unit slip is mixing annualized loss expectancy with single-event cost. Symptom: your Ransomware Exposure Cost and Cyber Insurance Exposure numbers disagree by an order of magnitude for the same scenario. Root cause is multiplying single-event impact of $1.8M by an annual event probability of 0.15 to get $270,000, then treating that $270,000 as the per-incident payout. Keep them separate. ALE of $270,000 per year is a budgeting figure. The insurance retention decision uses the $1.8M single-event severity. Label every output either per event or per year, never both.
Backup Coverage Rate gets inflated by counting assets that have a backup job configured rather than a backup that restores. Symptom: coverage reads 94 percent but a tabletop restore fails on the historian and two PLCs. Root cause: the denominator counts scheduled jobs, not verified restores within RTO. The fix: only credit an asset if a restore test succeeded in the last 90 days. Sites that switch to restore-verified counting typically drop from a reported 90 percent to a real 60 to 70 percent, which is the number that actually predicts recovery time.
Patch Compliance Rate errors come from a denominator that silently excludes the riskiest assets. Symptom: compliance shows 88 percent yet your OT Vulnerability Backlog keeps climbing. Root cause is scoping the calculation to IT-managed Windows nodes while 40 percent of the fleet, the PLCs, RTUs, and embedded HMIs, sits outside the patch tool and is never counted. Put every asset in the denominator, then split the metric: patchable-asset compliance versus fleet-wide compliance. A site at 88 percent on 300 servers can be at 52 percent across 900 total OT assets.
OT Asset Risk Score gets distorted when exposure and consequence are averaged instead of multiplied. Symptom: a safety-critical PLC with a low exposure score ranks below a non-critical office switch. Root cause: adding a criticality of 9 and an exposure of 2 gives 5.5, which buries the high-consequence asset. Risk is exposure times consequence times likelihood, not their mean. Multiplied, the PLC scores 9 times 2 equals 18 against the switch at 3 times 6 equals 18, and once you weight consequence heavier the safety asset correctly floats to the top of the remediation queue.
Remote Access Risk Score undercounts because dormant and vendor accounts are excluded from the population. Symptom: the score looks acceptable at 4 out of 10, then an audit finds 22 standing vendor VPN accounts with no MFA. Root cause: the calculation only samples active employee sessions from the last 30 days. Count every credential that can reach the OT network, including service accounts and integrator logins. A cell that shows 8 active users often has 30-plus total access paths, and each unmanaged path with shared credentials and no session recording can add 1.5 to 2 points.
Network Segmentation ROI goes wrong when the benefit is booked as total breach cost avoided rather than the marginal reduction in blast radius. Symptom: a $400,000 segmentation project shows a 20x return that no one believes. Root cause: crediting the full $8M worst-case loss as avoided, when segmentation realistically cuts lateral spread and reduces expected loss by 35 to 55 percent. Model it as probability-weighted loss before minus after. If expected annual loss falls from $900,000 to $470,000, the $430,000 benefit against $400,000 spend is a credible 1.07x first-year return that survives scrutiny.
Incident Response Cost estimates omit the long tail past the first 72 hours. Symptom: your Incident Response Cost total clusters around $150,000 while peer data shows OT incidents running $500,000 and up. Root cause: capturing only the acute containment window, forensic retainer, and overtime, while dropping regulatory notification, extended manual operations, engineering revalidation of touched logic, and 3 to 6 weeks of degraded throughput. The fix: add a recovery-phase line that runs 2 to 4 times the containment cost. An $80,000 containment event with proper accounting lands near $320,000 all-in.
Published 2026-07-01.