OT Security Cost
Pricing OT Cybersecurity: What Drives Cost Per Protected Asset and How to Quote It
What actually drives OT security cost per asset, how to build a defensible quote, and where estimates blow the budget, from monitoring seats to IR retainers.
Price OT security per protected asset, not per site, because that unit scales with the quote. A defensible number runs $180 to $650 per critical asset per year for monitoring, patching labor, and backup verification, before capital projects. For a 200-asset plant, that is $36,000 to $130,000 annually. The spread depends on asset heterogeneity: a fleet of identical PLCs costs far less per unit than a mix of legacy HMIs, RTUs, and vendor appliances, each needing its own patch path and playbook. Quote the mix, not the count.
Labor is the largest line and the easiest to underbid. A fully burdened OT security engineer costs $95 to $150 per hour loaded. Patching a legacy system with a change window, backout plan, and requalification runs 4 to 8 hours per asset per cycle, not the 20 minutes an IT patch takes. At $120 per hour and 6 hours, that is $720 per legacy asset per patch cycle. Estimators who copy IT patch labor rates undershoot by 5x to 10x. Use the Incident Response Cost and Patch Compliance Rate tools to anchor labor hours against your real device population.
Tooling and monitoring are recurring, not one-time. Passive OT network monitoring platforms license by asset or by site, typically $30 to $120 per monitored asset per year, plus a sensor appliance at $8,000 to $25,000 per plant that amortizes over 5 years. A SOC watching OT telemetry adds $40,000 to $180,000 per year depending on whether it is shared or dedicated. Build these as fixed annual overhead, then divide across assets to get the per-unit monitoring cost that belongs in every quote line.
Incident response is a cost you provision for before it happens. A retainer buys guaranteed response hours: expect $25,000 to $75,000 per year for a mid-tier retainer covering 40 to 100 hours. An actual OT incident burns far more. The Incident Response Cost calculator typically lands a mid-size event at $250,000 to $1.2M once you add forensics ($350 to $600 per hour), downtime from the OT Downtime Cyber Loss model, and rebuild labor. Quote the retainer as a fixed cost and carry the event cost as a risk-adjusted contingency, not a line item.
Insurance is priced off your control posture, so it belongs in the cost model. Cyber premiums for a manufacturer commonly run 1.2 to 3.5 percent of the coverage limit; a $5M policy is $60,000 to $175,000 per year. Insurers now discount 10 to 25 percent for demonstrated MFA, tested backups, and segmentation. Run the Cyber Insurance Exposure and Backup Coverage Rate tools before renewal: moving backup coverage from 60 to 90 percent and adding segmentation can shift you a tier and recover $15,000 to $40,000 in annual premium, which offsets part of the control spend.
Segmentation and architecture projects are capital, and they distort quotes when spread wrong. A firewall-and-conduit segmentation project runs $60,000 to $250,000 depending on cell count and cabling. Amortize over the equipment life, 5 to 7 years, and add 8 to 12 percent annual maintenance. Do not load the full capital cost into year one of a service quote or you will look 3x more expensive than a competitor who amortizes correctly. Use the Network Segmentation ROI tool to show the buyer the avoided-loss payback rather than just the sticker price.
The three biggest estimate misses are scope creep on asset count, ignored requalification time, and forgotten decommissioning. Discovery routinely finds 20 to 40 percent more OT devices than the asset register showed, so quote a discovery phase and price the remainder as a per-asset unit rate rather than a fixed sum. Requalification and validation after any change can double the labor on regulated lines. And end-of-life migration of an unsupported HMI is a $5,000 to $30,000 project per asset that buyers forget until it blocks a patch.
Build the quote as a stack: per-asset recurring (monitoring plus patch labor), fixed annual overhead (SOC, tooling, IR retainer, insurance), and amortized capital (segmentation, sensors, EOL migration). Divide the total by protected asset count to publish a per-unit rate, and show the risk-adjusted contingency separately using ALE from the Ransomware Exposure Cost tool. A transparent quote that separates recurring, fixed, capital, and contingency wins against a lump sum because the buyer can see which lever moves the number and trace it back to the OT Asset Risk Score priorities.
Published 2026-07-01.