Industrial Cybersecurity & OT Risk calculator
OT Asset Risk Score Calculator
OT Asset Risk Score is a multiplicative ranking that combines how badly an OT asset hurts you if compromised, how likely it is to be reached, and how weak its controls are. OT security and reliability engineers use it to triage hundreds of controllers, HMIs, and historians into a defensible remediation order instead of relying on gut feel. It mirrors the FMEA risk-priority approach — impact, occurrence, detection — adapted for industrial cyber, so cross-functional teams already understand the logic. Because the factors multiply, one extreme dimension (a safety-critical asset, or a glaring control gap) lifts an asset's score sharply, which is exactly how you want triage to behave.
What this calculator does
- Rank risk for a critical OT asset using operational impact, exposure likelihood, and control or detection weakness.
- Use it when prioritizing protection work for PLCs, HMIs, SCADA servers, DCS nodes, historians, or engineering workstations.
- It computes a single comparative risk score for an OT asset by multiplying impact, exposure likelihood, and control weakness on a common scale.
Formula used
- OT asset risk score = OT asset impact score × OT exposure likelihood score × control weakness score
- Use the same scoring scale across comparable OT assets.
Inputs explained
- OT asset impact if compromised:
- OT exposure likelihood:
- Control weakness / detection gap:
How to use the result
- Use it to rank a fleet of OT assets for remediation, segmentation, or monitoring investment when you cannot fix everything at once.
- It is relative, not a probability or a dollar figure; scores are only comparable when every asset is rated on the same scale by consistent raters.
Common questions
- How do you calculate an OT asset risk score? Multiply the impact score by the exposure likelihood score by the control weakness score, using one consistent scale across assets. With factors of 9, 5, and 4 on the configured scale, this calculator returns a risk score of 6.35.
- Why multiply the factors instead of adding them? Multiplication makes a single severe dimension dominate, which matches real risk — a safety-critical asset with a wide-open control gap should outrank an asset that is merely middling on every axis. Adding would flatten those extremes.
- What is a good OT asset risk score? There is no universal threshold because the scale is yours; what matters is rank order. Sort the fleet, set a remediation cut line, and treat the top tier as immediate-action assets. The 6.35 here is meaningful only against your other assets' scores.
- How is this different from FMEA RPN? It is the same structure — severity, occurrence, detection — retargeted at OT cyber. Impact maps to severity, exposure likelihood to occurrence, and control weakness to detection/preventability of compromise.
- How should I score control weakness? High when the asset is unsegmented, unpatched, shares credentials, or lacks monitoring; low when it sits behind a firewall with logging and tested backups. It captures how easily a compromise succeeds and goes unseen.
Last reviewed 2026-05-12.