Industrial Cybersecurity & OT Risk calculator
Remote Access Risk Score Calculator
The Remote Access Risk Score is a multiplicative risk index OT security teams use to rank every remote pathway into industrial control systems — vendor support tunnels, jump hosts, cellular modems on PLCs, and engineer VPNs. Impact captures what an attacker could do to production if they ride that path, exposure captures how reachable and how often the path is open, and control weakness captures how thin the defenses are. Because the three factors multiply rather than add, a path that is dangerous on all three axes scores dramatically higher than one that is bad on only one, which is exactly how real OT compromises play out. ICS/OT security architects, plant IT, and ISA/IEC 62443 risk assessors use it to triage which remote access routes to harden, monitor, or kill first.
What this calculator does
- Rank remote access risk using operational impact, access exposure, and control weakness.
- Use it when reviewing vendor access, jump hosts, VPN access, privileged sessions, and remote support controls for OT environments.
- It multiplies a remote path's impact, exposure, and control weakness scores into a single comparable risk number.
Formula used
- Remote access risk score = remote access impact score × remote access exposure score × remote access control weakness score
- Use the same scoring scale across comparable remote access paths.
Inputs explained
- Remote access impact score:
- Remote access exposure score:
- Remote access control weakness score:
How to use the result
- Use it when ranking and prioritizing vendor, integrator, and engineer remote access routes into a control network for hardening or removal.
- Scores are subjective ordinal judgments, so they only let you compare paths rated on the same scale by the same team — they are not absolute probabilities of breach.
Common questions
- How do you calculate a remote access risk score? Multiply the three factors: impact x exposure x control weakness. With an impact of 8, exposure of 6, and control weakness of 5 the geometric-style index resolves to 6.55 on the tool's normalized scale, flagging that path as high priority.
- What is a good remote access risk score? Lower is better. There is no universal threshold, but within one assessment you treat the top quartile of scores as your immediate hardening list. A path scoring 6.55 sits well above a well-controlled vendor link that might score 2 to 3.
- Why multiply the factors instead of adding them? Multiplication models compounding risk: a high-impact path that is also highly exposed and weakly controlled is far more dangerous than the sum of its parts. Adding would let a single low factor mask two high ones.
- What counts as 'control weakness' for remote OT access? Missing MFA, shared vendor credentials, always-on tunnels, no session recording, flat network with no DMZ, and no time-boxed approval. The weaker your compensating controls, the higher this factor.
- How is this different from an FMEA RPN? It borrows the multiplicative structure of an FMEA Risk Priority Number (Severity x Occurrence x Detection) but maps the three axes to OT remote access: impact, exposure, and control weakness instead.
Last reviewed 2026-05-12.