Industrial Cybersecurity & OT Risk calculator

Security Control Gap Calculator

The Security Control Gap quantifies how far an OT environment is from its target security baseline by comparing required controls against what is actually implemented plus any formally accepted compensating controls. OT security leads, GRC analysts, and assessors use it to translate a sprawling IEC 62443 or NIST CSF assessment into a single, defensible coverage percentage. It is the number that drives remediation roadmaps, budget requests, and audit conversations. Tracking the gap rate over time shows whether your hardening program is actually closing exposure or just standing still.

What this calculator does

  • Estimate the percentage gap between required OT security controls and implemented controls.
  • Use it when preparing audit remediation, IEC 62443 program reviews, NIST CSF mapping, or site security roadmaps.
  • It computes the absolute number of unaddressed controls and expresses that gap as a percentage of the required control set.

Formula used

  • Security control gap = required OT security controls - implemented OT security controls - accepted compensating controls or exceptions
  • Security control gap rate = security control gap ÷ required OT security controls × 100

Inputs explained

  • Required OT security controls:
  • Implemented OT security controls:
  • Accepted compensating controls or exceptions:

How to use the result

  • Use it after a controls assessment to size remediation scope, or quarterly to trend coverage against your security baseline.
  • It counts controls equally and does not weight by risk, so a gap rate can look small while leaving a few critical safety-related controls open; always pair the number with a risk view.

Common questions

  • How do you calculate a security control gap rate? Subtract implemented controls and accepted compensating controls from required controls to get the absolute gap, then divide by required controls and multiply by 100. The defaults give a 36-control gap against a 120-control baseline.
  • What counts as an accepted compensating control? It is a formally documented and risk-accepted alternative that offsets a missing primary control, such as strict network segmentation standing in for a patch that cannot be applied to a legacy PLC. Only count exceptions that have sign-off, not informal workarounds.
  • What is a good security control gap rate for OT? Lower is better; mature programs target a single-digit percentage gap on their defined baseline. A double-digit gap rate usually means several control families still need a remediation owner and timeline.
  • Why subtract compensating controls from the gap? Because a risk-accepted compensating control means the exposure is being managed even though the primary control is absent. Subtracting them gives a truer picture of residual, unaddressed gap rather than raw missing controls.
  • How is this different from a vulnerability count? A vulnerability count measures discovered weaknesses in your systems; the control gap measures missing defensive measures against a chosen framework. You can have zero open controls and still have vulnerabilities, and vice versa.

Last reviewed 2026-05-12.