Industrial Cybersecurity & OT Risk calculator
Vendor Remote Session Risk Calculator
Vendor remote session risk scores the danger of a third-party maintaining remote access into your industrial control environment, the way an OEM, integrator, or remote-support contractor typically does. It multiplies how bad a compromise would be, how exposed the access path is, and how weak the controls around that access are, giving OT security and plant engineering teams a single comparable number per vendor. This matters because vendor remote access is one of the most common initial-access vectors in industrial incidents, and most plants have a dozen or more standing vendor connections that nobody has ranked. A consistent score lets you decide which vendor sessions get jump-host enforcement, MFA, and session recording first, instead of treating every connection as equally risky.
What this calculator does
- Rank vendor remote session risk using operational impact, session exposure, and control weakness.
- Use it when reviewing remote support sessions for integrators, OEMs, machine builders, and service providers.
- It computes a single comparable risk score for a vendor's remote access path by multiplying compromise impact, path exposure, and access-control weakness.
Formula used
- Vendor remote session risk score = vendor session impact score × vendor session exposure score × vendor access control weakness score
- Use the same scoring scale across comparable vendor access scenarios.
Inputs explained
- Vendor session impact score:
- Vendor session exposure score:
- Vendor access control weakness score:
How to use the result
- Use it to rank standing OEM, integrator, and support connections so you harden the most dangerous sessions first.
- The score is a relative prioritization signal, not a probability of breach, and it is only comparable when every vendor is scored on the same anchored scale.
Common questions
- How do you calculate vendor remote session risk? Multiply the three factors: impact times exposure times access-control weakness. With scores of 8, 7, and 4 the model returns a risk score of 6.65 on its normalized scale, which you then compare against your other vendors.
- Why multiply the scores instead of adding them? Multiplication mirrors RPN-style risk scoring: a vendor that is high on every dimension should score far worse than one that is high on just one. A single low factor, such as strong access controls, meaningfully pulls the whole score down.
- What is a high vendor remote access risk score? Interpret it relative to your fleet. Because each factor maxes out, the top of the scale represents a high-impact, fully-exposed, no-controls vendor. The example's 6.65 sits in the upper-middle band and warrants near-term hardening.
- What makes the access-control weakness score worse? Shared credentials, always-on VPN tunnels, no MFA, no jump host, and no session recording all raise the weakness score. A vendor reaching the OT network through a brokered, MFA-protected, recorded jump host scores much lower.
- How is this different from a generic vendor risk assessment? This focuses specifically on the remote-session attack path into OT, not the vendor's overall security posture. A financially solid vendor can still hold a dangerous always-on connection into your control network.
Last reviewed 2026-05-12.