
OT Secure Connectivity Is Necessary—but Not Sufficient: Why OT Needs Cyber Risk Quantification (CRQ)

Operational Technology (OT) is becoming more connected for understandable reasons: efficiency, real-time analytics, predictive maintenance, and remote operations. The same connectivity also expands the attack surface and raises the stakes: OT compromise can translate into physical harm, environmental impact, and disruption of essential services. 

 

The Secure Connectivity Principles for OT (produced by UK NCSC and co-distributed by partner agencies) set out what “good” looks like architecturally and operationally, from limiting exposure to establishing an isolation plan. The recurring theme across the principles is decision-making under constraints: legacy systems, third-party access, complex dependencies, and limited time and budget. 

 

That is precisely why OT leaders increasingly need cyber risk quantification (CRQ): a disciplined way to translate secure connectivity and control decisions into comparable, auditable risk terms. Not because every risk can be measured perfectly, but because OT organizations must routinely decide what to connect, what to segment, what to replace, and what to monitor—while defending those decisions to senior accountable owners, regulators, and operators. 

 

Below is how the guidance implicitly “calls for” financial quantification, and how to build an OT-focused CRQ capability that complements the secure connectivity principles. 

 

1) OT connectivity decisions require explicit risk thresholds 

 

Before undertaking OT connectivity design, the guidance stresses the need to make risk-informed decisions that are documented and auditable. It recommends a formal business case for each connection, including: what is required, the business benefit, risk tolerance, potential impacts of compromise, introduced dependencies, and senior accountability. 

 

That set of requirements is, in practice, a mandate for quantification. 

 

“Risk tolerance” is not actionable unless it is expressed as thresholds that can be tested. The guidance even advises defining risk thresholds so future decisions can be measured against agreed limits. 

 

“Potential impacts” in OT are multidimensional (safety, environmental, operational continuity, and sometimes national-level interdependencies). Without quantification, these impacts tend to be described qualitatively (“high,” “critical”), which makes trade-offs opaque and inconsistent. 

 

What Cyber Risk Quantification (CRQ) enables: a repeatable way to state, for example, “this remote access path introduces a $K increase in annualized loss exposure, dominated by downtime and safety risk, and exceeds our defined threshold unless we implement brokered access + MFA + segmentation + monitoring.” 

 

2) Scarcity forces prioritization — quantification prevents “loudest risk wins” 

 

The guidance acknowledges limited resources and recommends prioritizing systems based on operational role, fail-safes/redundancy, implementation time/cost/complexity, and active threat activity context. 

 

These are all prioritization inputs. But without a financial quantification model, prioritization often becomes subjective: 

  • High-visibility assets get attention over high-consequence assets. 
  • Projects could get funded based on fear, not measurable risk reduction. 
  • “Cheapest mitigation” gets selected despite limited risk reduction impact, which the guidance explicitly cautions against. 

 

What CRQ enables: a defensible portfolio view: expected loss reduction per unit cost, plus criticality modifiers for safety and essential service continuity. This makes it easier to justify why, for example, replacing an obsolete boundary device beats adding a minor monitoring tool, even if the tool is cheaper. 

 

Want a concrete way to operationalize this? 

Explore how OT Cyber Risk Quantification translates exposures and control choices into decision-ready risk terms: 

Get Started | DeRISK CRQ →

 

 

3) Obsolescence is a risk multiplier — and a budgeting problem 

 

OT environments frequently contain obsolete products that no longer receive security updates, lack modern mitigations (authentication, cryptography), and require compensating controls and specialized skills. The guidance is blunt: obsolete products should be treated as untrusted and not used to implement security controls; segmentation may be temporary while a replacement timeline is established. 

 

This is where financial quantification becomes essential for capital planning: 

  • Residual risk after segmentation/compensating controls can remain high. 
  • Cost of controls (engineering time, operational overhead, monitoring burden) can exceed replacement cost over time. 
  • Recovery complexity rises when expertise is scarce, increasing outage duration and business impact. 

 

What CRQ enables: a transparent comparison between (a) keeping legacy assets with compensating controls and (b) modernization—expressed as risk exposure over time and total cost of risk ownership. 

 

4) Exposure management demands measurable attack surface outcomes 

 

The principles emphasize limiting exposure (including admin interfaces), using just-in-time access, avoiding inbound port exposure by initiating outbound connections from within OT, and brokered access via a DMZ for external parties. They also recommend external attack surface management (EASM) to detect unintended internet exposure and treat discovered assets as at-risk and urgently investigated. 

 

Exposure is measurable—so it should be quantified: 

  • How many internet-visible endpoints exist today? 
  • What services/ports/protocols are exposed, and for how long? 
  • What is the incremental risk of a new remote access path versus a brokered DMZ pattern? 

 

What CRQ enables: “attack surface risk accounting”—tying exposure metrics (externally discoverable assets, inbound services, vendor pathways) to probability of compromise and expected impact. It also supports “reduce time of exposure” decisions by quantifying the risk delta of always-on vs just-in-time connectivity. 

 

5) Standardization and segmentation reduce risk — CRQ proves the value 

 

The guidance argues for centralizing and standardizing connections to reduce complexity and misconfiguration risk, and for designing connectivity to be flexible, repeatable, and categorized (human-to-machine vs machine-to-machine, etc.). It also stresses layered defenses against contamination and lateral movement, including segmentation and micro-segmentation. 

 

These are controls with real cost and change implications. OT leaders often need to justify why segmentation projects matter more than point solutions. 

 

What CRQ enables: quantifying the reduction in “blast radius” and lateral movement likelihood when moving from a flat network to zoned/micro-segmented design—especially where vendor VPN access could otherwise become effectively “access to everything.” 

 

6) Logging, monitoring, and isolation plans should be funded based on quantified resilience gaps 

 

The guidance calls monitoring the “last line of defence” and emphasizes comprehensive logging to establish normal baselines and detect abnormalities, along with special treatment for break-glass events and continuous monitoring of data flows between segments. It also stresses establishing and regularly testing an isolation plan, accounting for business continuity and contractual impacts (e.g., shifting vendors from remote to onsite support). 

 

In OT, resilience investments often compete with production investments. Quantification helps answer: 

  • What is the cost of delayed detection (dwell time) in this environment? 
  • What is the business impact of isolating a site, and which data flows must persist safely (potentially via hardware-enforced unidirectional controls)? 
  • What is the risk reduction from better monitoring versus better segmentation versus better boundary hardening? 

 

What CRQ enables: aligning detection and isolation capabilities to the modeled “loss magnitude” of key scenarios—so monitoring and isolation are funded proportionately to consequence, not treated as generic compliance items. 

 

How to financially quantify cybersecurity risk in OT: a practical model tied to connectivity 

 

A useful OT CRQ program is scenario-based and explicitly anchored in connectivity decisions (because connectivity is the recurring lever throughout the principles). 

 

  • Start with a definitive architecture view

The guidance notes you need a definitive view of OT architecture to assess dependencies and impacts effectively. Your quantification model will be only as credible as your understanding of zones, conduits, trust boundaries, data flows, and inter-dependencies. 

 

  • Define “connectivity-driven” risk scenarios

Examples aligned to the principles include: 

  • Vendor remote access compromise via exposed or poorly brokered pathways (DMZ/jump host misuse, weak authentication). 
  • Internet-exposed OT asset discovered and exploited (unintended exposure found via EASM). 
  • Lateral movement after initial foothold in a flat or weakly segmented OT network. 
  • Contamination event from infected engineering laptop or update mechanism. 
  • Isolation-triggering incident where operations must sever external dependencies, with measurable downtime and recovery duration. 

 

  • Quantify frequency and impact in OT terms

Even if you use ranges rather than single numbers, quantify: 

  • Frequency drivers: exposure level, prevalence of obsolete devices, third-party pathways, threat activity context, monitoring coverage. 
  • Impact drivers: safety outcomes, environmental impact, outage duration, production loss, recovery complexity, regulatory consequences, contractual penalties, reputational cost. 

 

  • Convert results into decision triggers

Use the business case concept from Principle 1 to define thresholds and required mitigations. For instance: 

  • If a new connection exceeds threshold X, it must use outbound-only initiation, brokered DMZ access, MFA, and enhanced monitoring—or it is rejected. 
  • If residual risk on an obsolete boundary asset remains above tolerance after compensating controls, it triggers a funded replacement timeline. 
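
The steps above can be carried through for a single scenario. The sketch below is an added example, not DeNexus's model and not taken from the NCSC guidance: it simulates annual losses for a vendor remote-access scenario under two connectivity options and tests each against thresholds. The Poisson/lognormal model, every frequency and loss range, and both thresholds are constructed assumptions.

```python
import math
import random

Z90 = 1.645  # z-score bounding a 90% interval (5th to 95th percentile)

def simulate_annual_losses(freq_per_year, loss_low, loss_high, years=20000, seed=7):
    """Annual loss totals: Poisson incident count, lognormal loss per incident.
    loss_low/loss_high are the estimator's 5th/95th percentile loss per incident."""
    rng = random.Random(seed)
    mu = (math.log(loss_low) + math.log(loss_high)) / 2
    sigma = (math.log(loss_high) - math.log(loss_low)) / (2 * Z90)
    totals = []
    for _ in range(years):
        total, t = 0.0, rng.expovariate(freq_per_year)
        while t < 1.0:  # each arrival inside the year is one incident
            total += rng.lognormvariate(mu, sigma)
            t += rng.expovariate(freq_per_year)
        totals.append(total)
    return totals

def evaluate(option, ale_limit, p95_limit):
    """Compare one connectivity option against both thresholds."""
    totals = sorted(simulate_annual_losses(option["freq"], option["low"], option["high"]))
    ale = sum(totals) / len(totals)            # annualized loss exposure
    p95 = totals[int(0.95 * len(totals))]      # 1-in-20-year annual loss
    ok = ale <= ale_limit and p95 <= p95_limit
    return {"name": option["name"], "ale": ale, "p95": p95,
            "decision": "accept" if ok else "reject or add mitigations"}

# Constructed estimates for one vendor remote-access scenario (not real data).
ALWAYS_ON = {"name": "always-on vendor VPN", "freq": 0.30, "low": 200_000, "high": 5_000_000}
BROKERED = {"name": "brokered DMZ + MFA, just-in-time", "freq": 0.04, "low": 100_000, "high": 2_000_000}
ALE_LIMIT, P95_LIMIT = 100_000, 1_500_000     # hypothetical risk thresholds

if __name__ == "__main__":
    for opt in (ALWAYS_ON, BROKERED):
        r = evaluate(opt, ALE_LIMIT, P95_LIMIT)
        print(f'{r["name"]}: ALE ${r["ale"]:,.0f}, 1-in-20 ${r["p95"]:,.0f} -> {r["decision"]}')
```

When incidents are expected in fewer than one year in twenty, the 1-in-20-year figure is zero, so the annualized loss exposure is checked alongside it rather than relying on the percentile alone.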

 

FAQ  

  • What is OT cyber risk quantification (CRQ)? 

OT cyber risk quantification is a disciplined way to translate connectivity and control decisions into comparable, auditable risk terms—so decisions can be defended to accountable owners, regulators, and operators. 

 

  • How does CRQ complement secure connectivity principles? 

Secure connectivity principles provide the blueprint for “good” connectivity. CRQ provides the management layer that makes trade-offs consistent—connecting risk tolerance, impacts, dependencies, and investment choices to measurable thresholds. 

 

  • What should OT teams quantify first for connectivity decisions? 

Start with scenarios explicitly tied to connectivity decisions—third-party access pathways, internet exposure, lateral movement in weak segmentation—then quantify frequency and impact drivers in OT terms. 

 

  • How do risk thresholds improve OT decision-making? 

Thresholds make “risk tolerance” testable. A common threshold in CRQ is the maximum catastrophic loss value of a rare 1-in-20-year event. They turn connectivity changes into auditable business cases and prevent prioritization from becoming subjective or driven by the loudest risk. 

 

The outcome: OT cyber decisions that survive scrutiny 

The secure connectivity principles provide an excellent blueprint for how to design and manage OT connectivity. OT cyber risk quantification provides the missing management layer: a way to consistently decide where to invest first, how much control is enough, and when to accept residual risk—with traceability to explicit thresholds, business impacts, and senior accountability. 

 

If you adopt only one takeaway: treat every meaningful OT connectivity decision as a quantified, auditable business case—because the guidance already expects you to justify requirements, benefits, risk tolerance, impacts, and dependencies. Quantification is what makes that expectation operational. 

 

If your organization is trying to turn OT connectivity guidance into measurable, defensible decisions, CRQ is the bridge. Learn more about DeNexus DeRISK CRQ 
