BifrostConnect Blog
Who, what, when, how, why. Can you answer all five about your vendor access?
When we talk about cybersecurity in OT and critical infrastructure, the conversation often drops straight into tools, protocols, and products. But the most important questions are far more fundamental. They all come back to the same thing: the vendor's access to your systems.
Not on paper, but in reality. Vendors, integrators, former employees, service partners. Can you name them all?
A single PLC, or the entire production network? Most VPN solutions grant broad access, because it is easier to administer than precise access.
Only during the window the task requires, or around the clock because that is easier to maintain?
of all OT intrusions begin with forgotten or misused remote access
Dragos, 2026
It comes down to both technology and process. A robust model rests on three layers:
The three-layer access model
The connection is outbound from OT, not inbound. No open ports, no persistent tunnel.
Access is hardware-enforced, ad-hoc and time-bound. The vendor reaches exactly the device the task requires, not broadly into the whole segment. MFA is mandatory, and sessions terminate on their own.
Every session is recorded, logged and reviewable afterwards. Screen, keystrokes, actions. What you need when the regulator asks, or when an incident has to be reconstructed.
The model that no longer meets the requirements for critical infrastructure relies on standing VPN tunnels, shared passwords, and trust that the vendor's PC is in order. The first can be documented when the regulator asks. The second cannot.
Is there a concrete, documented task behind it, or is access standing because that has always been easiest? Every session should be explainable with a ticket, a time window, and a specific device.
The technical answers exist. NIS2, IEC 62443, and BEK 260 all point the same way: segmentation, traceability, least privilege, just-in-time access, and out-of-band connections where they make sense.
What matters is whether the organisation can answer the five questions without hesitation, and whether the chosen technology actually supports those answers in practice.
Which of the five is hardest to answer in your organisation right now?
About the Author:
Emilie Lerche Fenger is the Head of Sales and Marketing at BifrostConnect, where she leads the company’s commercial strategy and cybersecurity aligned market positioning. With eight years of experience working with remote access and critical infrastructure, she focuses on understanding real operational challenges, shaping thought leadership and driving strategic initiatives that support NIS2 readiness and resilient IT OT collaboration.




