Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Implementing the OT Best Practice Framework with BifrostConnect
  • Threat Model
View Categories

Threat Model

THREAT MODEL
How does BifrostConnect reduce the remote-access attack surface for each class of threat actor?

Part 1 identifies a threat model consisting of named threat actors, attack vectors and reference incidents. This section maps each to the control layer in BifrostConnect that addresses it.

Part 1 names five classes of threat actor relevant to OT third-party access. Nation-state APTs (e.g. Volt Typhoon, Sandworm) pursue strategic pre-positioning in critical infrastructure. Ransomware operators monetise disruption and exfiltration. Hacktivists target utilities for political messaging. Malicious insiders abuse authorised access. Supply-chain attackers weaponise the vendor relationship itself.

Threat actor (Part 1)How BifrostConnect reduces the remote-access attack surface for this actor
Nation-state actors (e.g. Volt Typhoon, Sandworm)Removes the always-on remote-access tunnel that LOTL-style intrusions reuse. Hardware trust boundary, no local web services, signed firmware only, OTA-only updates, and non-reversible fuse-enforced secure boot reduce the Unit’s own exploitable surface. Does not address SOHO-router compromise, spear-phishing, or other entry vectors these actors are known to use.
Ransomware groups targeting OT (e.g. ALPHV/BlackCat)Closes the always-on remote-access path that ransomware operators have used to reach OT (Colonial Pipeline pattern). No persistent tunnel, no broad network access, session-based teardown. SessionGuard provides post-incident reconstruction when deployed and active. Does not address phishing, IT-side compromise, or backup destruction; ransomware response requires a complete IR programme.
Insider threat (authorised user acting beyond scope)Individual identity (no shared accounts), session recording where SessionGuard or AccessGuard is deployed, SIEM forwarding (Dedicated Cloud tier), JIT time-boxing, and least-privilege role model in Bifrost Manager raise the cost and traceability of insider misuse during the approved session window. Does not prevent misuse during a legitimately approved session; that residual risk is addressed in the Part 1 residual-risk section through procedural controls.
Compromised vendor (supply chain)Physical broker isolates vendor PC from OT network. For KVM sessions, vendor PC has no network access to OT at all. For IP tunnel sessions, vendor PC IP never appears on the OT LAN; masquerading enforces address translation. Does not address compromise inside the vendor session itself (e.g. malicious code already present on the vendor laptop being executed during a legitimate session); SessionGuard recording supports detection and forensics, not prevention.
Opportunistic external scannerEndpoints never exposed to the internet; endpoint IP addresses hidden; port scans through Bifrost interface are impossible because no inbound port is open.
ATTACK VECTORS
Which OT attack vectors does BifrostConnect mitigate, and how?

The attack vectors that recur across published OT incidents cluster into five patterns: exposed remote access (VPN or RDP left reachable), credential theft and reuse, supply-chain compromise via vendor tooling, unpatched OT endpoints exploited through living-off-the-land techniques, and shared bastion or jump hosts that become persistent footholds. Each vector is addressed below.

Attack vector (Part 1)Bifrost mitigation
Credential theft / reuseMandatory MFA (Auth0); TOTP tied to the Bifrost Unit in attended mode; no credentials pass through the Bifrost Service in the clear.
Lateral movement from vendor PCFor KVM: no network-layer connectivity exists. For IP tunnels: operator PC does not receive a local IP on the OT network – masquerading translates source addresses. Subnet mappings are scoped to specific endpoints.
Persistent access paths / forgotten tunnelsDirect Native Access sessions terminate on browser close; Direct Tunnel Access subnet mappings can be configured as time-bound on the Advanced plan and Dedicated Cloud tier. No standing IP path exists by default.
Man-in-the-middle on transportTLS for signalling, DTLS-SRTP end-to-end for WebRTC, WireGuard encryption for Direct Tunnel; private keys never leave the client.
Living-off-the-Land techniques in OTSession recording captures all vendor tool usage regardless of whether the tool is ‘legitimate’. Protocol-level detection requires OT-IDS co-deployment (see Co-deployment categories).
Untracked vendor software on OT stationAccessGuard is designed to scope which applications the vendor can launch; session video captures all activity regardless of application.
REFERENCE INCIDENTS
What real-world OT security incidents does BifrostConnect’s architecture address?

Five publicly documented incidents illustrate the failure modes that Part 1’s framework is designed to prevent: Colonial Pipeline (2021, exposed credential on a legacy VPN); TRITON / TRISIS (2017, safety-system compromise via engineering workstation); Oldsmar water treatment (2021, attribution disputed, shared TeamViewer credential); Ukrainian grid (2015, BlackEnergy against utilities via phishing and VPN abuse); and the Danish energy-sector campaign (SektorCERT, attacks May 2023, public report November 2023; 22 energy companies impacted across two waves via Zyxel firewall vulnerabilities, CVE-2023-28771 and the zero-days CVE-2023-33009 and CVE-2023-33010). Part 1 highlights three of these (Colonial Pipeline, the SektorCERT campaign, and TRITON / TRISIS) as its core reference incidents; Part 2 expands the set to five to cover the failure modes most often raised in OT procurement and audit reviews.

Incident class (Part 1)What Bifrost would have constrained
Oldsmar, Florida (2021, attribution disputed)Individual accounts, MFA, closed-by-default, session video would have given a named operator, a recording, and a bounded window – none of which existed.
Pipeline incident via exposed credentialsNo persistent credential path; sessions require TOTP; SIEM export would have flagged anomalous authentication attempts in real time.
Supply chain malware via vendor laptopFor KVM sessions: vendor PC never has network access to OT assets. For IP tunnel sessions: vendor PC IP never appears on the OT network.
Engineering station compromise via shared admin passwordAccessGuard is designed to enforce individual accounts and mandatory MFA; the architecture is designed so shared admin credentials cannot be configured.
Danish energy sector attack (2023, 22 companies via firewall vulnerabilities)Bifrost Unit does not require inbound firewall rules on the OT network. The attack exploited exposed firewall management interfaces; the Bifrost Unit exposes none.
Updated on July 14, 2026
Overview and Framework MappingScenario Implementation – Scenario 1
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved