Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Implementing the OT Best Practice Framework with BifrostConnect
  • Scenario Implementation – Scenario 1
View Categories

Scenario Implementation – Scenario 1

SCENARIO OVERVIEW
What are the four OT access scenarios, and which BifrostConnect products map to each?

Part 1 defines four scenarios derived from two axes: where the programming software is located (engineering station vs vendor PC) and the scale of the OT operation (small with no SOC vs large with SOC, PAM, SIEM). Each scenario maps to a specific BifrostConnect product mix.The figure below shows the four implementations side by side. The detailed configuration for each scenario follows in the next four sections.

SCENARIO 1 · PATTERN C
How is BifrostConnect implemented for Scenario 1 (small OT, software on the engineering station)?

Part 1 requirement recap: Small utility, two IT staff, standalone engineering station with PLC programming software. Vendor needs screen-level access. No AD, no server infrastructure, no security staff. Security must be architectural.

BifrostConnect implementation. Minimum-viable floor: AccessGuard, installed directly on the engineering station and reached over the site’s existing remote-access path. The configuration below details this floor; the canonical best-practice target adds an unattended Bifrost Unit at the boundary (see Recommended hardening, below).

Configuration:

  • AccessGuard agent installed on the Windows engineering station (Windows XP SP3+ to Windows 11 (incl. Server 2003+), 2 GB RAM free, port 7531).
  • Localhost-only binding (127.0.0.1:7531). No network exposure of the agent.
  • Mandatory TOTP enrolment for every vendor technician account. TOTP cannot be disabled.
  • Application launch scope: only the programming software the vendor needs. No general shell or Explorer access.
  • H.264 session recording enabled by default. Recordings encrypted at rest using Windows DPAPI.
  • Recordings stored locally on the OT network. No cloud dependency.
  • Time-window configured per vendor engagement. Access expires automatically at the end of the window.

Compliance evidence mapping (Part 1, Scenario 1 regulatory alignment):

Requirement (source)Technical evidence BifrostConnect providesOrganisational control still required
NIS2 Art. 21(2)(d): supply chain securityAudit trail of all vendor sessions with individual identity, MFA proof, H.264 session recording.Vendor contractual obligations, supplier risk assessment, incident notification clauses, regular access reviews.
NIS2 Art. 21(2)(i): access control for privileged accessPer-vendor accounts in AccessGuard with mandatory TOTP; application-scoped access.Access control policy document, periodic review, process for revoking access when vendor relationship ends.
NIS2 Art. 21(2)(j): MFA where appropriateMandatory TOTP on every AccessGuard session (cannot be disabled).Risk assessment documenting where MFA is proportionate (NIS2 requires assessment, not blanket MFA).
Danish NIS2 Act §6: identity-bound, MFA; BEK 260 §55 stk. 2 time-limited, §§64-67 loggedIndividual accounts, TOTP, time-windowed access, DPAPI-encrypted session recordings.Written access control policy, staff awareness of vendor session governance.
IEC 62443-2-4:2024 SP.07 Remote access (BR.01-04)Session recording, authentication events, scoped application access.Supplier qualification process, documented security requirements for vendors.
BEK 260 §§51-53 and §55 stk. 2: remote access identity, MFA, time-boundAccessGuard TOTP, individual identity, time-window configuration.Written remote access policy, training of operations staff on vendor session procedures.

Implementation requirements for Scenario 1. Deploy AccessGuard with the following operational decisions in mind so the control envelope is what is documented in compliance evidence:

  • Network connectivity: AccessGuard is designed to reach the engineering station over the OT network. For fully air-gapped stations, plan vendor work either on-site or via a Bifrost Unit out-of-band path (see Scenario 3) – both produce equivalent recording and identity evidence.
  • Delivery channel discipline: AccessGuard is the only authorised vendor delivery path. KVM switches, TeamViewer and AnyDesk are out of scope; remove or block them as part of the access policy so the recorded path is the only path.
  • Station-level vs network-level isolation: AccessGuard is the application-and-recording control on the station. Pair it with a station-level network segmentation (VLAN or local firewall) so a compromised station cannot reach other OT assets. The two controls together close the boundary.

Recommended hardening: add a Bifrost Unit at the boundary. Where AccessGuard is paired with an existing remote-access path, it delivers the Scenario 1 minimum viable control envelope as a compensating posture. For organisations that want a stronger boundary – for example sites that handle drinking water, district heating, or other critical infrastructure where the regulator looks for hardware-enforced segmentation – adding an unattended Bifrost Unit at the boundary of the engineering station’s network is the recommended next step (the canonical Scenario 1 best-practice combination). The Unit gives you outbound-only OT posture, an out-of-band 4G/LTE access path for incident response, and the option to add SessionGuard recording later without re-architecting.

The canonical Scenario 1 best-practice combination is Direct Tunnel Access + AccessGuard + Bifrost Manager + an unattended Bifrost Unit at the boundary. AccessGuard with disciplined operational controls and an existing remote-access path satisfies NIS2 Art. 21(2)(d), (i), (j); BEK 260 §§29-32 (supplier procedures and remote-access procedures for direct suppliers); and BEK 260 §§51-53 and §55 stk. 2 (access control, MFA, time-bounded remote access) as a compensating posture; the full combination is the recommended target.

Maturity profile: minimum viable vs target state (Scenario 1). The table below distinguishes the floor (what the guide treats as required) from the ceiling (what mature deployments aim for). Read the guide’s recommendations as a floor, not a ceiling: hitting minimum viable closes the audit gap; reaching target state is the operationally-resilient deployment.

CapabilityMinimum viable (Scenario 1 floor)Target state (Scenario 1 ceiling)
IdentityPer-vendor account in AccessGuard, mandatory TOTP per session.Federated to enterprise IdP via Bifrost Manager (Dedicated Cloud / on-premises tier).
RecordingAccessGuard H.264 + DPAPI on the station, customer-controlled storage.AccessGuard plus SessionGuard cross-check on a separate VM for evidence-chain redundancy.
Network boundaryStation-level VLAN or local firewall isolating the engineering station.Bifrost Unit at the boundary – outbound-only OT posture, 4G/LTE out-of-band path for incident response.
Audit + monitoringLocal audit log on the station, periodic export to a SIEM.Bifrost Manager native SIEM forwarding (Dedicated Cloud tier) plus OT-IDS co-deployment for protocol-level alerting.
Updated on July 14, 2026
Threat ModelScenario Implementation – Scenario 2
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved