Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Implementing the OT Best Practice Framework with BifrostConnect
  • Scenario Implementation – Scenario 2
View Categories

Scenario Implementation – Scenario 2

SCENARIO OVERVIEW
What are the four OT access scenarios, and which BifrostConnect products map to each?

Part 1 defines four scenarios derived from two axes: where the programming software is located (engineering station vs vendor PC) and the scale of the OT operation (small with no SOC vs large with SOC, PAM, SIEM). Each scenario maps to a specific BifrostConnect product mix.The figure below shows the four implementations side by side. The detailed configuration for each scenario follows in the next four sections.

SCENARIO 2 · PATTERN A
How is BifrostConnect implemented for Scenario 2 (large OT, software on the engineering station)?

Part 1 requirement recap: Large utility or industrial site with dedicated OT security staff, existing SOC, PAM, SIEM. Programming software is installed on engineering stations under operations control. Vendor access must integrate with enterprise identity, be logged to SIEM and support fast emergency access.

Configuration:

  • Bifrost Manager deployed on BifrostConnect Dedicated Cloud or on-premises (required for SSO and SIEM).
  • SSO configured against the customer’s existing IdP (SAML, OAuth2, AD or LDAP).
  • Vendor groups defined with Just-in-Time (JIT) time-boxed access windows.
  • AccessGuard deployed on engineering stations; account provisioning flows from the Bifrost Manager identity layer.
  • SIEM integration configured to forward authentication events, access grants and denials, session start and end, and recording metadata.
  • Audit logging enabled for all Manager actions, including admin operations.
  • Firmware updates on Bifrost Units managed via OTA from Bifrost Manager with session-aware postponement.

Compliance evidence mapping (Part 1, Scenario 2 regulatory alignment):

Requirement (source)Technical evidence BifrostConnect providesOrganisational control still required
NIS2 Art. 21(2)(b): incident handlingSession recordings, audit logs, SIEM-forwarded events for forensic investigation and 24h/72h/1-month staged reporting.Incident response plan, trained incident response team, established communication with competent authority, legal counsel on standby.
NIS2 Art. 21(2)(c): business continuitySession logs for disaster recovery verification, attended Bifrost Unit for emergency access.Business continuity plan, tested failover procedures, documented recovery priorities.
NIS2 Art. 21(2)(d): supply chain securityJIT access, SSO-federated vendor identity, per-vendor group scoping, session recording, SIEM export.Vendor contractual obligations, regular vendor access reviews, supplier risk assessment, incident notification clauses.
NIS2 Art. 23: 24h/72h/1-month staged reportingSIEM-integrated session logs for scope determination within reporting deadline.Established notification workflow, legal review of reporting obligations, designated incident contact.
BEK 260 §62: network segmentation during vendor accessBifrost Unit as boundary device, outbound-only posture, masquerading.Network architecture documentation, segmentation verification testing.
IEC 62443-3-3:2019 FR 5 Restricted data flow (zone isolation)Hardware-enforced access boundary between enterprise and OT zones.Security level assignments per zone, conduit documentation, periodic architecture review.

Implementation requirements for Scenario 2. Confirm the following operational decisions before go-live so the deployment delivers the SSO, audit and recording properties the compliance evidence will rely on:

  • Deployment tier: enterprise SSO and SIEM forwarding are delivered on BifrostConnect Dedicated Cloud or on-premises Manager. Procure the right tier at the start so the SSO trust and audit chain are established before the first vendor session.
  • Recording verification: include the SessionGuard or AccessGuard acceptance test in rollout (see Implementation hardening guidance). Treat the test as a go-live gate so recording is provably enforced from day one.
  • PAM co-deployment: keep your existing PAM platform for credential vaulting. BifrostConnect provides the access-and-audit layer upstream of credentials; mapping which control owns what avoids overlap and keeps the credential rotation policy in PAM where the auditor expects it.

Optional co-deployment: certified data diode. For Scenario 2 sites that operate Historian replication into the IT analytics stack, or that need to forward OT logs into a centralised SIEM without opening a return path into the OT zone, a certified data diode is the recommended unidirectional transport. The diode is co-deployed alongside BifrostConnect rather than replacing any of its functions:

  • One-way log export: place the diode between the OT logging infrastructure and the enterprise SIEM destination. Bifrost Manager events flow to SIEM through the standard outbound channel; OT-IDS alerts and asset telemetry flow through the diode. Both meet at the SIEM for correlation.
  • One-way Historian replication: deploy one-way database replication on the diode for replicating the Historian (or any OPC UA / SQL data store) to the IT analytics stack without an inbound IT-to-OT path.
  • Inline file scanning for vendor uploads: chain a data-diode file security gateway (multi-engine scan, content disarm/reconstruction) ahead of Direct Tunnel Access file uploads so vendor-introduced files are sanitised before they touch the OT zone.

These are co-deployments, not replacements: the diode handles unidirectional transport; BifrostConnect handles the human-session governance. Both forward to the customer SIEM.

Maturity profile: minimum viable vs target state (Scenario 2). Read the guide’s recommendations as a floor, not a ceiling. Minimum viable closes the compliance gap for a large OT site; target state adds resilience, redundancy, and diode-protected one-way transport.

CapabilityMinimum viable (Scenario 2 floor)Target state (Scenario 2 ceiling)
IdentityBifrost Manager with Auth0 MFA on admin accounts; per-vendor accounts.Enterprise SSO via SAML / OAuth 2.0 / AD / LDAP (Dedicated Cloud / on-premises tier); conditional access and hardware-token MFA on admin sign-in (delivered through the customer’s federated IdP).
RecordingAccessGuard on engineering stations (H.264 + DPAPI).AccessGuard + SessionGuard for cross-check; tamper alerts forwarded to SOC.
Network boundaryBifrost Unit at OT boundary, outbound-only on port 443.Bifrost Unit + a certified data diode for one-way log export and Historian replication.
Audit + monitoringNative SIEM forwarding from Bifrost Manager (Dedicated Cloud tier).Bifrost Manager + OT-IDS co-deployment correlated at the SIEM.
Vendor file handlingVendor-supplied files reviewed by ops before deployment.Inline data-diode file security gateway (multi-engine malware scanning + content disarm/reconstruction) on every Direct Tunnel Access file upload.
Updated on July 14, 2026
Scenario Implementation – Scenario 1Scenario Implementation – Scenario 3
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved