Part 1 defines four scenarios derived from two axes: where the programming software is located (engineering station vs vendor PC) and the scale of the OT operation (small with no SOC vs large with SOC, PAM, SIEM). Each scenario maps to a specific BifrostConnect product mix.The figure below shows the four implementations side by side. The detailed configuration for each scenario follows in the next four sections.
Part 1 requirement recap: Large utility or industrial site with dedicated OT security staff, existing SOC, PAM, SIEM. Programming software is installed on engineering stations under operations control. Vendor access must integrate with enterprise identity, be logged to SIEM and support fast emergency access.
Configuration:
- Bifrost Manager deployed on BifrostConnect Dedicated Cloud or on-premises (required for SSO and SIEM).
- SSO configured against the customer’s existing IdP (SAML, OAuth2, AD or LDAP).
- Vendor groups defined with Just-in-Time (JIT) time-boxed access windows.
- AccessGuard deployed on engineering stations; account provisioning flows from the Bifrost Manager identity layer.
- SIEM integration configured to forward authentication events, access grants and denials, session start and end, and recording metadata.
- Audit logging enabled for all Manager actions, including admin operations.
- Firmware updates on Bifrost Units managed via OTA from Bifrost Manager with session-aware postponement.
Compliance evidence mapping (Part 1, Scenario 2 regulatory alignment):
| Requirement (source) | Technical evidence BifrostConnect provides | Organisational control still required |
|---|---|---|
| NIS2 Art. 21(2)(b): incident handling | Session recordings, audit logs, SIEM-forwarded events for forensic investigation and 24h/72h/1-month staged reporting. | Incident response plan, trained incident response team, established communication with competent authority, legal counsel on standby. |
| NIS2 Art. 21(2)(c): business continuity | Session logs for disaster recovery verification, attended Bifrost Unit for emergency access. | Business continuity plan, tested failover procedures, documented recovery priorities. |
| NIS2 Art. 21(2)(d): supply chain security | JIT access, SSO-federated vendor identity, per-vendor group scoping, session recording, SIEM export. | Vendor contractual obligations, regular vendor access reviews, supplier risk assessment, incident notification clauses. |
| NIS2 Art. 23: 24h/72h/1-month staged reporting | SIEM-integrated session logs for scope determination within reporting deadline. | Established notification workflow, legal review of reporting obligations, designated incident contact. |
| BEK 260 §62: network segmentation during vendor access | Bifrost Unit as boundary device, outbound-only posture, masquerading. | Network architecture documentation, segmentation verification testing. |
| IEC 62443-3-3:2019 FR 5 Restricted data flow (zone isolation) | Hardware-enforced access boundary between enterprise and OT zones. | Security level assignments per zone, conduit documentation, periodic architecture review. |
Implementation requirements for Scenario 2. Confirm the following operational decisions before go-live so the deployment delivers the SSO, audit and recording properties the compliance evidence will rely on:
- Deployment tier: enterprise SSO and SIEM forwarding are delivered on BifrostConnect Dedicated Cloud or on-premises Manager. Procure the right tier at the start so the SSO trust and audit chain are established before the first vendor session.
- Recording verification: include the SessionGuard or AccessGuard acceptance test in rollout (see Implementation hardening guidance). Treat the test as a go-live gate so recording is provably enforced from day one.
- PAM co-deployment: keep your existing PAM platform for credential vaulting. BifrostConnect provides the access-and-audit layer upstream of credentials; mapping which control owns what avoids overlap and keeps the credential rotation policy in PAM where the auditor expects it.
Optional co-deployment: certified data diode. For Scenario 2 sites that operate Historian replication into the IT analytics stack, or that need to forward OT logs into a centralised SIEM without opening a return path into the OT zone, a certified data diode is the recommended unidirectional transport. The diode is co-deployed alongside BifrostConnect rather than replacing any of its functions:
- One-way log export: place the diode between the OT logging infrastructure and the enterprise SIEM destination. Bifrost Manager events flow to SIEM through the standard outbound channel; OT-IDS alerts and asset telemetry flow through the diode. Both meet at the SIEM for correlation.
- One-way Historian replication: deploy one-way database replication on the diode for replicating the Historian (or any OPC UA / SQL data store) to the IT analytics stack without an inbound IT-to-OT path.
- Inline file scanning for vendor uploads: chain a data-diode file security gateway (multi-engine scan, content disarm/reconstruction) ahead of Direct Tunnel Access file uploads so vendor-introduced files are sanitised before they touch the OT zone.
These are co-deployments, not replacements: the diode handles unidirectional transport; BifrostConnect handles the human-session governance. Both forward to the customer SIEM.
Maturity profile: minimum viable vs target state (Scenario 2). Read the guide’s recommendations as a floor, not a ceiling. Minimum viable closes the compliance gap for a large OT site; target state adds resilience, redundancy, and diode-protected one-way transport.
| Capability | Minimum viable (Scenario 2 floor) | Target state (Scenario 2 ceiling) |
|---|---|---|
| Identity | Bifrost Manager with Auth0 MFA on admin accounts; per-vendor accounts. | Enterprise SSO via SAML / OAuth 2.0 / AD / LDAP (Dedicated Cloud / on-premises tier); conditional access and hardware-token MFA on admin sign-in (delivered through the customer’s federated IdP). |
| Recording | AccessGuard on engineering stations (H.264 + DPAPI). | AccessGuard + SessionGuard for cross-check; tamper alerts forwarded to SOC. |
| Network boundary | Bifrost Unit at OT boundary, outbound-only on port 443. | Bifrost Unit + a certified data diode for one-way log export and Historian replication. |
| Audit + monitoring | Native SIEM forwarding from Bifrost Manager (Dedicated Cloud tier). | Bifrost Manager + OT-IDS co-deployment correlated at the SIEM. |
| Vendor file handling | Vendor-supplied files reviewed by ops before deployment. | Inline data-diode file security gateway (multi-engine malware scanning + content disarm/reconstruction) on every Direct Tunnel Access file upload. |