Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Implementing the OT Best Practice Framework with BifrostConnect
  • Scenario Implementation – Scenario 4
View Categories

Scenario Implementation – Scenario 4

SCENARIO OVERVIEW
What are the four OT access scenarios, and which BifrostConnect products map to each?

Part 1 defines four scenarios derived from two axes: where the programming software is located (engineering station vs vendor PC) and the scale of the OT operation (small with no SOC vs large with SOC, PAM, SIEM). Each scenario maps to a specific BifrostConnect product mix.The figure below shows the four implementations side by side. The detailed configuration for each scenario follows in the next four sections.

SCENARIO 4 · PATTERN B
How is BifrostConnect implemented for Scenario 4 (large OT, vendor-owned PC)?

Part 1 requirement recap: Large utility or industrial site with vendor-owned licensed software on vendor laptops. Part 1 requires layered controls: NAC, vendor DMZ, OT-IDS with deep packet inspection, protocol-level monitoring, centralised SIEM, and isolation between vendor engagements.

Configuration:

  • Bifrost Units deployed at each vendor access point on the OT network (Purdue L3 / DMZ).
  • Unattended variant used for operations requiring admin-driven access without on-site presence.
  • Bifrost Manager hosted on Dedicated Cloud or on-premises; SSO federated to enterprise IdP.
  • SessionGuard VM deployed per customer engagement, giving isolation between different vendor-customer relationships.
  • An OT-IDS co-deployed on the OT network to provide deep packet inspection on actual OT protocols (Modbus TCP, OPC UA, S7comm, IEC-104). This is co-deployment, not API-level integration: BifrostConnect and OT-IDS operate independently, correlated at the SIEM layer.
  • SIEM receives: Bifrost Manager events, OT-IDS alerts, SessionGuard recording metadata. Correlation happens in the SIEM, not in BifrostConnect.
  • A certified data diode is available for unidirectional log export or unidirectional Historian replication as a compensating control where required.

Compliance evidence mapping (Part 1, Scenario 4 regulatory alignment):

Requirement (source)Technical evidence BifrostConnect providesOrganizational control still required
NIS2 Art. 21(2)(d): supply chain (vendor device on OT)JIT access, SSO-federated vendor identity, SessionGuard recording, Bifrost Unit network isolation, SIEM export.Vendor device compliance verification (NAC health check), background checks for critical infrastructure, vendor contracts.
NIS2 Art. 23: 24h/72h/1-month staged reportingComprehensive session logs, SIEM-integrated audit trail, SessionGuard recordings for scope determination.Incident response plan with 24/72-hour workflow, trained reporting team, legal counsel, designated authority contact.
IEC 62443-3-3:2019 FR 5 Restricted data flow + FR 1 SR 1.1Hardware-enforced zone boundary (Bifrost Unit at L3), scoped tunnel access.Security level assignment per zone, documented conduit policies, periodic penetration testing.
BEK 260 §62: mandatory network segmentation during vendor accessBifrost Unit in DMZ, masquerading, outbound-only OT posture.Network architecture documentation, vendor VLAN policies, segmentation verification testing.
BEK 260 §74: alternative communication for incident responseBifrost Unit over 4G/LTE provides out-of-band access independent of primary WAN.Tested fallback communication procedures, documented alternative access paths.
CER Directive: supply chain supervisionCross-vendor session audit trail, per-engagement isolation via SessionGuard VMs.Cross-sector resilience assessment, supplier qualification program, periodic supply chain review.

Implementation requirements for Scenario 4. Scenario 4 brings the most controls together. The following deployment decisions make each layer carry its weight:

  • OT-IDS placement: position OT-IDS visibility downstream of the Bifrost Unit (on the decrypted L1/L2 traffic). DPI on Modbus / OPC UA / S7comm needs the cleartext, so the architecture must give the IDS a tap point past tunnel termination.
  • Pair recording layers: SessionGuard is designed to capture the operator side; OT-IDS packet captures cover the wire side. Together they answer ‘who did what’ and ‘what hit the protocol’ – both questions an incident review needs.
  • Data diode role: a certified data diode provides unidirectional transfer for log export and Historian replication. Deploy it where one-way movement is mandated; treat it as a transport guarantee, not a replacement for monitoring.
  • Time-bound Direct Tunnel Access: operate Bifrost Manager on the Advanced plan or Dedicated Cloud tier, which enables Time-Based Access for Direct IP Tunnel so subnet mappings can be made time-bound. This converts the default-permanent posture to default-just-in-time, matching NIS2 Art. 21(2)(i) intent.

Maturity profile: minimum viable vs target state (Scenario 4). Scenario 4 is the most layered scenario. Minimum viable already brings most of the control set in place; target state hardens the trust boundaries and adds full diode-protected one-way transport for the most regulated environments.

CapabilityMinimum viable (Scenario 4 floor)Target state (Scenario 4 ceiling)
IdentityBifrost Manager with enterprise SSO (Dedicated Cloud / on-premises tier); RBAC and JIT in place.Hardware-token MFA on admin accounts; impossible-travel detection; policy four-eyes principle on access scope changes.
RecordingSessionGuard per engagement on customer-deployed VMs.SessionGuard + OT-IDS packet capture, both correlated at SIEM.
Network boundaryBifrost Unit at L3 / DMZ, outbound-only.Bifrost Unit + a certified data diode for one-way log export and Historian replication; segmentation verified by periodic pen-test.
File handlingVendor file uploads logged and reviewed.Inline file security gateway on every Direct Tunnel Access upload (multi-engine + content disarm/reconstruction).
Multi-customer isolationSeparate SessionGuard VMs per customer engagement.Separate Bifrost Manager tenants per customer engagement; cross-tenant data flow architecturally segregated at the tenant boundary.
Updated on July 14, 2026
Scenario Implementation – Scenario 3Overview and Framework Mapping
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved