Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Best Practice Guide
  • Compliance & Implementation
View Categories

Compliance & Implementation

COMPLIANCE CROSSWALK
How do the controls in this guide map across multiple compliance frameworks (compliance crosswalk)?
The same set of controls earns credit under multiple frameworks. The crosswalk in Figure 7 maps six control areas introduced in this guide against five frameworks: NIS2 Article 21, Lov om styrket beredskab i energisektoren and BEK 260, IEC 62443-3-3, NIST SP 800-82 Rev. 3, and NIST SP 800-207. Each non-empty cell carries the specific clause reference, not just a checkmark. Empty cells are deliberate. They mean the framework does not address the principle at a clause level that this guide is willing to cite verbatim. Where a framework offers a closely matching control without an exact verbatim clause, the cell cites the most specific available clause and the descriptor remains conservative. Supply-chain hygiene for the IEC 62443 family is anchored to IEC 62443-2-4:2024 (service-provider programme requirements) rather than to 62443-3-3, because the service-provider programme is the system-of-systems requirement most directly applicable to third-party access governance.
Control area NIS2 Art. 21 Lov om styrket beredskab i energisektoren / BEK 260 IEC 62443-3-3:2019 NIST SP 800-82 NIST SP 800-207
1. Zero Standing Privilege (Privilege expires) Art. 21(2)(i) access control policies § 52 stk. 1 nr. 1 + § 55 stk. 2 adgangskontrol; ophører ved opgavens afslutning SR 2.1 + RE 2 authorization enforcement; permission mapping to roles § 6.2.10 remote access OT overlay: removing access when no longer required Tenet 3 per-session access
2. Ad-hoc access beats standing (No always-on paths) Art. 21(2)(e) network and information system security § 62 segmentering og logisk adskillelse SR 5.1 network segmentation § 6.2.1.3 network architecture; deny-all default Tenet 2 all comms secured regardless of location
3. Layered controls (Defense in depth) Art. 21(2)(b) incident handling § 55 stk. 3 mulighed for at afbryde og terminere adgang SR 5.1 network segmentation (zone boundary) AC-17(9) remote access; disconnect/disable Tenet 6 dynamic, strictly enforced authentication
4. Session evidence (Recorded, reviewed) Art. 21(2)(b)+(f) incident handling; effectiveness § 66 stk. 2 nr. 2 logning og opbevaring af adgangshændelser SR 6.1 audit log accessibility § 5.2.3.2 centralized logging Tenet 7 monitor posture; collect info; improve
5. Supply-chain hygiene (Vendors are assets too) Art. 21(2)(d) + para 3 supply-chain security § 29 + § 30 + § 31 leverandørstyring; krav til tredjepart IEC 62443-2-4 SP.07 service provider security program § 6.2.10 third-party access n/a outside ZTA scope
6. Offline-capable design (Works when internet doesn’t) Art. 21(2)(j) MFA / continuous authentication § 53 flerfaktorautentificering SR 1.1 + RE 2 identification and authentication; unique IDs § 6.2.10 identification and authentication Tenet 6 authZ enforced before access
Figure 7. Compliance crosswalk. Six control areas by five frameworks, with the specific clause reference in each non-empty cell. Empty cells are deliberate and explicitly marked. Product-specific coverage mapping lives in the companion BifrostConnect Implementation Guide (Del 2).
IMPLEMENTATION PRIORITY
What is the recommended implementation priority and phased plan for third-party OT access controls?
A reader finishing the crosswalk typically asks a practical question: what do I do on Monday morning? This guide’s answer is a vendor-neutral maturity staging. The ordering is deliberately technology-agnostic; it reflects the natural sequence in which controls stabilise on top of each other. A competitor to the publisher of this guide could adopt the same sequence without change.

PHASE 1 – STOP THE BLEEDING (0-30 DAYS)

Inventory every third-party access path currently in use: named vendor, purpose, entry point, protocol, and whether MFA is enforced. Remove or disable any standing VPN account for which no current, approved work exists. Disable inbound listening ports that are not accounted for in the inventory. This phase is discovery and containment; it does not require new procurement.

PHASE 2 – ESTABLISH THE PATTERN (30-90 DAYS)

Introduce a session broker, MFA on every session, and per-session approval. Replace shared vendor credentials with named identities bound to the broker. Enforce a time-out policy measured in hours. At this phase, the access path may still be imperfect; the goal is to make every session a discrete, identifiable, revocable event. These windows assume an organisation with existing identity and logging foundations; a site starting from zero should treat the same steps as a longer programme and sequence them over a realistic horizon.

PHASE 3 – EVIDENCE AND MONITORING (90-180 DAYS)

Turn on session recording and route logs to the asset owner’s SIEM or SOC. Tune alarming on specific OT anomalies (PLC stop attempts, unauthorised code upload, command sequences outside ticketed work). Institutionalise incident response for detected anomalies: session revocation, site-owner notification, incident record. A 90-to-180-day window is realistic only where log collection already exists; building SIEM or SOC visibility from nothing is itself a multi-quarter effort and should be planned as one.

PHASE 4 – PROGRAM MATURITY (180+ DAYS)

Move from per-session controls to programme-level controls. Vendor onboarding checklists, contract clauses for security posture, background checks where the regulatory regime allows it, vendor-specific threat modelling, and joint incident response playbooks with named vendors. This phase is the substance of IEC 62443-2-4:2024 and NIS2 Article 21(2)(d) read together.

Updated on July 10, 2026
Defence in DepthResidual Risks
Table of Contents
  • PHASE 1 - STOP THE BLEEDING (0-30 DAYS)
  • PHASE 2 - ESTABLISH THE PATTERN (30-90 DAYS)
  • PHASE 3 - EVIDENCE AND MONITORING (90-180 DAYS)
  • PHASE 4 - PROGRAM MATURITY (180+ DAYS)
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved