Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Best Practice Guide
  • Defence in Depth
View Categories

Defence in Depth

DEFENCE IN DEPTH
What is the defence-in-depth model for third-party OT access and what are the six control layers?
Across all four patterns, the same structural answer recurs: no single control is load-bearing. A defensible third-party access pattern is a stack of independent layers, each catching what the previous missed. If one layer fails, the asset is still protected by the next. This is the structural answer to the supply-chain risk that NIS2 Article 21(2)(d) addresses, and it is the reason Patterns A through D differ in implementation but not in shape. The six layers, from outermost to innermost: Identity and Access (who is requesting); Approval and Ticketing (why and when); Network Path Control (where the session may go); Session Mediation (how the session is rendered into the zone); Session Recording and Monitoring (the witness); Log Integrity and Export (the evidence). Each layer carries its own framework anchor; together they cover the FR 1 through FR 7 spectrum of IEC 62443-3-3.
FIGURE 6. Defence in depth Six concentric control layers wrap a single OT asset, spanning the seven IEC 62443-3-3 Foundational Requirements. OT ASSET PLC · RTU HMI · SCADA 6 5 4 3 2 1 1 Physical & local Tamper-evident hardware. Local authorisation. NIS2 21(2)(i) · IEC FR 1, FR 3 2 Identity & authentication Out-of-band identity. MFA at the station. NIS2 21(2)(i) · FR 1 3 Authorisation Asset owner approves per session. Least-privilege. NIS2 21(2)(i)+(d) · FR 2 4 Session controls Time-bound, scoped. Recording + keystroke logs. NIS2 21(2)(j) · FR 3, FR 4 5 Network controls No inbound. Outbound-initiated only. One-way export. NIS2 21(2)(i)+(d) · FR 5 6 Governance & audit Documentation, evidence retention, periodic review. NIS2 21(2)(f)+(g) · FR 6, FR 7 Six concentric control layers wrap a single OT asset; together they span the seven Foundational Requirements of IEC 62443-3-3.
Figure 6. Six concentric control layers wrap a single OT asset. Each layer carries its own framework anchor; together they span the seven Foundational Requirements of IEC 62443-3-3.
INCIDENT HANDLING ACROSS THE LAYERS
How does incident handling work across the defence-in-depth layers?
NIS2 Article 21(2)(b) requires entities to implement incident handling as a named technical and organisational measure. The layers above are structured for prevention; a defensible pattern also needs structured detection and response when prevention fails. Incident handling threads through three of the six layers. At the Session Recording and Monitoring layer, the recording is not passive; it is piped into an automated rule set that alarms on specific anomalies: attempts to stop or restart a PLC, unauthorised code upload, command sequences that do not match the ticketed work, and authentication events outside the approved window. Anchors: IEC 62443-3-3 SR 6.1 (audit log accessibility) and SR 6.2 (continuous monitoring); audit log generation is anchored in SR 2.8 (auditable events) and SR 2.9 (audit storage capacity); Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 6 (parent law) and BEK 260 §66 stk. 2 nr. 2 (logging on remote-access equipment). At the Log Integrity and Export layer, the pipeline feeds an OT intrusion detection system or a security operations centre that can see events in near-real-time, not only after the fact. Passive logs without alarming do not satisfy §8 stk. 2 nr. 6, because §8 stk. 2 nr. 6 requires the log to support alarms and incident handling, not only forensic reconstruction. The same obligation is reinforced by NIST SP 800-53 Rev. 5 control AU-6 (Audit Record Review, Analysis, and Reporting), which requires review with frequency matched to the risk of the system. At the Approval and Ticketing layer, incident handling closes the loop: a detected anomaly revokes the active session, notifies the site owner, and opens an incident record with the same identifiers as the session recording. This makes the incident handling response traceable to a specific session, a specific vendor identity, and a specific set of actions, which is the evidence pattern NIS2 Article 23 (significant incident reporting) requires. Personal data note. Session recordings typically contain personal data within the meaning of the EU General Data Protection Regulation (GDPR). Retention periods, access control, data subject rights, and processing grounds must be addressed in the recording policy, independently of the technical control. GDPR obligations apply to the recording whether or not the underlying OT system is subject to NIS2.

Updated on July 10, 2026
Degraded Mode & Legacy EquipmentCompliance & Implementation
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved