Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Best Practice Guide
  • Definitions
View Categories

Definitions

DEFINITIONS AND KEY TERMS
What are the key definitions and terms used in this Best Practice Guide?
The terms below are used throughout this guide. All definitions are vendor-neutral and drawn from the cited standards.
  • Zero Standing Privilege (ZSP): An operating model where no access exists by default. Every session is requested, approved, opened for a bounded window, and revoked on close. Anchored in NIST SP 800-207 Tenets 3 and 6 and IEC 62443-3-3 SR 2.6 (remote session termination).
  • Out-of-Band (OOB) access: An access path that is logically or physically independent of the operational network, so it remains usable when the operational network is degraded, isolated, or compromised.
  • Air gap: A network posture in which an OT environment has no physical network connection to external networks and no automated logical connection. Strict definition per NIST Computer Security Resource Center glossary. Used in this guide only for genuinely isolated sites, where no physical or logical connection exists. Isolation is defined by the absence of connectivity, not by site size; air-gapped sites are most often small Pattern D installations, but it is the absence of any connection, not the scale, that makes a site air-gapped. Outbound-only brokered architectures are not air gaps and are named separately below.
  • Egress-only session pattern: An access architecture in which every session is initiated outbound from the OT zone to an external broker. No listening port exists on the OT side; inbound access is structurally impossible. Distinct from an air gap because a logical path exists when the zone itself opens it. This is the dominant posture for Patterns A through C in this guide and is the practical phrasing of the OT Island Principle.
  • Multi-Factor Authentication (MFA): Authentication that combines at least two independent factors. Required per session by NIS2 Article 21(2)(j) and Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10.
  • Time-based One-Time Password (TOTP): A short-lived numeric code derived from a shared secret and the current time (RFC 6238, the TOTP: Time-Based One-Time Password Algorithm). Suitable as a second factor in environments without persistent internet connectivity.
  • Identity broker: A control plane component that authenticates the human, evaluates approval policy, and issues a session-scoped credential. The identity broker holds no operational privilege itself.
  • Session broker: A control plane component that mediates the authenticated session into the OT zone, records the session, and terminates it on inactivity or timer expiry.
  • Network Access Control (NAC): A control that gates which devices may attach to a network based on identity, posture, and policy. Relevant where vendor-owned hardware enters a managed OT zone.
  • Vendor demilitarized zone (vendor-DMZ): A segregated network segment that hosts vendor-originated sessions before they are mediated into the operational zone. Limits blast radius if vendor equipment is compromised.
  • OT intrusion detection system (OT-IDS): Passive network monitoring tuned to industrial protocols. Provides session evidence and anomaly detection inside the OT zone. Where a dedicated OT-IDS is not deployed, equivalent visibility can come from SIEM correlation of session and network logs.
  • Unidirectional gateway / data diode: A hardware or hardware-enforced software component that permits data flow in one direction only. Standard pattern for log export from OT zones without creating an inbound path.
  • NIS2: Directive (EU) 2022/2555. Imposes risk-management and incident-reporting obligations on essential and important entities, including OT operators in energy, water, transport, and other critical sectors.
  • Lov om styrket beredskab i energisektoren: Danish parent law for energy-sector preparedness. §§ 6, 7, and 8 cover organisational, physical, and cybersecurity requirements. BEK 260 is the executive order issued under this law.
  • IEC 62443-3-3:2019: International standard (DS/EN harmonization 2019) defining seven Foundational Requirements (FR 1-7) and associated System Requirements (SR) for industrial automation and control systems.
  • IEC 62443-2-1:2024: International standard (DS/EN IEC 62443-2-1:2024) defining cybersecurity programme requirements for IACS asset owners. The companion to 3-3 on the asset owner side.
  • IEC 62443-2-4:2024: International standard (DS/EN IEC 62443-2-4:2024) defining security programme requirements for IACS service providers. Annex A specifies twelve SP categories including SP.07 Remote access.
  • NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security, published September 2023. Functions as an OT overlay on NIST SP 800-53 Rev. 5 and is the authoritative vendor-neutral reference for OT-specific control selection.
  • NIST SP 800-207: Zero Trust Architecture, published August 2020. Defines the seven Zero Trust Tenets used as the conceptual foundation for per-session, per-resource access decisions.
  • Joint NCSC Secure Connectivity Principles for OT: Eight principles, published 18 March 2024, by the United Kingdom National Cyber Security Centre in joint partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the United States Cybersecurity and Infrastructure Security Agency, the United States Federal Bureau of Investigation, Germany’s Federal Office for Information Security, the Netherlands’ National Cyber Security Centre, and New Zealand’s National Cyber Security Centre. Principle 5 (“Harden your OT boundary”) is the most directly relevant for the third-party access framework, with its hardening checklist explicitly including the requirement to enforce security requirements on third parties.
  • Joint CISA Zero Trust for OT: Adapting Zero Trust Principles to Operational Technology, published 29 April 2026 by the United States Cybersecurity and Infrastructure Security Agency (CISA), Department of War, Department of Energy, Federal Bureau of Investigation, and Department of State, with contributions from the National Institute of Standards and Technology. Aligns with NIST CSF 2.0 functions and provides the most recent authoritative application of Zero Trust principles to OT environments.
  • Danish energy-sector regime: For Danish energy entities, Lov om styrket beredskab i energisektoren and BEK 260 govern preparedness, including cybersecurity of remote access, to the extent the entity is covered by that regime. The Danish NIS2 implementation (LOV nr. 434 af 6. maj 2025) does not apply to the extent the entity is already covered by Lov om styrket beredskab i energisektoren. Energy entities should consult both regimes for the applicable obligations.

Updated on July 10, 2026
Residual RisksReferences
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved