DEFINITIONS AND KEY TERMS
What are the key definitions and terms used in this Best Practice Guide?
The terms below are used throughout this guide. All definitions are vendor-neutral and drawn from the cited standards.
- Zero Standing Privilege (ZSP): An operating model where no access exists by default. Every session is requested, approved, opened for a bounded window, and revoked on close. Anchored in NIST SP 800-207 Tenets 3 and 6 and IEC 62443-3-3 SR 2.6 (remote session termination).
- Out-of-Band (OOB) access: An access path that is logically or physically independent of the operational network, so it remains usable when the operational network is degraded, isolated, or compromised.
- Air gap: A network posture in which an OT environment has no physical network connection to external networks and no automated logical connection. Strict definition per NIST Computer Security Resource Center glossary. Used in this guide only for genuinely isolated sites, where no physical or logical connection exists. Isolation is defined by the absence of connectivity, not by site size; air-gapped sites are most often small Pattern D installations, but it is the absence of any connection, not the scale, that makes a site air-gapped. Outbound-only brokered architectures are not air gaps and are named separately below.
- Egress-only session pattern: An access architecture in which every session is initiated outbound from the OT zone to an external broker. No listening port exists on the OT side; inbound access is structurally impossible. Distinct from an air gap because a logical path exists when the zone itself opens it. This is the dominant posture for Patterns A through C in this guide and is the practical phrasing of the OT Island Principle.
- Multi-Factor Authentication (MFA): Authentication that combines at least two independent factors. Required per session by NIS2 Article 21(2)(j) and Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10.
- Time-based One-Time Password (TOTP): A short-lived numeric code derived from a shared secret and the current time (RFC 6238, the TOTP: Time-Based One-Time Password Algorithm). Suitable as a second factor in environments without persistent internet connectivity.
- Identity broker: A control plane component that authenticates the human, evaluates approval policy, and issues a session-scoped credential. The identity broker holds no operational privilege itself.
- Session broker: A control plane component that mediates the authenticated session into the OT zone, records the session, and terminates it on inactivity or timer expiry.
- Network Access Control (NAC): A control that gates which devices may attach to a network based on identity, posture, and policy. Relevant where vendor-owned hardware enters a managed OT zone.
- Vendor demilitarized zone (vendor-DMZ): A segregated network segment that hosts vendor-originated sessions before they are mediated into the operational zone. Limits blast radius if vendor equipment is compromised.
- OT intrusion detection system (OT-IDS): Passive network monitoring tuned to industrial protocols. Provides session evidence and anomaly detection inside the OT zone. Where a dedicated OT-IDS is not deployed, equivalent visibility can come from SIEM correlation of session and network logs.
- Unidirectional gateway / data diode: A hardware or hardware-enforced software component that permits data flow in one direction only. Standard pattern for log export from OT zones without creating an inbound path.
- NIS2: Directive (EU) 2022/2555. Imposes risk-management and incident-reporting obligations on essential and important entities, including OT operators in energy, water, transport, and other critical sectors.
- Lov om styrket beredskab i energisektoren: Danish parent law for energy-sector preparedness. §§ 6, 7, and 8 cover organisational, physical, and cybersecurity requirements. BEK 260 is the executive order issued under this law.
- IEC 62443-3-3:2019: International standard (DS/EN harmonization 2019) defining seven Foundational Requirements (FR 1-7) and associated System Requirements (SR) for industrial automation and control systems.
- IEC 62443-2-1:2024: International standard (DS/EN IEC 62443-2-1:2024) defining cybersecurity programme requirements for IACS asset owners. The companion to 3-3 on the asset owner side.
- IEC 62443-2-4:2024: International standard (DS/EN IEC 62443-2-4:2024) defining security programme requirements for IACS service providers. Annex A specifies twelve SP categories including SP.07 Remote access.
- NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security, published September 2023. Functions as an OT overlay on NIST SP 800-53 Rev. 5 and is the authoritative vendor-neutral reference for OT-specific control selection.
- NIST SP 800-207: Zero Trust Architecture, published August 2020. Defines the seven Zero Trust Tenets used as the conceptual foundation for per-session, per-resource access decisions.
- Joint NCSC Secure Connectivity Principles for OT: Eight principles, published 18 March 2024, by the United Kingdom National Cyber Security Centre in joint partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the United States Cybersecurity and Infrastructure Security Agency, the United States Federal Bureau of Investigation, Germany’s Federal Office for Information Security, the Netherlands’ National Cyber Security Centre, and New Zealand’s National Cyber Security Centre. Principle 5 (“Harden your OT boundary”) is the most directly relevant for the third-party access framework, with its hardening checklist explicitly including the requirement to enforce security requirements on third parties.
- Joint CISA Zero Trust for OT: Adapting Zero Trust Principles to Operational Technology, published 29 April 2026 by the United States Cybersecurity and Infrastructure Security Agency (CISA), Department of War, Department of Energy, Federal Bureau of Investigation, and Department of State, with contributions from the National Institute of Standards and Technology. Aligns with NIST CSF 2.0 functions and provides the most recent authoritative application of Zero Trust principles to OT environments.
- Danish energy-sector regime: For Danish energy entities, Lov om styrket beredskab i energisektoren and BEK 260 govern preparedness, including cybersecurity of remote access, to the extent the entity is covered by that regime. The Danish NIS2 implementation (LOV nr. 434 af 6. maj 2025) does not apply to the extent the entity is already covered by Lov om styrket beredskab i energisektoren. Energy entities should consult both regimes for the applicable obligations.