Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    LusΓ‘gua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting BugsΒ 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational LifecycleΒ 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Best Practice Guide
  • Degraded Mode & Legacy Equipment
View Categories

Degraded Mode & Legacy Equipment

DEGRADED MODE OPERATIONS: WHEN THE BROKER IS UNAVAILABLE
How should degraded mode operations be handled when the session broker is unavailable?
Patterns C and D depend on a broker mediating between the vendor and the OT zone. WAN outages, central-broker failures, and configuration changes inevitably mean the broker will be unavailable at moments when work is required, including emergencies. An access architecture that fails closed in every degraded scenario is also an architecture that prevents emergency response. The discipline is to define explicitly what degrades gracefully and what never bypasses, and to write that boundary into the operational runbook before the first outage. For sites that must keep operating during WAN or broker loss (island-mode operation), define a pre-authorised local break-glass path that is itself identity-bound, time-limited, and logged, so continuity never becomes an ungoverned backdoor. Controls that may degrade gracefully in a documented degraded mode: MFA may temporarily fall back to single-factor where the second factor depends on the unavailable service, provided that the resulting session is logged and tagged as degraded; access decisions may temporarily fall back to a cached policy with a defined maximum cache age (typically 24 to 72 hours); session recording targets may temporarily fall back to local storage if the central evidence vault is unreachable, provided the recordings are exported on broker recovery. Each of these is a documented break-glass step, not a permanent state. Controls that shall never bypass, regardless of degradation.
  • Audit trail. The fact that a degraded-mode session occurred, who initiated it, and what they did must be captured even when the central monitoring stack is unreachable; storage is local until exfil is restored.
  • Identity. A degraded-mode session shall still be tied to a named individual by some local mechanism (badge, station-resident TOTP, supervisor co-presence).
  • Approval. A break-glass session shall require explicit authorisation by a designated role; absence of the broker is not absence of approval.
  • Time-bounding. Degraded sessions shall expire automatically; degraded mode must not be a stable operating state.
  • Anchors. NIST SP 800-82 Rev. 3 Β§6.2.10 (remote access OT overlay) recommends mechanisms to manage the removal of access on a configurable schedule and to support emergency disconnect; NIST SP 800-53 Rev. 5 AC-17(9), per the NIST SP 800-82 Rev. 3 OT overlay, defines a documented disconnect-or-disable capability that extends OT baselines. Both anchors imply that degraded modes must be designed in, not improvised under pressure.
COMPENSATING CONTROLS FOR LEGACY EQUIPMENT
What compensating controls apply to legacy equipment including serial connections and air-gapped systems?
OT estates contain equipment that pre-dates modern remote-access architecture. Serial links (RS-232, RS-485), Modbus RTU, proprietary fieldbus protocols, engineering workstations on Windows XP or Windows 7 (and servers on Windows Server 2003 or 2008), and vendor support tools that presume a flat network are common in installations with 15- to 25-year operating horizons. The principles in this guide apply, but the specific implementation patterns described in Figures 2 through 6 require supplementary controls when the underlying equipment cannot natively support session brokering, MFA, or modern transport security.

SERIAL CONNECTIONS VIA PROTOCOL CONVERTERS

A serial-only PLC cannot be reached by a session broker that speaks IP. The compensating pattern is a protocol converter at the boundary that terminates an authenticated, time-bounded IP session on one side and presents an isolated serial link to the legacy device on the other. The session broker’s authentication, time-bounding, recording, and log-export properties apply on the IP side; the serial side becomes a controlled extension of the brokered session. Anchors: IEC 62443-3-3 SR 5.1 (network segmentation) supports this approach by requiring zone boundaries with controlled communication; NIST SP 800-82 Rev. 3 Β§6.2.1 (Network Architecture) describes protocol converters and unidirectional gateways as legitimate boundary devices for legacy zones. The converter is itself a networked device: an ethernet-to-serial gateway (for example a Moxa NPort) has its own firmware, credentials, and management interface, so it becomes part of the attack surface and must be hardened, segmented, patched, and monitored like any other boundary device.

AIR-GAPPED SYSTEMS AND CONTROLLED MEDIA TRANSFER

Some installations are deliberately air-gapped, with no network path in or out. Engineering changes are delivered on physical media (USB, CD, signed update packs). The principles still apply, but the brokering happens in the human and procedural layer rather than the network layer. Compensating controls: chain-of-custody for every piece of media that crosses the air gap, including who created it, who carried it, and what was on it; a media-staging workstation in a controlled IT area where incoming files are scanned for malware (multi-engine where the data permits) and where outgoing files are reviewed before they leave the OT zone; a tamper-evident transfer log that is itself archived in the asset owner’s evidence stack. The session is the physical visit; the recording is the chain-of-custody. Anchors: NIST SP 800-82 Rev. 3 Β§5.2.3.1 (Network Segmentation) supports physical separation as the strongest form of zone boundary; NCSC UK Principle 5 (Harden your OT boundary) applies whether the boundary is a firewall or a doorway.

PROPRIETARY SYSTEMS THAT CANNOT HOST A SESSION AGENT

Some legacy automation platforms cannot run additional software, cannot accept external authentication, and cannot be patched. These devices remain in service because their replacement is a multi-year capital project. The compensating pattern is to wrap, not modify. The legacy device sits inside a small, dedicated VLAN behind a deny-by-default firewall; the only path in or out is through a session broker that treats the device as a destination, not a participant; the broker imposes the identity, time-bounding, recording, and log-export properties externally. The legacy device contributes nothing to its own security; the boundary contributes everything. Anchors: IEC 62443-3-3 SR 5.1 (network segmentation) and SR 7.1 (denial of service protection); NIST SP 800-82 Rev. 3 Β§6.2.1 (Network Architecture) explicitly endorses isolation of legacy equipment behind hardened boundaries with compensating monitoring.

MINIMUM ACCEPTABLE CONTROLS WHEN BEST PRACTICE CANNOT BE MET

For each legacy scenario, the question is not whether the ideal is achievable but what minimum the asset owner can defend. The minima below apply to legacy paths that cannot yet meet the full pattern: a documented inventory of every legacy asset and every remote path into it; identity of every individual who has ever connected, captured manually if not automatically; time-bounded engagement (a maintenance ticket with a start and an end); a session record of some form (video of the engineer at the local console where remote brokering is impossible); and a written migration plan with a target date for moving the legacy asset under a modern boundary. The migration plan is the difference between a legacy compensating control and a permanent exception.
Updated on July 10, 2026
Four OT Access PatternsDefence in Depth
Table of Contents
  • SERIAL CONNECTIONS VIA PROTOCOL CONVERTERS
  • AIR-GAPPED SYSTEMS AND CONTROLLED MEDIA TRANSFER
  • PROPRIETARY SYSTEMS THAT CANNOT HOST A SESSION AGENT
  • MINIMUM ACCEPTABLE CONTROLS WHEN BEST PRACTICE CANNOT BE MET
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved