FOUR OT ACCESS PATTERNS
How are the four OT access patterns defined and what determines which applies?
Not all third-party OT access is the same problem. Two dimensions shape what control is achievable in practice: site scale (the level of enterprise infrastructure available to wrap the access path) and where the programming software runs (on a customer-owned, customer-managed station, or on a vendor-owned laptop the vendor brings to the work).
The two dimensions yield four patterns. The axis framing is observational, drawn from field experience across OT deployments rather than from a single standard. The controls inside each quadrant, however, map only to verified clauses in the cited frameworks. These four patterns expand the at-a-glance summary in the Executive Summary (The Four Access Patterns at a Glance): the summary gives the one-line version of each pattern, while this section gives the per-pattern controls, framework anchors, and failure modes.
Figure 4. Four OT access patterns. Site scale (Large / Small) by where the programming software runs (Customer-owned station / Vendor-owned laptop). Per-quadrant controls anchored in IEC 62443-3-3:2019 SR 1.1, 1.13, 2.1, 2.6; NIS2 Article 21(2)(d), (i), (j); Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10; NCSC UK Principles 2 (limit the exposure of your connectivity) and 7 (logging and monitoring).
PATTERN A: LARGE OT, CUSTOMER-OWNED STATION (SCENARIO 2)
What are the defensible controls and failure modes for Pattern A (Large OT, customer-owned station)?
The third-party vendor logs into a station the customer owns, manages, and patches. Typical settings: large utility operator, pharmaceutical manufacturer, transport operator. Enterprise infrastructure is available: directory services, jump hosts, Security Information and Event Management (SIEM), Privileged Access Management (PAM), and a Security Operations Centre (SOC). The control problem is integration, not invention.
Defensible controls in this pattern. Identity: the vendor's account exists in the customer's identity broker and inherits its lifecycle (joiner, mover, leaver). MFA is enforced at the broker, supporting NIS2 Article 21(2)(j) and Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10. Approval: a per-session ticket is required before the session opens, in support of NIST SP 800-207 Tenet 6 and IEC 62443-3-3 SR 2.1. Mediation: the session traverses a jump host or PAM session broker that records the session and terminates it on inactivity, providing evidence for IEC 62443-3-3 SR 2.6 and FR 6. Network: the path into the OT zone exists only for the duration of the approved session, in line with IEC 62443-3-3 SR 1.13. Evidence: session recording is shipped to the SIEM via the SOC's existing log pipeline, providing evidence for Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 6.
Failure mode to watch for: the standing PAM credential. PAM systems are often configured with a long-lived service account that satisfies the audit requirement but defeats Zero Standing Privilege. The control is rotation discipline plus session-bound credential issuance, not the existence of PAM.
PATTERN B: LARGE OT, VENDOR-OWNED LAPTOP (SCENARIO 4)
What are the defensible controls and failure modes for Pattern B (Large OT, vendor-owned laptop)?
The third-party vendor brings their own equipment into a managed OT zone. Typical setting: large-scale commissioning of new automation, where the vendor's laptop carries the engineering software licences and the customer's environment must accept the device for the duration of the project. Enterprise infrastructure is available but the device entering the network is not customer-managed. Device posture cannot be assumed.
Defensible controls in this pattern. Network Access Control (NAC) gates which devices may attach; the vendor laptop receives a posture-attested attachment to a vendor demilitarised zone (vendor-DMZ) rather than the operational network directly. An OT intrusion detection system (OT-IDS) monitors the resulting traffic into Level 2 and Level 1 for anomalies. Identity, approval, mediation and evidence controls follow Pattern A. The key delta is the boundary: the vendor's device is treated as untrusted regardless of vendor reputation. NIS2 Article 21(2)(d) supply-chain security is the legal anchor, with BEK 260 §§29-32 providing the operational specifics for supplier procedures and remote-access procedures for direct suppliers; NCSC UK Principles 2 (limit the exposure of your connectivity) and 5 (Harden your OT boundary) are the operational anchors.
Failure mode to watch for: the implicit trust gradient. Once a vendor laptop has been on the network for weeks, the controls around it tend to relax. The discipline is to treat each session as a new posture check, not a renewal of the previous trust decision.
PATTERN C: SMALL OT, CUSTOMER-OWNED STATION (SCENARIO 1)
What are the defensible controls and failure modes for Pattern C (Small OT, customer-owned station)?
The third-party vendor logs into a customer-owned engineering station at a site with no on-site IT staff. Typical settings: a small water utility, a district heating remote business unit (RBU), a regional automation site. Internet connectivity is unreliable or prohibited by policy. There is no jump host, no SIEM, no SOC. The control surface must sit at the station itself.
This is the pattern most often misread. The common claim is that a small site without enterprise infrastructure cannot meet NIS2 or Lov om styrket beredskab i energisektoren. That claim is false. Five station-local controls satisfy the same regulatory clauses without requiring any live network path.
Figure 5. Quadrant C unpacked. Five control points bridge the vendor-to-station gap without a live network path: out-of-
band identity verification; time-bound approval from the site owner; offline MFA at the station; local session recording; one-
way log export when the site is next visited. Anchors: NIS2 Article 21(2)(d) and (j); Lov om styrket beredskab i
energisektoren §§ 6, 7, 8; IEC 62443-3-3 SR 1.1 and FR 6; NIST SP 800-82 Rev. 3 (AC and IA control families).
Each of the five controls maps to verified clauses. Out-of-band identity verification (a separate channel before the vendor reaches the site) supports IEC 62443-3-3 SR 1.1 (human user identification and authentication). Time-bound approval from the site owner supports NIST SP 800-207 Tenet 6. Offline MFA at the station, via TOTP, hardware token, or PIV card, supports NIS2 Article 21(2)(j) without requiring internet. Local session recording provides evidence for IEC 62443-3-3 FR 6 and Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 6. One-way log export, through a unidirectional gateway or signed media at the next site visit, preserves the air gap while delivering the evidence the regulator requires.
Failure mode to watch for: the assumption that 'no internet' equals 'no compliance'. Most small sites operate this way today not because the controls are technically infeasible but because the operating discipline (authorised collection visits, signed media chain of custody, station-local credential lifecycle) has not been established. The fix is process design, not infrastructure investment.
PATTERN D: SMALL OT, VENDOR-OWNED LAPTOP (SCENARIO 3)
What are the defensible controls for Pattern D (Small OT, vendor-owned laptop)?
The third-party vendor brings their own laptop to a small site with no on-site IT infrastructure. Typical setting: a remote business unit visited rarely by an automation contractor whose engineering tools live on the contractor's machine. This is the residual hardest case. The device is untrusted, the site has no enterprise infrastructure to wrap it, and the controls cannot sit at a station the customer manages because the work is happening on the vendor's hardware.
Defensible controls in this pattern must sit at the boundary between the vendor's device and the operational equipment. The architectural ingredients are scoped session brokers (so the vendor never gets a flat tunnel into Level 1), session evidence captured outside the vendor's machine (so the recording is not under vendor control), and structured log export off-site (so the evidence reaches the asset owner).
The legal anchor is the same as Pattern B: NIS2 Article 21(2)(d) supply-chain security, and §6 stk. 2 nr. 7 of Lov om styrket beredskab i energisektoren on supply-chain security between the entity and its direct suppliers, with the operational specifics in BEK 260 §§29-32 (supplier procedures and remote-access procedures for direct suppliers).
MINIMUM VIABLE CONTROLS FOR PATTERN D
What are the minimum viable controls for Pattern D (Small OT, vendor-owned laptop)?
Pattern D is the most common scenario for small sites served by external contractors (small water utilities, regional wind or solar sites, local SCADA integrators). A minimum viable set of controls, formulated in vendor-neutral terms, is achievable even at sites with no on-site enterprise infrastructure. Each control below maps to a primary-verified clause where possible; where the control rests on IEC 62443-2-4:2024 (paywalled) it is flagged as GUIDE INTERPRETATION.
- Mandatory per-session MFA across the chain. MFA at the point the vendor authenticates, plus MFA at the point of entry to the site broker. NIS2 Article 21(2)(j); Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10 (REQUIREMENT).
- Session brokering via a hardware appliance at the site. No direct VPN from the vendor's own laptop to the operational network. The vendor authenticates to a broker physically present at the site; the broker mediates into Level 2 / Level 1 equipment. IEC 62443-3-3 SR 1.13; NIST SP 800-82 Rev. 3 Remote Access overlay (REQUIREMENT).
- Forced session recording regardless of licence location. The session is recorded outside the vendor's machine, regardless of where the engineering software licence lives. Recording under vendor control is not evidence for the asset owner. IEC 62443-3-3 FR 6; §8 stk. 2 nr. 6 (GUIDE INTERPRETATION of 'forensic capability').
- Time-bound access measured in hours, not days. Access is authorised for the length of the expected work, not for the length of the contract. NIST SP 800-207 Tenet 3; IEC 62443-3-3 SR 2.1, SR 2.6 (REQUIREMENT).
- Session-log export to the asset owner's SIEM or SOC. Logs leave the site through a unidirectional path and land in the asset owner's monitoring stack. §8 stk. 2 nr. 6 requires logs to support alarms, investigation, and incident handling; a log that never leaves the site does not satisfy that purpose (GUIDE INTERPRETATION).