Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Best Practice Guide
  • Four OT Access Patterns
View Categories

Four OT Access Patterns

FOUR OT ACCESS PATTERNS
How are the four OT access patterns defined and what determines which applies?
Not all third-party OT access is the same problem. Two dimensions shape what control is achievable in practice: site scale (the level of enterprise infrastructure available to wrap the access path) and where the programming software runs (on a customer-owned, customer-managed station, or on a vendor-owned laptop the vendor brings to the work). The two dimensions yield four patterns. The axis framing is observational, drawn from field experience across OT deployments rather than from a single standard. The controls inside each quadrant, however, map only to verified clauses in the cited frameworks. These four patterns expand the at-a-glance summary in the Executive Summary (The Four Access Patterns at a Glance): the summary gives the one-line version of each pattern, while this section gives the per-pattern controls, framework anchors, and failure modes.
FIGURE 4. Four OT access patterns Site scale by where the software runs. Each quadrant maps to a scenario and a risk level. Where the programming software runs Customer-owned station Vendor-owned laptop Site scale Large OT Small OT PATTERN A Scenario 2 · lowest residual risk Large OT, customer-owned station. Customer controls the software PATTERN B Scenario 4 · most layered defence Large OT, vendor-owned laptop. Vendor controls the software PATTERN C Scenario 1 · medium residual risk Small OT, customer-owned station. Customer controls the software PATTERN D Scenario 3 · highest residual risk Small OT, vendor-owned laptop. Vendor controls the software Residual risk: A · LOWEST C · MEDIUM B · LAYERED D · HIGHEST
Figure 4. Four OT access patterns. Site scale (Large / Small) by where the programming software runs (Customer-owned station / Vendor-owned laptop). Per-quadrant controls anchored in IEC 62443-3-3:2019 SR 1.1, 1.13, 2.1, 2.6; NIS2 Article 21(2)(d), (i), (j); Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10; NCSC UK Principles 2 (limit the exposure of your connectivity) and 7 (logging and monitoring).
PATTERN A: LARGE OT, CUSTOMER-OWNED STATION (SCENARIO 2)
What are the defensible controls and failure modes for Pattern A (Large OT, customer-owned station)?
The third-party vendor logs into a station the customer owns, manages, and patches. Typical settings: large utility operator, pharmaceutical manufacturer, transport operator. Enterprise infrastructure is available: directory services, jump hosts, Security Information and Event Management (SIEM), Privileged Access Management (PAM), and a Security Operations Centre (SOC). The control problem is integration, not invention. Defensible controls in this pattern. Identity: the vendor's account exists in the customer's identity broker and inherits its lifecycle (joiner, mover, leaver). MFA is enforced at the broker, supporting NIS2 Article 21(2)(j) and Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10. Approval: a per-session ticket is required before the session opens, in support of NIST SP 800-207 Tenet 6 and IEC 62443-3-3 SR 2.1. Mediation: the session traverses a jump host or PAM session broker that records the session and terminates it on inactivity, providing evidence for IEC 62443-3-3 SR 2.6 and FR 6. Network: the path into the OT zone exists only for the duration of the approved session, in line with IEC 62443-3-3 SR 1.13. Evidence: session recording is shipped to the SIEM via the SOC's existing log pipeline, providing evidence for Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 6. Failure mode to watch for: the standing PAM credential. PAM systems are often configured with a long-lived service account that satisfies the audit requirement but defeats Zero Standing Privilege. The control is rotation discipline plus session-bound credential issuance, not the existence of PAM.
PATTERN B: LARGE OT, VENDOR-OWNED LAPTOP (SCENARIO 4)
What are the defensible controls and failure modes for Pattern B (Large OT, vendor-owned laptop)?
The third-party vendor brings their own equipment into a managed OT zone. Typical setting: large-scale commissioning of new automation, where the vendor's laptop carries the engineering software licences and the customer's environment must accept the device for the duration of the project. Enterprise infrastructure is available but the device entering the network is not customer-managed. Device posture cannot be assumed. Defensible controls in this pattern. Network Access Control (NAC) gates which devices may attach; the vendor laptop receives a posture-attested attachment to a vendor demilitarised zone (vendor-DMZ) rather than the operational network directly. An OT intrusion detection system (OT-IDS) monitors the resulting traffic into Level 2 and Level 1 for anomalies. Identity, approval, mediation and evidence controls follow Pattern A. The key delta is the boundary: the vendor's device is treated as untrusted regardless of vendor reputation. NIS2 Article 21(2)(d) supply-chain security is the legal anchor, with BEK 260 §§29-32 providing the operational specifics for supplier procedures and remote-access procedures for direct suppliers; NCSC UK Principles 2 (limit the exposure of your connectivity) and 5 (Harden your OT boundary) are the operational anchors. Failure mode to watch for: the implicit trust gradient. Once a vendor laptop has been on the network for weeks, the controls around it tend to relax. The discipline is to treat each session as a new posture check, not a renewal of the previous trust decision.
PATTERN C: SMALL OT, CUSTOMER-OWNED STATION (SCENARIO 1)
What are the defensible controls and failure modes for Pattern C (Small OT, customer-owned station)?
The third-party vendor logs into a customer-owned engineering station at a site with no on-site IT staff. Typical settings: a small water utility, a district heating remote business unit (RBU), a regional automation site. Internet connectivity is unreliable or prohibited by policy. There is no jump host, no SIEM, no SOC. The control surface must sit at the station itself. This is the pattern most often misread. The common claim is that a small site without enterprise infrastructure cannot meet NIS2 or Lov om styrket beredskab i energisektoren. That claim is false. Five station-local controls satisfy the same regulatory clauses without requiring any live network path.
FIGURE 5. Quadrant C unpacked Five control points bridge the vendor-to-station gap without a live network path. Vendor-neutral. Third-party vendor Engineering station isolated OT enclave NO LIVE NETWORK Five control points bridge the gap without a live network path. 1 Out-of-band identity Identity verified on a separate channel before any session. NIS2 21(2)(i) 2 Time-bound approval Site owner grants a bounded access window per task. Lov §§ 6-8 3 Offline MFA at station Second factor entered locally, at the station itself. NIS2 21(2)(j) 4 Local session recording Screen and keystrokes captured and stored on site. IEC SR 6.1 · FR 6 5 One-way log export Evidence exported one-way at the next site visit. IEC FR 6 Together, these five controls deliver live-network security properties without a live network. Anchors: NIS2 Art. 21(2)(d)+(j) · Lov om styrket beredskab i energisektoren §§ 6, 7, 8 · IEC 62443-3-3 SR 1.1 + FR 6 · NIST SP 800-82 Rev. 3
Figure 5. Quadrant C unpacked. Five control points bridge the vendor-to-station gap without a live network path: out-of- band identity verification; time-bound approval from the site owner; offline MFA at the station; local session recording; one- way log export when the site is next visited. Anchors: NIS2 Article 21(2)(d) and (j); Lov om styrket beredskab i energisektoren §§ 6, 7, 8; IEC 62443-3-3 SR 1.1 and FR 6; NIST SP 800-82 Rev. 3 (AC and IA control families). Each of the five controls maps to verified clauses. Out-of-band identity verification (a separate channel before the vendor reaches the site) supports IEC 62443-3-3 SR 1.1 (human user identification and authentication). Time-bound approval from the site owner supports NIST SP 800-207 Tenet 6. Offline MFA at the station, via TOTP, hardware token, or PIV card, supports NIS2 Article 21(2)(j) without requiring internet. Local session recording provides evidence for IEC 62443-3-3 FR 6 and Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 6. One-way log export, through a unidirectional gateway or signed media at the next site visit, preserves the air gap while delivering the evidence the regulator requires. Failure mode to watch for: the assumption that 'no internet' equals 'no compliance'. Most small sites operate this way today not because the controls are technically infeasible but because the operating discipline (authorised collection visits, signed media chain of custody, station-local credential lifecycle) has not been established. The fix is process design, not infrastructure investment.
PATTERN D: SMALL OT, VENDOR-OWNED LAPTOP (SCENARIO 3)
What are the defensible controls for Pattern D (Small OT, vendor-owned laptop)?
The third-party vendor brings their own laptop to a small site with no on-site IT infrastructure. Typical setting: a remote business unit visited rarely by an automation contractor whose engineering tools live on the contractor's machine. This is the residual hardest case. The device is untrusted, the site has no enterprise infrastructure to wrap it, and the controls cannot sit at a station the customer manages because the work is happening on the vendor's hardware. Defensible controls in this pattern must sit at the boundary between the vendor's device and the operational equipment. The architectural ingredients are scoped session brokers (so the vendor never gets a flat tunnel into Level 1), session evidence captured outside the vendor's machine (so the recording is not under vendor control), and structured log export off-site (so the evidence reaches the asset owner). The legal anchor is the same as Pattern B: NIS2 Article 21(2)(d) supply-chain security, and §6 stk. 2 nr. 7 of Lov om styrket beredskab i energisektoren on supply-chain security between the entity and its direct suppliers, with the operational specifics in BEK 260 §§29-32 (supplier procedures and remote-access procedures for direct suppliers).
MINIMUM VIABLE CONTROLS FOR PATTERN D
What are the minimum viable controls for Pattern D (Small OT, vendor-owned laptop)?
Pattern D is the most common scenario for small sites served by external contractors (small water utilities, regional wind or solar sites, local SCADA integrators). A minimum viable set of controls, formulated in vendor-neutral terms, is achievable even at sites with no on-site enterprise infrastructure. Each control below maps to a primary-verified clause where possible; where the control rests on IEC 62443-2-4:2024 (paywalled) it is flagged as GUIDE INTERPRETATION.
  • Mandatory per-session MFA across the chain. MFA at the point the vendor authenticates, plus MFA at the point of entry to the site broker. NIS2 Article 21(2)(j); Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 10 (REQUIREMENT).
  • Session brokering via a hardware appliance at the site. No direct VPN from the vendor's own laptop to the operational network. The vendor authenticates to a broker physically present at the site; the broker mediates into Level 2 / Level 1 equipment. IEC 62443-3-3 SR 1.13; NIST SP 800-82 Rev. 3 Remote Access overlay (REQUIREMENT).
  • Forced session recording regardless of licence location. The session is recorded outside the vendor's machine, regardless of where the engineering software licence lives. Recording under vendor control is not evidence for the asset owner. IEC 62443-3-3 FR 6; §8 stk. 2 nr. 6 (GUIDE INTERPRETATION of 'forensic capability').
  • Time-bound access measured in hours, not days. Access is authorised for the length of the expected work, not for the length of the contract. NIST SP 800-207 Tenet 3; IEC 62443-3-3 SR 2.1, SR 2.6 (REQUIREMENT).
  • Session-log export to the asset owner's SIEM or SOC. Logs leave the site through a unidirectional path and land in the asset owner's monitoring stack. §8 stk. 2 nr. 6 requires logs to support alarms, investigation, and incident handling; a log that never leaves the site does not satisfy that purpose (GUIDE INTERPRETATION).
Program-level controls from IEC 62443-2-4:2024. The standard, current edition DS/EN IEC 62443-2-4:2024 (which supersedes IEC 62443-2-4:2015 with Amendment 1:2017), defines security programme requirements for industrial automation and control system service providers. Primary PDF access to the underlying IEC text is paywalled, so specific clause wording is not reproduced here. Based on three independent secondary summaries of the standard, the following categories of programme controls are referenced: vendor security programme governance; patch level and anti-malware posture of service-provider laptops; anti-tampering and change control of vendor tooling; contractual evidence obligations including log delivery and retention; personnel security and background checks for vendor technicians. Because the underlying IEC text is paywalled, these controls appear here as GUIDE INTERPRETATION drawn from three independent secondary summaries, not as verbatim clause quotations. Pattern D (vendor-laptop programmes) is treated here at principle level and, in product-anchored terms, in Part 2; its deepest clause-level anchor is IEC 62443-2-4:2024, which addresses security programme requirements for industrial automation and control system service providers. A companion document, BifrostConnect Implementation Guide (Del 2), addresses Pattern D in product-anchored terms. Readers seeking a fully clause-referenced Pattern D treatment should read IEC 62443-2-4:2024 alongside NCSC UK Principles 1 (balance the risk and opportunities) and 6 (limit the impact of compromise).
Updated on July 14, 2026
Zero Standing PrivilegeDegraded Mode & Legacy Equipment
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved