Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Implementing the OT Best Practice Framework with BifrostConnect
  • Overview and Framework Mapping
View Categories

Overview and Framework Mapping

ABOUT THIS COMPANION DOCUMENT
What is Part 2 of the BifrostConnect OT Best Practice Guide, and how does it relate to Part 1?

This is Part 2 of a two-part publication by BifrostConnect. Part 1 is a vendor-neutral best-practice framework for third-party access to operational technology, written to stand alone as a reference for threat modelling, scenario analysis and regulatory mapping.

This Part 2 is the implementation companion: it describes how to deploy BifrostConnect, so the controls Part 1 calls for are delivered securely, what each deployment decision means for the resulting evidence chain, and where to harden the trust boundaries the architecture introduces. No claim is made that BifrostConnect is the only way to implement Part 1’s recommendations; several of the compensating controls can be realized with other architectures. Where regulatory wording is interpreted, the interpretation aligns with the guidance issued by Styrelsen for Samfundssikkerhed (SAMSIK) on the Danish NIS2 implementation (Vejledning til NIS 2-loven, June to August 2025).

Cross-references in the form ‘(Part 1, Scenario X)’ point the reader back to the corresponding section of Part 1.

Note on figures and product specifications: text descriptions, figures and architectural diagrams in this guide reflect the target architecture of the BifrostConnect product family. Some components (including AccessGuard and SessionGuard) and some governance patterns (including per-session approval workflows) are deployed where the regulatory regime or operational governance requires them, and may not be present in default deployments. Specific feature availability per plan tier and per release phase is documented separately in current product documentation; reach out to BifrostConnect for the latest availability matrix.

HOW PART 2 MAPS TO PART 1
How does Part 2’s structure map to Part 1’s OT Best Practice Framework?

Part 1 defines four scenarios, a threat model, two complementary architectural lenses (Purdue topology and OT Island direction), and a single operational principle (Zero Standing Privilege). Part 2 is organised around the same structure. The table below shows the mapping.

Part 1 sectionPart 2 sectionPurpose
Zero Standing PrivilegeZero Standing Privilege with BifrostConnectMaps the principle to Bifrost session lifecycle
OT Island PrincipleOT Island couplingHow Bifrost Unit enforces outbound-only OT posture
Threat modelHow BifrostConnect mitigates the threat modelMaps actors, vectors and incidents to Bifrost controls
Scenarios 1 to 4Scenarios 1 to 4 implementationPer-scenario product configuration
Comparative summaryProduct referenceWhat each product is and where it applies
Implementation approachesCo-deployment categoriesHow Bifrost co-deploys with OT-IDS, SIEM, data diodes
Compliance maturity matrixImplementation hardening guidance + Architectural transparencyDeployment decisions that deliver Part 1’s controls and harden the trust boundaries the architecture introduces
ACCESS TYPE DIFFERENTIATION
What is the difference between KVM (Direct Native Access) and IP tunnel (Direct Tunnel Access)?

Part 1 distinguishes two fundamentally different access models. Part 2 uses these consistently throughout:

  • Hardware-based KVM/console access (Direct Native Access): The operator receives a video stream of the endpoint’s display via WebRTC. No network-layer connectivity is established. The operator’s device never joins the OT network and has no IP-level access to OT assets. The trust boundary is physical hardware.
  • Session-scoped IP tunnels (Direct Tunnel Access): The operator’s device receives scoped subnet-level IP connectivity to specific endpoints for the session duration. This is temporary network-layer connectivity, tighter than VPN but fundamentally different from KVM. The operator’s device can send packets to specified OT endpoints within the tunnel scope.

These are not equivalent security models. KVM provides isolation without network participation. IP tunnels provide scoped network participation with session controls. Both implement Zero Standing Privilege but at different layers.

ZERO STANDING PRIVILEGE
How does BifrostConnect implement Zero Standing Privilege?

Part 1 defines Zero Standing Privilege as ‘session-based access, closed by default’. No user should hold a pre-existing, persistent path into the OT network. Access is policy-authorized in advance, opened on session start, used, recorded and torn down, in that order, for every session.

BifrostConnect implements this through administrator-defined access policy in Bifrost Manager (per-user, per-Unit, per-subnet), session-based teardown for Direct Native Access (KVM, SSH, Serial), and time-bound subnet mappings for Direct Tunnel Access (Time-Based Access on Advanced plan and Dedicated Cloud tier). Per-session approval workflows, where a vendor request triggers explicit administrator confirmation before the session opens, are an architectural extension that can be deployed where the regulatory regime or operational governance requires it; the underlying policy engine in Bifrost Manager is designed to support this pattern.

The architecture is realized through the Bifrost Unit’s outbound-only posture. The Bifrost Unit maintains only an outbound connection to the BifrostConnect Service on port 443 (WebRTC and MQTT over WSS). No inbound port is open on the OT network. For KVM/console sessions (Direct Native Access), no network-layer connectivity is established at all; the operator sees a video stream without joining the OT network. For IP tunnel sessions (Direct Tunnel Access), scoped subnet-level connectivity is established for the session duration only, with unsolicited inbound traffic blocked by default.

MAPPING TO PART 1’S PRINCIPLES
How does BifrostConnect implement each of Part 1’s five core principles?
Part 1 principleBifrostConnect implementation
1. Zero Standing PrivilegeNo access exists between sessions. Direct Native Access and Direct Tunnel Access sessions terminate when the browser session ends (no persistent tunnel); Direct Tunnel Access subnet mappings can be configured time-bound (Advanced plan / Dedicated Cloud tier). Bifrost Manager enforces JIT access windows; AccessGuard is designed to enforce mandatory TOTP per session at the engineering station.
2. The OT Island PrincipleThe Bifrost Unit initiates outbound connections only and listens on no inbound port (outbound 443 only): OT calls out, OT never accepts inbound. For KVM (Direct Native Access) there is no network-layer connectivity at all; IP-tunnel connectivity is scoped to specific endpoints for the session only.
3. Defence in depthIndependent layers wrap the asset: individual identity and MFA (Bifrost Manager via Auth0; AccessGuard TOTP at the station), per-session approval and JIT, scoped network path (masquerading, subnet scoping), session mediation through the Bifrost Unit, session recording (AccessGuard H.264 with DPAPI; SessionGuard WebRTC to a customer VM where deployed), and one-way log export to SIEM (optionally via a data diode).
4. Minimum viable controls scale to contextThe same control gates apply to every scenario; implementation depth scales with site maturity. Each scenario carries a documented minimum-viable floor and a target-state ceiling (see the per-scenario capability tables).
5. Verification over assumptionEvery control above is acceptance-testable and anchored to BifrostConnect Security Documentation; session recordings and audit logs are the evidence that each control operated as designed during the access window.
OT ISLAND COUPLING
How does BifrostConnect implement the OT Island Principle, and why is dedicated hardware used?

Part 1 introduces the OT Island Principle as a directional complement to Purdue: OT calls out, OT never receives. Architecturally, BifrostConnect implements this principle: the Bifrost Unit initiates outbound connections to the BifrostConnect Service; it accepts no inbound connections. The OT environment remains an island. The Bifrost Unit is the enforcement point of the outbound-only principle at the OT boundary.

The outbound-only posture does not by itself require hardware: a software agent can also be outbound-initiated. The Bifrost Unit exists as dedicated hardware for the trust properties a software agent running on a customer-managed OT host cannot guarantee. Its SoC secure-boot fuses are burnt at manufacture and are non-reversible, so it cannot boot alternative firmware; it runs a stripped industrial Linux with no local users, no SSH, no local web services, and no physical service or debugging ports; firmware updates are signed and delivered over-the-air only; and its battery and built-in LTE provide an out-of-band path independent of the customer network. A general-purpose host running a software agent inherits that host’s users, services, patch state, and exploitable surface; the dedicated Unit does not.

Updated on July 14, 2026
Scenario Implementation – Scenario 4Threat Model
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved