APPENDIX: SAMPLE PROCUREMENT REQUIREMENTS FOR OT REMOTE ACCESS
What sample procurement requirements should be included in contracts for OT remote access vendors?
The clauses below are illustrative drafting language for use in tender documents, Master Service Agreements, and statements of work where third-party remote access into operational technology is in scope. The wording is anchored in IEC 62443-2-4:2024 (service provider security programme requirements) and the BEK 260 §§ 30 to 32 family of supplier-agreement obligations. Adopting organisations should adapt the wording to their legal framework and purchasing process; the clauses are not a substitute for qualified legal counsel.
- The Vendor shall support session brokering in such a manner that no direct network path exists from the Vendor’s equipment to Customer’s operational technology assets outside of an active, authorised session. (Anchor: IEC 62443-2-4:2024 SP.07 Remote access; BEK 260 §31.)
- The Vendor shall enforce multi-factor authentication on every session, with at least one factor independent of the Vendor’s own infrastructure. (Anchor: IEC 62443-3-3:2019 SR 1.1 RE 1; NIS2 Article 21(2)(j); BEK 260 §53.)
- The Vendor shall operate under a security programme demonstrably aligned with IEC 62443-2-4:2024 SP.01 to SP.12, with documented evidence of training, background checks, configuration management, and patch management for personnel and tooling engaged on Customer’s site. (Anchor: IEC 62443-2-4:2024 Annex A; BEK 260 §29 and §30.)
- The Solution shall provide cryptographic audit trail of all access events with a minimum retention period of thirteen (13) months, with audit records meeting the content requirements of NIST SP 800-53 Rev. 5 AU-3. (Anchor: NIST SP 800-53 Rev. 5 AU-2 and AU-3; BEK 260 §66 stk. 2 nr. 2 logging of remote-access events, and §67 stk. 3 retention period (13 months, niveau 4-5).)
- The Vendor shall obtain explicit, time-bounded approval from a designated Customer representative prior to each session. Standing or open-ended approvals are not permitted. (Anchor: IEC 62443-2-4:2024 SP.07.04; NIST SP 800-207 Tenet 3 and Tenet 6; BEK 260 §55 stk. 2.)
- The Vendor shall support automated session termination at a configurable time limit and shall support unilateral termination by the Customer at any time without operational degradation of OT systems. (Anchor: IEC 62443-3-3:2019 SR 2.6 (remote session termination); NIST SP 800-82 Rev. 3 AC-17(9).)
- The Vendor shall provide forced session recording of all activity occurring inside the brokered session, with the recording stored under Customer-controlled infrastructure. Vendor-controlled recording is not acceptable as evidence. (Anchor: GUIDE INTERPRETATION of IEC 62443-3-3:2019 FR 6 and NIST SP 800-53 Rev. 5 AU-14 in the OT supplier context; Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 6.)
- The Vendor shall notify the Customer of any security incident affecting Vendor personnel, tooling, or infrastructure used to deliver the Service within twenty-four (24) hours of detection. (Anchor: NIS2 Article 23; BEK 260 §30 stk. 1 nr. 2.)
- The Vendor shall, on Customer’s written request, support Customer’s reporting obligations under NIS2 Article 23 and applicable national law, including timely delivery of session logs, audit records, and forensic artefacts. (Anchor: BEK 260 §30 stk. 1 nr. 3 and §32.)
- Vendor shall, within a defined transition period not exceeding thirty (30) days, return or securely destroy all Customer access credentials, keys, configurations, and operational data, and shall provide written attestation of completion. (Anchor: NIS2 Article 21(2)(i) access control and asset management; NIS2 Article 21(2)(d) supply-chain security; BEK 260 §52 nr. 2 deactivation and removal of accounts, and §30 stk. 1 nr. 8 customer data ownership.)