Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Best Practice Guide
  • Procurement Appendix
View Categories

Procurement Appendix

APPENDIX: SAMPLE PROCUREMENT REQUIREMENTS FOR OT REMOTE ACCESS
What sample procurement requirements should be included in contracts for OT remote access vendors?
The clauses below are illustrative drafting language for use in tender documents, Master Service Agreements, and statements of work where third-party remote access into operational technology is in scope. The wording is anchored in IEC 62443-2-4:2024 (service provider security programme requirements) and the BEK 260 §§ 30 to 32 family of supplier-agreement obligations. Adopting organisations should adapt the wording to their legal framework and purchasing process; the clauses are not a substitute for qualified legal counsel.
  1. The Vendor shall support session brokering in such a manner that no direct network path exists from the Vendor’s equipment to Customer’s operational technology assets outside of an active, authorised session. (Anchor: IEC 62443-2-4:2024 SP.07 Remote access; BEK 260 §31.)
  2. The Vendor shall enforce multi-factor authentication on every session, with at least one factor independent of the Vendor’s own infrastructure. (Anchor: IEC 62443-3-3:2019 SR 1.1 RE 1; NIS2 Article 21(2)(j); BEK 260 §53.)
  3. The Vendor shall operate under a security programme demonstrably aligned with IEC 62443-2-4:2024 SP.01 to SP.12, with documented evidence of training, background checks, configuration management, and patch management for personnel and tooling engaged on Customer’s site. (Anchor: IEC 62443-2-4:2024 Annex A; BEK 260 §29 and §30.)
  4. The Solution shall provide cryptographic audit trail of all access events with a minimum retention period of thirteen (13) months, with audit records meeting the content requirements of NIST SP 800-53 Rev. 5 AU-3. (Anchor: NIST SP 800-53 Rev. 5 AU-2 and AU-3; BEK 260 §66 stk. 2 nr. 2 logging of remote-access events, and §67 stk. 3 retention period (13 months, niveau 4-5).)
  5. The Vendor shall obtain explicit, time-bounded approval from a designated Customer representative prior to each session. Standing or open-ended approvals are not permitted. (Anchor: IEC 62443-2-4:2024 SP.07.04; NIST SP 800-207 Tenet 3 and Tenet 6; BEK 260 §55 stk. 2.)
  6. The Vendor shall support automated session termination at a configurable time limit and shall support unilateral termination by the Customer at any time without operational degradation of OT systems. (Anchor: IEC 62443-3-3:2019 SR 2.6 (remote session termination); NIST SP 800-82 Rev. 3 AC-17(9).)
  7. The Vendor shall provide forced session recording of all activity occurring inside the brokered session, with the recording stored under Customer-controlled infrastructure. Vendor-controlled recording is not acceptable as evidence. (Anchor: GUIDE INTERPRETATION of IEC 62443-3-3:2019 FR 6 and NIST SP 800-53 Rev. 5 AU-14 in the OT supplier context; Lov om styrket beredskab i energisektoren §8 stk. 2 nr. 6.)
  8. The Vendor shall notify the Customer of any security incident affecting Vendor personnel, tooling, or infrastructure used to deliver the Service within twenty-four (24) hours of detection. (Anchor: NIS2 Article 23; BEK 260 §30 stk. 1 nr. 2.)
  9. The Vendor shall, on Customer’s written request, support Customer’s reporting obligations under NIS2 Article 23 and applicable national law, including timely delivery of session logs, audit records, and forensic artefacts. (Anchor: BEK 260 §30 stk. 1 nr. 3 and §32.)
  10. Vendor shall, within a defined transition period not exceeding thirty (30) days, return or securely destroy all Customer access credentials, keys, configurations, and operational data, and shall provide written attestation of completion. (Anchor: NIS2 Article 21(2)(i) access control and asset management; NIS2 Article 21(2)(d) supply-chain security; BEK 260 §52 nr. 2 deactivation and removal of accounts, and §30 stk. 1 nr. 8 customer data ownership.)
These clauses are starting points, not finished contract language. Each should be reviewed against the specific Vendor relationship, the Customer’s regulatory environment, and the relevant procurement process. The clauses cite primary sources where available and are labelled GUIDE INTERPRETATION where they extend a primary clause beyond its literal text into the OT supplier context.

Updated on July 10, 2026
Operational Lifecycle About this guide
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved