SOURCES AND REFERENCES
What are the primary sources and references cited in this Best Practice Guide?
Each citation below names the primary source and retrieval date.
- EU NIS2 Directive (2022/2555). Article 21, paragraph 2, points (a) through (j). Primary source: EUR-Lex CELEX 32022L2555. Relevant for third-party access: (d) supply chain, (i) access control policies, (j) multi-factor authentication.
- LOV nr. 434 af 6. maj 2025. Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau – Danish implementation of NIS2. § 6, stk. 1, nr. 1 to 10 transpose NIS2 Article 21(2)(a) to (j). Primary source: Retsinformation (Lovtidende, 2025).
- Lov om styrket beredskab i energisektoren. §§ 6, 7, 8. Parent law for BEK 260. Relevant clauses: §6 stk. 2 nr. 3 access control policies; §6 stk. 2 nr. 7 supply chain; §8 stk. 2 nr. 2 network architecture; §8 stk. 2 nr. 6 logging; §8 stk. 2 nr. 10 MFA and access protection. Danish energy entities are governed by this regime to the extent of its coverage; LOV nr. 434 af 6. maj 2025 does not apply for those obligations that are already covered by the energy-sector regime.
- BEK 260 af 6. marts 2025. Executive order on cybersecurity preparedness in the energy sector, issued under Lov om styrket beredskab i energisektoren. Relevant paragraphs: §§29-32 supply-chain security and remote-access procedures (incl. supplier agreement requirements); §§51-53 access control policy, access control, and multi-factor authentication; §55 stk. 2 zero standing privilege evidence (time-limited remote access only during approved work-related need); §62 network segmentation; §§64-66 logging and monitoring (with §66 stk. 2 nr. 2 explicitly covering remote-access equipment).
- IEC 62443-3-3:2019. International standard for industrial automation and control systems security. Foundational Requirements FR 1 to FR 7. System Requirements relevant to third-party access: SR 1.1 human user identification and authentication; SR 1.13 access via untrusted networks; SR 2.1 authorisation enforcement; SR 2.6 remote session termination; SR 2.8 auditable events; SR 6.1 audit log accessibility; SR 6.2 continuous monitoring.
- IEC 62443-2-4:2024. Security programme requirements for industrial automation and control system service providers. Current edition (DS/EN IEC 62443-2-4:2024), supersedes IEC 62443-2-4:2015 with Amendment 1:2017. Paywalled; this guide references the standard for Pattern D and for supply-chain hygiene controls based on three independent secondary summaries. Primary PDF acquisition recommended for any legally binding use.
- NIST SP 800-82 Rev. 3. Guide to Operational Technology (OT) Security. Published 28 September 2023. Functions as an OT overlay on NIST SP 800-53 Rev. 5. Relevant control families: Access Control (AC) and Identification and Authentication (IA). Includes a dedicated section on Network Segmentation and Isolation and OT-specific remote access overlay for AC-17.
- NIST SP 800-53 Rev. 5. Security and Privacy Controls for Information Systems and Organizations. Relevant audit family controls: AU-2 event logging; AU-3 content of audit records; AU-6 audit record review, analysis, and reporting; AU-12 audit record generation; AU-14 session audit.
- NIST SP 800-207. Zero Trust Architecture. Published August 2020. Section 2.1 defines seven Zero Trust Tenets used as the conceptual foundation for per-session, dynamic-policy access decisions in this guide.
- Joint NCSC Secure Connectivity Principles for Operational Technology. Published 18 March 2024, by the United Kingdom National Cyber Security Centre in joint partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the United States Cybersecurity and Infrastructure Security Agency, the United States Federal Bureau of Investigation, Germany’s Federal Office for Information Security, the Netherlands’ National Cyber Security Centre, and New Zealand’s National Cyber Security Centre. Eight principles for OT connectivity; Principle 5 (“Harden your OT boundary”) is the most directly relevant for the third-party access framework, with its hardening checklist explicitly including the requirement to enforce security requirements on third parties.
- CISA Adapting Zero Trust Principles to Operational Technology. Joint guide published 29 April 2026 by the United States Cybersecurity and Infrastructure Security Agency, Department of War, Department of Energy, Federal Bureau of Investigation, and Department of State, with contributions from the National Institute of Standards and Technology. Aligned with NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover). The most recent authoritative application of Zero Trust to OT, used in this guide alongside NIST SP 800-207 as the dual anchor for the Zero Standing Privilege principle (Figure 3).
- ISA-95 / IEC 62264. Reference architecture for enterprise-control system integration. Adopts the Purdue Model layers used in Figure 1.
- CISA Advisory AA24-038A. PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (Volt Typhoon). Joint advisory by CISA, NSA, FBI and international partners, 7 February 2024. Reference for the threat context section.
- CISA Advisory AA23-335A. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (CyberAv3ngers). Published 1 December 2023. Reference for the threat context section.
- Mandiant APT44 profile and CERT-UA Industroyer2 advisory. Mandiant report on APT44 / Sandworm (2024); CERT-UA advisory on the April 2022 attack against Ukrainian electricity substations using Industroyer2 and CaddyWiper. Reference for the threat context section.
- SektorCERT rapport (November 2023). De koordinerede angreb mod dansk, kritisk infrastruktur. Danish sector CERT documentation of the May 2023 coordinated attack against 22 Danish energy companies. Reference for the threat context section.
- Dragos TRITON / TRISIS analysis. Technical analysis of the 2017 attack on a Saudi Arabian petrochemical safety instrumented system, first reported by FireEye and Dragos. Reference incident for attacks reaching the safety-integrity layer.
- EU GDPR (2016/679). General Data Protection Regulation. Relevant for session recordings that contain personal data of vendor technicians or site operators. Retention, access control, and data subject rights must be addressed in the recording policy.