Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Best Practice Guide
  • Threat Context
View Categories

Threat Context

THIRD-PARTY ACCESS TODAY VERSUS A DEFENSIBLE PATTERN
How does third-party OT access today compare to a defensible access pattern?
The most common pattern observed across OT environments is also the most exposed: the third-party vendor connects through an always-listening VPN concentrator into a flat OT LAN, where credentials persist beyond the work, the network path stays open between sessions, and no recording exists of what happened inside the zone. Lateral movement to a PLC is unaudited, because nothing was watching. A defensible pattern looks structurally different. The vendor authenticates against an identity broker that requires multi-factor authentication and per-session approval. On approval, a session broker mediates the connection into the OT zone, records the session, and terminates it on a timer. Logs flow outward through a unidirectional channel to an audit vault; no inbound path is opened by the act of recording.
FIGURE 2. Common today vs. defensible pattern Two-pattern reference for third-party access into operational technology. Vendor-neutral. A. COMMON TODAY flat VPN · persistent credentials · no session view Third-party vendor always-on VPN VPN concentrator no identity broker, no session boundary FLAT OT SEGMENT shared accounts · lateral movement possible PLC Engineering station HMI Historian SCADA PERSISTENT CREDENTIALS NO SESSION BOUNDARY NO RECORDING FLAT NETWORK ACCESS LOGS LIVE WITH PRODUCTION B. DEFENSIBLE PATTERN identity broker · session broker · recorded session · one-way log export Third-party vendor 1 Identity broker out-of-band identity + authorisation 2 Session broker time-bound, approved, scoped to one endpoint outbound- initiated SCOPED OT ENCLAVE Approved endpoint all other endpoints unreachable in session Log store / SIEM outbound-only export EPHEMERAL ACCESS SCOPED TO ONE ENDPOINT SESSION RECORDED OUTBOUND-INITIATED ONE-WAY LOG EXPORT
Figure 2. Common today vs. defensible pattern. Two-panel reference for third party access into operational technology, vendor-neutral. Panel A (top) shows the most exposed pattern still in production use (persistent VPN credentials, flat OT segment, no session boundary). Panel B (bottom) shows the defensible pattern this guide describes (identity broker, session broker, recorded session, one-way log export).
THREAT CONTEXT
What is the threat context that makes third-party OT access controls necessary?
The pattern in the previous section is not compliance theatre. It is an operational response to a concrete and escalating threat landscape. Three named actor groups illustrate the risk profile that third-party OT access must now defend against. Sandworm (also tracked as APT44 and attributed by Mandiant and CISA to GRU Unit 74455) deployed the Industroyer2 and CaddyWiper malware against Ukrainian electricity substations in April 2022. Industroyer2 is specifically designed to manipulate electricity substation equipment (IEC 60870-5-104); CaddyWiper destroys data on Windows hosts. The intrusion chain relied on pre-existing access into the OT environment, which is exactly the exposure a flat vendor tunnel creates. Reference: CERT-UA advisory (April 2022); Mandiant APT44 profile (2024). Volt Typhoon is a People's Republic of China state-sponsored group tracked jointly by CISA, NSA and Five Eyes partners. The 7 February 2024 CISA advisory AA24-038A documents the group's pre-positioning activity inside United States critical infrastructure, including energy, water and transport sectors, using compromised small-office and home-office (SOHO) devices and living-off-the-land (LOTL) techniques to avoid detection. The advisory describes the pattern as deliberate positioning for future disruptive or destructive effects, not espionage. Reference: CISA Advisory AA24-038A (7 February 2024). CyberAv3ngers is a group of IRGC-affiliated cyber actors, per CISA Advisory AA23-335A. CISA Advisory AA23-335A (1 December 2023) documents the group's exploitation of internet-exposed Unitronics Vision series programmable logic controllers at multiple United States water utilities in late 2023. The attack vector was default credentials on devices reachable from the public internet – the low-end of the same exposure profile that unbrokered third-party remote access creates. Reference: CISA Advisory AA23-335A (1 December 2023).
LIVING OFF THE LAND AND THE CASE FOR SESSION BROKERING
What is living off the land (LOTL) and why does it make the case for session brokering?
Across these and similar intrusions, a recurring technique is the abuse of legitimate remote-access sessions and built-in operating system binaries, known as living off the land (LOTL). CISA Advisory AA24-038A and the joint guidance Identifying and Mitigating Living Off the Land Techniques (February 2024) both describe the pattern: an attacker who has obtained a foothold in a legitimate remote session can avoid detection by using tools that are already present and expected on the host. The direct structural response is session brokering with recording: if the only way a vendor session reaches the zone is through a broker that records what is entered and what is executed, LOTL behaviour generates evidence even when the tooling itself looks legitimate.
REFERENCE INCIDENTS FOR THE 'WHY SHOULD I CARE' QUESTION
What are the reference incidents that answer the "Why should I care?" question about OT access security?
Three publicly reported incidents answer the question in concrete terms. The 2021 Colonial Pipeline ransomware incident reached the billing systems through a compromised, unbranded VPN account with no MFA, and the operational fuel shutdown followed from the business decision to halt pipeline operations. The 2023 SektorCERT disclosure of the coordinated attack against 22 Danish energy companies documents the value of sector-level detection and of disciplined remote-access control; the SektorCERT report itself is the primary Danish reference document on OT intrusion patterns and the value of collective defence. TRITON / TRISIS, first reported by FireEye and Dragos in December 2017, targeted a Saudi Arabian petrochemical safety instrumented system and is the reference incident for attacks reaching the safety-integrity layer, not only the control layer. References: CISA and FBI joint advisory on Colonial Pipeline (2021); SektorCERT rapport (November 2023); Dragos TRITON analysis (2017-2018).

Updated on July 10, 2026
Architecture & PrinciplesZero Standing Privilege
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved