OT Cybersecurity

Third-party access to OT, made defensible.

Vendors, integrators and OEMs need a way into your OT environment. The defensible pattern is brokered, time-bound, recorded and revocable - and it is documented, clause by clause, in our free two-part guide.

Built on the published OT Best-Practice Guide, version 1.21.
Technical review by Mikael Vingaard, ICSRange · Mapped to NIS2, BEK 260 and IEC 62443 · Written for water, energy and industrial OT operators.

The risk

Why third-party access is the soft spot.

The guide's threat model starts from three realities of industrial operations.

Legitimate access, weaponised

Attackers increasingly reuse the vendor's own credentials and remote paths instead of breaking in through the perimeter.

Vendor laptops bypass the stack

Unmanaged third-party devices reach OT equipment without passing the controls your own endpoints must satisfy.

Standing privilege, always on

Persistent VPN tunnels and shared accounts stay open between service jobs - attack surface with no session boundary.

The framework

Five principles of defensible OT access.

The vendor-neutral core of the guide. Any solution can be measured against them.

Figure: Defensible third-party OT access - brokered · time-bound · recorded · revocable.

  1. Zero Standing Privilege - no standing path
  2. The OT Island Principle - OT never accepts inbound
  3. Defence in depth - independent layers
  4. Controls scale to context - five gates, depth by maturity
  5. Verification over assumption - clause-anchored and tested

The patterns

Every situation maps to one of four patterns.

Two questions decide which one is yours: how large is the OT environment, and where does the programming software run?

Figure: the four patterns, by where the programming software runs (customer-owned station or vendor-owned laptop) and by site scale (large OT or small OT).

  • Pattern A (Scenario 2 · lowest residual risk): large OT, customer-owned station. Customer controls the software.
  • Pattern B (Scenario 4 · most layered defence): large OT, vendor-owned laptop. Vendor controls the software.
  • Pattern C (Scenario 1 · medium residual risk): small OT, customer-owned station. Customer controls the software.
  • Pattern D (Scenario 3 · highest residual risk): small OT, vendor-owned laptop. Vendor controls the software.

Residual risk: A · lowest · C · medium · B · layered · D · highest.

Figure from the published guide (v1.21). Part 1 walks through all four patterns - and Part 2 gives the product mix for each.

The implementation

How BifrostConnect implements the pattern.

Three access methods on one hardware-anchored platform - so the right isolation level is a choice, not a compromise.

DNA

Direct Native Access

Clientless, browser-based KVM, serial and SSH. The operator's device never joins the OT network - the highest isolation level.

DTA

Direct Tunnel Access

A lightweight client opens a scoped, encrypted IP tunnel for the session - subnet-level access that closes when the work ends.

CTA

Clientless Tunnel Access

Hardware-to-hardware tunnel with a Bifrost Unit on both ends - no software on either side, for segmented and air-gapped paths.

The platform: Bifrost Unit (the hardware broker at the OT boundary), Bifrost Manager (approvals, audit, identity), AccessGuard (vendor access control on engineering stations) and SessionGuard (session evidence for vendor laptops) - together sold as Unified Out-of-Band Access™. See how it works.

The guide · Part 2

The implementation, documented.

Part 2 maps each control above to a working deployment: the product mix for all four scenarios, the architecture, and implementation hardening guidance. Free. No form. No gate.

See it on your own OT.

A 30-minute walkthrough of brokered, time-bound, fully audited third-party access, without opening your network.

Sources

  • OT Best-Practice Guide to 3rd Party Remote Access, v1.21 (June 2026) · free download
  • BifrostConnect Implementation Guide, v1.21 (June 2026) · free download
  • NIS2 Directive (EU) 2022/2555 · eur-lex.europa.eu
  • NIS 2-loven, lov nr. 1598 af 2024 (DK) · retsinformation.dk
  • BEK 260: modstandsdygtighed og beredskab i energisektoren (DK)
  • IEC 62443-2-4, 62443-3-3, 62443-4-2 · ISA / IEC
  • NIST SP 800-82r3, Guide to Operational Technology Security · csrc.nist.gov

Page references retrieved 2026-06-12. Guide content: v1.21, June 2026.

Where VPNs end, BifrostConnect.