The Intelligent Remote Link
SiteConduit is the building automation remote access platform that gives your BAS technicians the access they need — with the controls your security team demands. Purpose-built for BAS remote access and OT cybersecurity: time-limited sessions, protocol-level firewalling, real-time traffic monitoring, and proactive device health tracking.
Join the waitlist for early access. No credit card required.
A 4-minute overview of the platform — from the problem to the solution.
70% of OT security incidents involve third-party access (Dragos Year in Review). Traditional tools give technicians far more network access than they need, with zero visibility.
Persistent VPN credentials stay active indefinitely. A technician who connected six months ago may still have a live tunnel to your building network.
Once on the network via TeamViewer or SSH, a technician can reach anything — file servers, printers, IT infrastructure — not just their BAS controllers.
No record of which protocols were used, what data was transferred, or whether the technician accessed systems outside their scope.
Revoking access means calling the integrator, locating VPN credentials, and hoping no one made a copy. It takes hours, not seconds.
"Who accessed the building network on February 12th and what did they do?" Most organizations cannot answer this question.
Building systems control HVAC, fire suppression, elevators, and door locks. A compromised BAS vendor is a physical safety risk — not just a data breach.
Every control was designed for OT and BAS environments — not retrofitted from an IT product.
Sessions last 2, 4, 8, or 24 hours and auto-expire with no grace period. The encrypted tunnel is torn down the moment the clock runs out. Zero standing access between sessions.
Default-deny bridge filter. Only BACnet, Modbus, Niagara Fox, and HTTP are allowed through. Configurable per site. The tech can reach the JACE, but not the file server.
Per-protocol traffic breakdown updated every 60 seconds. See exactly what BACnet, Modbus, Niagara, and HTTP traffic the technician is generating. Full history retained.
Default 10 Mbps cap per session — generous for BAS traffic, impractical for data exfiltration. Configurable from 1 to 100 Mbps per site.
Terminate any session, all sessions at a site, or your entire organization with one click. Tunnel, credentials, and bridge destroyed in seconds.
Full audit trail: who connected, when, how long, which protocols, how much data. CSV export designed for compliance audits, insurance renewals, and vendor risk reviews.
SiteConduit doesn't just give you secure access — it watches your building systems around the clock and alerts you the moment something needs attention.
Single pane of glass showing every CPE device, tunnel status, LTE signal strength, CPU, memory, and uptime — across all your sites.
Severity-classified alerts when devices go offline, signals degrade, or systems exceed thresholds. Acknowledge alerts with notes for your team.
Track RSRP, RSRQ, SINR, band, and carrier for every cellular-connected site. Identify signal issues before they cause downtime.
Up to 90 days of historical telemetry for every device. Spot trends, plan capacity, and prove uptime to stakeholders with real data.
Aggregated health per site: device count, tunnel status, active alerts, average signal quality, and CPU load — at a glance.
Every new CPE device is automatically enrolled in the monitoring system with pre-configured templates. No manual setup required.
No IT project. No on-site configuration. Zero Touch Provisioning handles everything.
A small, pre-configured CPE device ships to your building site. No configuration required.
Your facilities team plugs the CPE into the building automation network. It auto-provisions via ZTP.
The technician opens the Connect app, loads their session file, and they're Layer 2 adjacent to the building network.
Monitor protocols in real time, set bandwidth limits, view device health, and terminate any session instantly.
70% of OT incidents involve third-party access
<30s to fully terminate a session
60s monitoring & traffic resolution
24/7 proactive device monitoring
Everything your CISO needs to approve third-party BAS access.
| Security Question | SiteConduit Answer |
|---|---|
| What can the technician access? | Only protocols in the site's allowlist — BACnet, Modbus, Niagara, HTTP. Everything else is dropped by a default-deny bridge filter. |
| Can we see what they did? | Per-protocol traffic accounting with 60-second resolution. Full compliance reports exportable to CSV. |
| Can we cut access immediately? | One-click kill switch. Tunnel, credentials, and bridge destroyed in seconds. No coordination with the vendor required. |
| Is there a time limit? | Sessions auto-expire (2-24 hours). No standing access. No persistent VPN. Encrypted tunnel is torn down between sessions. |
| Is traffic encrypted? | End-to-end encrypted tunnels using modern cryptography. No unencrypted path exists between the technician and your building network. |
| Is it multi-tenant? | Fully isolated per customer. Separate VRF routing, data, users, sites, and audit trails. Cross-tenant access is technically impossible. |
| Do you monitor device health? | 24/7 telemetry from every CPE device — tunnel status, LTE signal quality, CPU, memory. Real-time alerts classified by severity with up to 90 days of history. |
Default-deny bridge filter for BACnet, Modbus, and Niagara remote access — technicians reach their controllers and nothing else.
[Diagram: protocols allowed (configurable per site) and protocols blocked (default-deny)]
SiteConduit serves building owners, their security teams, and the technicians who maintain their systems.
Each customer is fully isolated. Manage everything from a single web portal.
VRF-isolated per customer. Separate data, users, and audit trails.
Manage sites, users, sessions, and reports from any browser.
Lightweight app for Windows, Linux, and macOS. One click to connect.
Works over LTE, broadband, or satellite. Our encrypted tunnel handles anything.
TeamViewer cannot discover BACnet devices, filter protocols, or limit sessions. Learn why BAS needs network-level access, not screen sharing.
38% of smart buildings have been attacked. A breakdown of the top building automation cybersecurity threats and how to defend against them in 2026.
Gartner says VPNs create unacceptable risk for cyber-physical systems. Learn why BAS needs protocol-aware remote access instead of traditional VPNs.