What protocols does SiteConduit support for building automation remote access?

SiteConduit supports BACnet/IP (UDP 47808), Modbus/TCP (TCP 502), Niagara Fox (TCP 4911, 5011), HTTP/HTTPS (TCP 80, 443), and ICMP. The protocol allowlist is configurable per site, and a default-deny bridge filter blocks everything not explicitly permitted.

How does SiteConduit prevent unauthorized lateral movement on building networks?

Every session runs behind a protocol-level firewall with a default-deny bridge filter. Only approved BAS protocols are permitted. Technicians can reach their BACnet controllers and Niagara stations but cannot access file servers, printers, or IT infrastructure. Sessions are also bandwidth-limited to prevent data exfiltration.

Does SiteConduit support compliance and audit requirements?

SiteConduit generates detailed compliance reports with full session history including technician identity, session times, protocols used, and data transferred. Reports export to CSV and are designed to support industry compliance frameworks, insurance renewals, and vendor risk assessments.

How long does it take to deploy SiteConduit at a building site?

Minutes, not months. SiteConduit ships a pre-configured CPE device to your site. Your facilities team plugs it into the building automation network. The device auto-provisions via Zero Touch Provisioning with no on-site IT support required.

Can building owners terminate remote access sessions immediately?

Yes. SiteConduit provides a one-click kill switch that terminates any session in seconds. The encrypted tunnel is disabled, credentials are revoked, and the network bridge is destroyed. Bulk termination is available per-site or across all sites in your organization.

BAS Cybersecurity Threats in 2026: What Building Owners Must Know

Building automation systems are under attack. Not theoretically. Not "potentially at risk." Under attack, right now, at a scale most building owners do not appreciate.

According to Kaspersky's research on building automation infrastructure, 38% of smart buildings experienced at least one cyberattack on their BAS in a recent 12-month period. That is not a statistic about high-profile targets or Fortune 500 companies. It covers commercial buildings with standard HVAC controllers, lighting panels, and access control systems.

Claroty's Team82 research unit went deeper. After analyzing nearly 500,000 building management system devices across 500+ organizations, they found that 75% of organizations have BMS devices affected by known exploited vulnerabilities (KEVs). Not theoretical vulnerabilities. Not possible attack vectors. Vulnerabilities that have already been exploited in the wild, documented by CISA, and linked to active campaigns.

Meanwhile, the building automation market continues to grow. Precedence Research projects the BAS market will reach $176.4 billion by 2034, up from $95.9 billion in 2025. More buildings are being automated. More devices are being connected. And the OT security market is racing to keep pace, growing at 16.5% CAGR toward $50.3 billion by 2030 according to Mordor Intelligence.

The gap between the number of connected BAS devices and the security controls protecting them is widening. This article breaks down the five most pressing threats to building automation systems in 2026 and what building owners can do about each one.

Threat 1: Uncontrolled third-party vendor access

Every commercial building depends on outside technicians. HVAC contractors, fire alarm integrators, lighting controls specialists, access control vendors. These third parties need remote access to do their jobs. The problem is how that access is typically managed.

According to Dragos, 70% of OT security incidents involve third-party access. That number alone should reshape how building owners think about vendor access. The majority of operational technology breaches do not come from sophisticated nation-state hackers or zero-day exploits. They come through the people you hired to maintain your systems.

The patterns are consistent across the industry. BAS integrators share a single username and password companywide so any technician can access any building. Vendors use one remote access license with generic logins passed between field staff. Persistent VPN connections stay active indefinitely, giving contractors 24/7 network access even when they only need two hours of maintenance time every quarter.

When a technician leaves the company, their credentials are rarely revoked because they were never individual credentials to begin with. When a laptop is stolen from a service van, that device may still have an active VPN tunnel to every building in the contractor's portfolio.

This access model directly violates every IT security principle that exists: least privilege, individual accountability, session logging, access expiration. Yet it remains the norm in building automation because the industry has not had practical alternatives designed specifically for how BAS technicians work.

Threat 2: Ransomware targeting building systems

Ransomware groups have discovered that building systems are soft targets with high-pressure payoffs. Unlike traditional IT ransomware — where the threat is encrypted files and data theft — BAS ransomware creates physical consequences. Locked-out HVAC in a hospital. Disabled fire suppression in a high-rise. Non-functional elevators in a hotel. The urgency to pay is immediate and visceral.

Johnson Controls International (2023)

The world's largest building automation vendor was hit with a ransomware attack that stole over 27 TB of data, including building floor plans, industrial control system designs, and trade secrets. The attackers demanded $51 million. Johnson Controls reported spending $27 million on remediation ($23 million in response costs plus $4 million in lost revenue). Among the stolen data: U.S. federal agency building security details. When your BAS vendor gets compromised, the blast radius extends to every building they touch.

MGM Resorts (2023)

Attackers gained access to MGM's internal systems and caused widespread operational shutdowns across more than 30 casino and hotel properties. Building systems — door locks, elevators, HVAC — were disrupted alongside IT systems. The breach demonstrated how interconnected building systems amplify the blast radius. When building automation shares network infrastructure with corporate IT, an attack on one becomes an attack on both.

Omni Hotels (2024)

A cyberattack forced Omni Hotels to manual check-ins, disabled electronic room key systems, and took Wi-Fi offline across properties. The attackers claimed to have stolen data on approximately 3.5 million guests. The operational impact — guests unable to enter their rooms, front desk staff processing everything on paper — illustrates how BAS-adjacent systems become casualties when building networks are compromised.

Claroty's research found that 69% of organizations have BMS devices with known exploited vulnerabilities that have been used in ransomware attacks. More alarming: 51% have BMS devices that are both linked to ransomware KEVs and insecurely connected to the internet. These are not hidden vulnerabilities. They are documented, catalogued, and actively targeted.

Threat 3: Insecure legacy protocols

BACnet was standardized in 1995. Modbus was created in 1979. LonWorks dates to 1990. These protocols were designed for serial communication between controllers in the same mechanical room. Authentication, encryption, and access control were not design considerations because the threat model at the time was a locked door and a key.

Today, these same protocols carry control traffic across building networks that are increasingly IP-connected. The security implications are significant:

BACnet/IP has no native authentication. Any device on the network segment can read and write BACnet objects on any controller. There is no credential, no token, no certificate required. A BACnet session that reaches the network can communicate with every BACnet device on the subnet.
Modbus TCP has no encryption. Traffic is transmitted in plaintext. Anyone on the network can read Modbus commands and responses, including setpoint changes, register writes, and control commands.
LonWorks and KNX share similar limitations. The KNXlock vulnerability, first exploited in 2021 against a German engineering company, allowed threat actors to compromise a BAS over the internet and lock building owners out of their own systems — a scenario that continued to affect buildings through 2023.

The challenge with legacy BAS protocols is not that better alternatives do not exist. BACnet Secure Connect (BACnet/SC) adds TLS-based encryption to BACnet. But the installed base of BACnet controllers runs on 15- to 25-year replacement cycles. The BACnet/IP controller installed in 2010 will still be in service in 2030. It will never support BACnet/SC. It cannot be patched. It was never designed to be.

This means the security gap is not a temporary transition period. It is a permanent condition of building automation infrastructure. Protocols that lack native security will remain on building networks for decades. The security controls must come from the network layer, not the protocol itself.

Threat 4: IT/OT convergence without segmentation

The default architecture in most commercial buildings puts BAS devices on the corporate network. HVAC controllers share VLANs with workstations. Access control panels sit on the same subnet as email servers. The building automation system and the corporate IT system are, from a network perspective, one flat attack surface.

The Target breach: the definitive case study

In 2013, attackers compromised Fazio Mechanical Services, an HVAC contractor, through a phishing email. The contractor had network credentials for electronic billing and project management — not direct HVAC monitoring. But Target had failed to segment payment card systems from the broader corporate network. The attackers moved laterally from the HVAC contractor's access point to Target's point-of-sale systems. The result: 40 million credit and debit card numbers stolen, 70 million personal records compromised, and $202 million in total reported costs.

The Target breach did not exploit a sophisticated zero-day vulnerability. It exploited a flat network where an HVAC contractor's billing credentials provided a path to payment card data. The technical failure was straightforward: no network segmentation between building systems and corporate IT.

More than a decade later, the same architecture persists in the majority of commercial buildings. NIST SP 800-82 Rev. 3 explicitly requires separating enterprise IT from OT networks and mandates Industrial Demilitarized Zones (IDMZs) between them. IEC 62443 prescribes a Zone and Conduit model where OT assets live in separate security zones with managed communication pathways. ASHRAE's managed BACnet guidance dedicates an entire chapter to network segmentation.

Every major framework agrees. Yet Claroty found that 51% of organizations have BMS devices that are both linked to known ransomware vulnerabilities and insecurely connected to the internet. The frameworks exist. The implementation does not.

Cyber insurers have noticed. In 2026, carriers are asking specifically whether OT networks are separated from IT networks. Network segmentation is now part of the baseline requirements that insurers treat as mandatory. Missing it does not just increase premiums — it risks policy denial entirely.

Threat 5: Lack of visibility and audit trails

Ask most building owners a simple question: "Who accessed your BAS remotely in the last 30 days, what protocols did they use, and what did they change?" The answer, overwhelmingly, is: "We do not know."

This visibility gap is not a minor operational inconvenience. It is a fundamental security failure. Without session-level audit trails, building owners cannot detect unauthorized access. They cannot investigate incidents. They cannot demonstrate compliance to auditors or insurers. They cannot answer the most basic forensic question: what happened?

The problem has two dimensions. First, most BAS remote access tools — persistent VPNs, TeamViewer, AnyDesk, SSH tunnels — generate minimal logging. A VPN log shows that a connection was established from an IP address at a timestamp. It does not show which BAS protocols were used, which controllers were accessed, how much data was transferred, or what changes were made.

Second, even when logs exist, they are typically scattered across multiple tools with no central correlation. The VPN server logs one thing. The BAS controller logs another. The firewall logs something else. No single system provides a unified view of "Technician X connected at 2:15 PM, used BACnet/IP to communicate with three controllers, transferred 4.2 MB of data, and disconnected at 3:45 PM."

According to research from FlowFuse and Verve Industrial, 55% of organizations have inaccurate or no asset inventory for their OT devices. If you do not know what devices exist on your building network, you certainly cannot track who is accessing them.

For organizations facing compliance requirements — NIST 800-82, IEC 62443, or cyber insurance renewals — this gap is increasingly untenable. Carriers in 2026 expect documentation: screenshots, policies, logs, and proof of security controls. "We think our contractor accessed the system last Tuesday" does not meet that bar.

Building a defense: what practical BAS cybersecurity looks like

The five threats above share a common root cause: building automation systems were designed for reliability and interoperability, not security. The protocols lack encryption. The devices lack authentication. The networks lack segmentation. The access methods lack controls.

Solving this does not require replacing every BACnet controller or rewriting Modbus. It requires wrapping the existing infrastructure in a security layer that addresses each gap at the network level. Here is what that looks like in practice:

OT network separation

BAS devices belong on a separate, purpose-built OT network — physically isolated from corporate IT. Not a VLAN on a shared switch. A separate network with its own infrastructure, managed independently from the IT environment. This eliminates lateral movement. An attacker who compromises a workstation cannot reach the HVAC controllers because they are not on the same network.

Protocol-level firewalling

When technicians connect remotely, only the protocols they need should be allowed through. A BACnet maintenance session should pass BACnet/IP traffic on UDP 47808 and block everything else by default. No file sharing. No remote desktop. No database queries. A default-deny bridge filter at Layer 2 reduces the attack surface from "everything on the network" to "the specific protocols required for the task."

Time-limited, individually authenticated access

No standing access. No shared credentials. Every technician authenticates individually. Every session has a defined start time and auto-expiry. A two-hour maintenance window produces a two-hour access window — not a persistent VPN tunnel that stays active until someone remembers to disable it. When a technician leaves the company, their individual access is revoked immediately.

Traffic monitoring and session logging

Every remote session should produce a complete audit record: who connected, when, which protocols they used, how much data was transferred per protocol, and why the session ended. Per-protocol traffic accounting — updated every 60 seconds — provides the visibility to detect anomalies in real time and the documentation to satisfy auditors after the fact.

Compliance-ready reporting

Compliance should not require assembling logs from five different systems. A single platform should produce reports that answer the questions auditors, insurers, and risk teams actually ask. These reports are designed to support the frameworks that govern OT security — NIST 800-82, IEC 62443, and ASHRAE BACnet security guidance — without requiring building owners to become compliance experts.

This is the model SiteConduit was built on. A managed remote access and monitoring platform, purpose-built for building automation, that addresses each of these five threat vectors. A pre-configured CPE device at each building site creates a separate OT network with an encrypted tunnel back to a managed cloud platform. Technicians receive time-limited, protocol-restricted, individually authenticated access. Building owners see every session, every protocol, every byte — in real time and in historical reports. No persistent VPNs. No shared credentials. No standing access.

The technology exists today to secure BAS remote access without disrupting how technicians work. The question for building owners is not whether these threats are real — the breach data answers that. The question is how quickly you close the gaps before your building becomes the next case study.

For answers to common questions about BAS cybersecurity and remote access, see our FAQ.

SiteConduit is a managed remote access and monitoring platform purpose-built for building automation. We provide time-limited, protocol-restricted, fully audited remote access for BAS integrators, facility managers, and security teams.

Join the waitlist at siteconduit.com for early access.