If you run a BAS integration company, you already know this pain: you have 30, 50, maybe 100 client sites, each with its own controllers, its own network, and its own way of handling remote access. Some clients gave you a persistent VPN years ago. Others have a TeamViewer box sitting on the BAS VLAN. A few insist on dispatching a truck for every alarm. And you're managing all of it with spreadsheets, shared credentials, and a growing sense that something is going to go wrong.
This article is for integrators who are ready to stop treating remote access as an afterthought and start treating it as a service — one that solves real problems for your clients and creates predictable monthly revenue for your business.
The integrator's problem: remote access across dozens of client sites
Every BAS integrator accumulates remote access debt. It starts simply enough: a client gives you a VPN credential so you can dial in and check their JACE controllers. Then another client sets up an SSH tunnel. A third installs a remote desktop tool on a spare PC. Within a few years, your team is juggling dozens of different access methods across dozens of sites, each with its own credentials, its own quirks, and its own security posture.
The problems compound fast:
- Credential sprawl. Your technicians share VPN passwords in chat threads and text messages. When someone leaves your company, you have no way to revoke access across every client site without calling each one individually.
- No visibility. You cannot tell your client who on your team accessed their building network last Tuesday, what they did, or how long they were connected. When they ask — and they will — you have nothing to show them.
- Inconsistent security. One client has a properly segmented OT network. The next gives your VPN full access to their corporate LAN, the building management system, and the security cameras. You are inheriting their risk.
- Truck rolls for minor issues. When remote access is unreliable or unavailable, you dispatch a truck. At $150-300 per roll, a few unnecessary site visits per month wipe out your margin on the service contract.
Most integrators accept this as the cost of doing business. It does not have to be.
Why shared VPNs and TeamViewer are a liability for your business
The tools most integrators rely on today were never designed for multi-tenant OT environments. They were built for IT departments managing their own networks — not for contractors managing access to someone else's building systems.
Persistent VPNs are the most common approach and the most dangerous. A VPN credential that was set up three years ago is probably still active. The technician who originally configured it may have left your company. The credential may be shared among your entire team. And the VPN provides unrestricted Layer 3 access to whatever network it terminates on — not just the BACnet controllers your team needs. For a deeper look at why persistent VPNs fail in building automation, see our guide on alternatives to VPN for building automation.
Remote desktop tools like TeamViewer and AnyDesk create a different risk. They require a persistent, always-on endpoint inside the client's building network. That endpoint becomes an unmonitored entry point — a machine that your client's IT team does not manage, running software that auto-updates on its own schedule, with a credential that may be written on a sticky note in your office. If that machine is compromised, the attacker is on the BAS network.
The business risk is real. 70% of OT security incidents involve third-party access. As an integrator, you are that third party. When a client's building network is compromised through the VPN credential your team uses, you are not just losing a contract — you are facing potential liability, reputational damage, and insurance complications.
And the risk is growing. Building owners are facing increasing pressure from insurers, corporate security teams, and compliance frameworks to document and control third-party access to OT networks. The days of "just give the HVAC guys a VPN" are ending. The question is whether you lead that transition or get caught on the wrong side of it.
The managed service opportunity: remote access as recurring revenue
Here is the opportunity most integrators miss: the problem you are solving for yourself — secure, reliable, auditable remote access — is the exact same problem your clients need solved. And they will pay for it.
Think about what your clients are dealing with. They have multiple contractors — not just you — accessing their building systems. The HVAC integrator, the lighting controls company, the fire alarm vendor, the access control installer. Each one has their own VPN, their own credentials, their own level of access. The building owner has no unified view of who is connecting to what, no way to enforce consistent security policies, and no audit trail that would survive a compliance review.
Managed remote access solves this for them. Instead of handing out VPN credentials to every contractor, the building owner subscribes to a remote access service — managed by you, their trusted integrator — that provides controlled, audited, time-limited access to every contractor who needs it.
The business model works because it aligns value with revenue:
- For the building owner: One platform, one policy, one audit trail for all contractor access. No more managing five different VPN accounts. No more guessing who connected last week.
- For you, the integrator: A monthly recurring revenue line on every service contract. Deeper client relationships. A differentiator that makes it harder for competitors to displace you. And a legitimate reason to be the one managing third-party access to the building — including your competitors' access.
- For every contractor: Reliable, consistent remote access that works the same way at every building. No more hunting for the right VPN credential or calling the building manager for a TeamViewer password.
This is not theoretical. The OT secure remote access market is growing at over 14% annually. Building owners are actively looking for this. The integrator who offers it first becomes the trusted partner who controls the access layer.
What multi-tenant remote access looks like
Offering remote access as a service requires a platform built for multi-tenant operations from the ground up. The key word is isolation — every client's building network must be completely separated from every other client's network, even though you manage them all from a single pane of glass.
Here is what the architecture looks like in practice:
Per-client network isolation
Each client site gets its own isolated network segment with a dedicated CPE device on the building network. Traffic from Site A never touches Site B. This is not a shared VPN concentrator where all your clients land on the same subnet — it is full Layer 2 isolation using separate virtual routing domains. SiteConduit enforces this at the infrastructure level. Each tenant's sites, devices, and sessions are cryptographically separated. A compromised session at one building cannot reach another.
Per-technician authentication
No more shared credentials. Every technician on your team — and every technician from every other contractor — gets their own identity. When Sarah from your team connects to the HVAC controllers at 123 Main Street, the audit log shows Sarah's name, not "HVAC Vendor VPN." When she disconnects, her access ends. When she leaves your company, you disable her account once and she loses access to every site.
Protocol-level firewalling
Multi-tenant BAS remote access is not just about connectivity — it is about controlled connectivity. Each session is restricted to only the protocols the technician needs. A BACnet session allows BACnet/IP on UDP 47808, HTTP/HTTPS for controller web interfaces, and ICMP for diagnostics. Everything else is blocked by a default-deny bridge filter. A Modbus session allows Modbus TCP on port 502. The building owner defines the policy. The platform enforces it.
Time-limited sessions
Sessions expire automatically — configurable from 2 to 24 hours. There is no standing access between maintenance windows. When your technician finishes troubleshooting, the encrypted tunnel is torn down and the access path ceases to exist. No persistent backdoors. No forgotten connections.
Compliance reporting
Every session generates a compliance-ready record: who connected, when, for how long, which protocols were used, how much data was transferred per protocol, and why the session ended. SiteConduit logs per-protocol traffic volumes every 60 seconds, so you can show a client — or their auditor — exactly what happened during any session. This is the documentation that turns a security conversation into a selling point.
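A minimal model of the three controls described above (protocol-level firewalling, time-limited sessions and the per-session compliance record), added here as an illustration. It is not SiteConduit's code: the `Session` class, the `PROFILES` table and the field names are assumptions, while the port lists and the 2 to 24 hour bound come from the article.

```python
from collections import Counter
from dataclasses import dataclass, field

# (protocol, port) pairs each session type may use, taken from the article.
# ICMP has no port, so it is stored with port None.
PROFILES = {
    "bacnet": {("udp", 47808), ("tcp", 80), ("tcp", 443), ("icmp", None)},
    "modbus": {("tcp", 502)},
}

@dataclass
class Session:
    technician: str   # individual identity, never a shared vendor account
    site: str
    profile: str
    start: int        # epoch seconds
    hours: int        # requested lifetime
    allowed_bytes: Counter = field(default_factory=Counter)
    blocked: Counter = field(default_factory=Counter)
    end_reason: str = ""

    def __post_init__(self):
        if self.profile not in PROFILES:
            raise ValueError(f"unknown profile: {self.profile}")
        if not 2 <= self.hours <= 24:
            raise ValueError("session lifetime must be 2 to 24 hours")
        self.expires = self.start + self.hours * 3600

    def handle(self, now, proto, port, nbytes):
        """Return True if the flow is forwarded. Anything unlisted is denied."""
        if self.end_reason:
            return False
        if now >= self.expires:
            self.end_reason = "expired"   # tunnel torn down, no standing access
            return False
        port = None if proto == "icmp" else port
        label = proto if port is None else f"{proto}/{port}"
        if (proto, port) not in PROFILES[self.profile]:
            self.blocked[label] += 1      # kept as policy-enforcement evidence
            return False
        self.allowed_bytes[label] += nbytes
        return True

    def record(self):
        """Audit record: who, where, per-protocol volume, why it ended."""
        return {"technician": self.technician, "site": self.site,
                "bytes": dict(self.allowed_bytes),
                "blocked": dict(self.blocked),
                "end_reason": self.end_reason or "active"}
```

Feeding a BACnet session a Modbus flow on TCP 502 shows up under `blocked` in the record rather than in the byte counts, which is the evidence a client or auditor would ask for.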
Building the service offering: scoping, pricing, and client communication
The technical architecture matters, but the business execution is what determines whether this becomes real revenue. Here is how to structure a managed remote access offering that clients will actually buy.
Scoping the service
Start with your existing service contract clients. You already have the relationship and the site knowledge. For each client, map out:
- How many building sites need remote access
- Which contractors (including you) need access to each site
- Which protocols are required at each site (BACnet, Modbus, Niagara, HTTP)
- Current remote access method and its gaps
- Any compliance requirements (insurance, corporate security policy, industry regulation)
This scoping exercise often reveals problems the client did not know they had. A building owner who thought they had two contractors with VPN access may discover they have five — some with credentials that were never revoked.
Pricing models that work
Three approaches that integrators are using successfully:
- Per-site monthly fee. The simplest model. The client pays a flat monthly fee per building site for managed remote access, including the CPE device, monitoring, and a defined number of technician accounts. Works well for portfolios of similar buildings.
- Bundled with service contract. Roll remote access into your existing maintenance agreement as a line item. This increases the contract value while making the remote access cost nearly invisible to the client. It also makes your contract stickier — switching integrators means losing the remote access platform.
- Tiered by usage. Base tier includes a set number of sessions per month. Higher tiers add more sessions, more technician accounts, or more advanced compliance reporting. This works for clients with variable access needs.
Communicating the value
Do not lead with technology. Lead with the problems the client already feels:
- "Right now, you have no way to know who accessed your BAS network last month. This gives you a complete record."
- "Your current VPN gives every contractor access to your entire network. This restricts them to only the protocols they need."
- "When your insurer asks for documentation of third-party access controls, you will have a compliance-ready report for every session."
The conversation shifts from "we want to sell you another service" to "we want to help you solve a problem that is getting harder to ignore."
Compliance as a selling point: giving clients audit-ready documentation
Compliance is increasingly the trigger that gets building owners to act on remote access security. Three forces are driving this:
Cyber insurance. Insurers are tightening requirements for OT environments. Questionnaires now ask specifically about third-party access controls, session logging, and network segmentation. A building owner who cannot demonstrate controlled contractor access may face higher premiums or coverage gaps.
Corporate security policies. Enterprise tenants and portfolio owners are pushing security requirements down to their building operations teams. If your client manages buildings for a Fortune 500 tenant, that tenant's CISO may require documented access controls for every system that touches the building network.
Industry frameworks. Frameworks like NIST and ISA/IEC 62443 increasingly address OT remote access. While few building owners are required to comply today, the direction is clear — and being compliance-ready now is a competitive advantage.
As the integrator managing remote access, you are in a unique position to deliver this documentation. Every session through SiteConduit generates a detailed compliance record. You can provide your clients with monthly or quarterly reports showing:
- Total sessions by contractor and technician
- Protocols used during each session
- Data volumes per protocol (flagging anomalies)
- Session durations and termination reasons
- Policy enforcement evidence (blocked protocols, expired sessions)
This turns compliance from a burden into a deliverable. Your client hands the report to their auditor or insurer, and the conversation is over. That is the kind of value that justifies a monthly fee and deepens the relationship.
Getting started: from ad-hoc VPNs to a managed remote access platform
You do not need to transform your entire operation overnight. The transition from ad-hoc remote access to a managed service is practical and incremental.
Phase 1: Standardize your own access
Start by replacing the patchwork of VPNs, TeamViewer instances, and SSH tunnels your team uses today with a single platform. Deploy a CPE device at each client site. Move your technicians onto per-user authentication with time-limited sessions. This immediately solves your own credential sprawl and gives you an audit trail for every site visit.
SiteConduit's CPE devices ship pre-configured and auto-provision through Zero Touch Provisioning. The facilities team plugs it into the BAS network. Your technicians connect through a lightweight desktop app with a session file — no VPN client configuration, no firewall rules to coordinate with the client's IT team.
Phase 2: Extend to your clients
Once your team is on the platform, offer it to your clients as a managed service. The same CPE device and platform that handles your team's access can manage every other contractor who needs access to that building. You become the gatekeeper — the integrator who manages the remote access layer for the entire building, not just your own systems.
Phase 3: Formalize the offering
Package the service with pricing, SLAs, and compliance reporting. Add it as a line item on new service contracts and renewals. Build case studies from early adopters. The platform handles the multi-tenant isolation, per-technician auth, protocol firewalling, and audit logging. You handle the client relationship, site deployment, and ongoing management.
The integrators who move first on this will define the category in their markets. The ones who wait will be responding to RFPs that require it.
The bottom line
Remote access is a problem every BAS integrator deals with and most handle poorly. The tools that got us here — shared VPNs, remote desktop software, open tunnels — are not going to survive the next wave of compliance pressure and insurance requirements.
But the transition does not have to be painful, and it does not have to be a cost center. Managed remote access is a service your clients need, a differentiator your competitors do not have, and a revenue stream that grows with every building you bring online.
The technology exists today to provide per-client isolation, per-technician authentication, protocol-level firewalling, time-limited sessions, and compliance-ready audit trails — all managed from a single multi-tenant platform. The question is not whether your clients will need this. The question is whether you will be the one to offer it.
SiteConduit is a managed remote access and monitoring platform purpose-built for building automation. We provide multi-tenant remote access with per-site isolation, protocol firewalling, time-limited sessions, and compliance-ready reporting — designed for BAS integrators who manage access across dozens of client sites.
Hayden Barker
Founder, SiteConduit — Idea Networks Inc.
Hayden has spent over a decade designing and deploying network infrastructure for building automation environments. He built SiteConduit after seeing firsthand how traditional VPNs and remote access tools fail to meet the security and operational needs of BAS integrators and building owners.