What protocols does SiteConduit support for building automation remote access?

SiteConduit supports BACnet/IP (UDP 47808), Modbus/TCP (TCP 502), Niagara Fox (TCP 4911, 5011), HTTP/HTTPS (TCP 80, 443), and ICMP. The protocol allowlist is configurable per site, and a default-deny bridge filter blocks everything not explicitly permitted.

How does SiteConduit prevent unauthorized lateral movement on building networks?

Every session runs behind a protocol-level firewall with a default-deny bridge filter. Only approved BAS protocols are permitted. Technicians can reach their BACnet controllers and Niagara stations but cannot access file servers, printers, or IT infrastructure. Sessions are also bandwidth-limited to prevent data exfiltration.

Does SiteConduit support compliance and audit requirements?

SiteConduit generates detailed compliance reports with full session history including technician identity, session times, protocols used, and data transferred. Reports export to CSV and are designed to support industry compliance frameworks, insurance renewals, and vendor risk assessments.

How long does it take to deploy SiteConduit at a building site?

Minutes, not months. SiteConduit ships a pre-configured CPE device to your site. Your facilities team plugs it into the building automation network. The device auto-provisions via Zero Touch Provisioning with no on-site IT support required.

Can building owners terminate remote access sessions immediately?

Yes. SiteConduit provides a one-click kill switch that terminates any session in seconds. The encrypted tunnel is disabled, credentials are revoked, and the network bridge is destroyed. Bulk termination is available per-site or across all sites in your organization.

Dispel vs SiteConduit: Which Fits Building Automation?

If you are evaluating secure remote access for building automation, Dispel is likely on your shortlist. They were named a Representative Vendor in Gartner's 2026 CPS Secure Remote Access Market Guide, they focus on operational technology, and they have a strong reputation in industrial environments.

The question is whether an OT remote access platform built for industrial control systems — PLCs, SCADA, HMIs — translates directly to building automation systems. The short answer: it depends on what protocols your building runs.

What Dispel does well

Dispel provides a moving-target defense approach to OT remote access. Their infrastructure randomizes network pathways, making sessions harder to intercept or target. Key strengths:

Gartner recognition — Named in the 2026 CPS Secure Remote Access Market Guide as a Representative Vendor
Agentless access — Does not require software installed on OT devices
Session recording — Full video recording of remote sessions for compliance
Moving-target defense — Network infrastructure that rotates to reduce attack surface
Industrial focus — Designed for OT environments, not repurposed IT tools

For organizations managing PLCs, SCADA systems, and industrial HMIs, Dispel is a serious platform with genuine OT security credentials.

Where Dispel stops: the BAS-specific gap

Building automation operates differently from industrial OT. BAS technicians do not access PLCs through a remote desktop. They need to:

Discover BACnet devices using WHO-IS/I-AM broadcast on UDP 47808
Read and write Modbus registers on HVAC controllers, power meters, and VFDs over TCP 502
Connect Niagara Workbench to JACE controllers over the FOX protocol on TCP 1911/4911
Use their local engineering tools (not remote desktop into a shared machine)

BACnet device discovery requires Layer 2 network connectivity. WHO-IS packets are broadcast, and broadcast does not cross Layer 3 boundaries. Dispel operates at the application and session layer — it does not provide Layer 2 connectivity.

This means a BAS technician using Dispel cannot open their local copy of Niagara Workbench or CAS BACnet Explorer and discover devices on the remote network the way they would on-site. They would need to remote-desktop into a machine already on the building network — losing the ability to use their own tools and their own workstation configuration.

Feature comparison

Here is a direct comparison of the features that matter most for building automation remote access:

BACnet/IP support (UDP 47808): Dispel — No native awareness. SiteConduit — Yes, with protocol-level filtering.
Modbus TCP support (TCP 502): Dispel — No protocol-level awareness. SiteConduit — Yes, with per-protocol traffic monitoring.
Niagara FOX support (TCP 1911/4911): Dispel — No. SiteConduit — Yes.
Layer 2 connectivity: Dispel — No. SiteConduit — Yes. BACnet broadcast discovery works natively.
Protocol-level firewall: Dispel — No default-deny bridge filter. SiteConduit — Yes, default-deny with per-protocol allow rules.
Time-limited sessions: Dispel — No auto-expiry. SiteConduit — 2 to 24-hour windows with automatic termination.
Per-protocol traffic monitoring: Dispel — No. SiteConduit — Yes, updated every 60 seconds.
Bandwidth limiting: Dispel — No. SiteConduit — Configurable per-site caps (anti-exfiltration).
One-click kill switch: Dispel — No. SiteConduit — Yes, instant session termination.
24/7 device monitoring: Dispel — No. SiteConduit — Yes, with alerting.
Session recording: Dispel — Yes (video). SiteConduit — Planned.
Gartner CPS SRA 2026: Dispel — Yes. SiteConduit — No (BAS-specific, not yet evaluated).
Deployment model: Dispel — Agentless, no hardware. SiteConduit — CPE device at each site with Zero Touch Provisioning.

The BAS-specific gap

The core difference is not about security quality. Dispel is a well-built OT security platform. The gap is specificity.

Industrial OT remote access focuses on point-to-point connections to individual devices: a PLC, an HMI, a SCADA server. The technician accesses one device at a time through a brokered session.

Building automation works differently. A BAS technician often needs to interact with dozens of controllers simultaneously — running a WHO-IS scan across an entire subnet, adjusting setpoints on multiple VAV controllers, or verifying Modbus register values from a chain of energy meters. This requires network-level access, not device-level access.

As we covered in our analysis of why VPNs fail for BAS, the challenge is providing enough network access for technicians to do their work while maintaining protocol-level security controls. Too restrictive and the technician cannot do their job. Too open and you have a security gap that Gartner's framework identifies as unacceptable for CPS environments.

Use case: a 20-building portfolio

Consider a commercial real estate firm managing 20 buildings. Each has a mix of BACnet/IP controllers for HVAC, Modbus meters for energy monitoring, and Niagara JACEs as supervisory controllers. Three different integrator firms provide maintenance.

With Dispel: Each integrator connects to individual devices through brokered sessions. BACnet discovery does not work over the session — the technician must know every device IP in advance or remote-desktop into a machine on the building network. No protocol-level filtering. No automatic session expiry. No per-protocol traffic visibility.

With SiteConduit: Each building has a pre-configured CPE device connected to the BAS network. The integrator's technician opens a time-limited session (2-24 hours) through a lightweight desktop app. Their workstation joins the BACnet subnet at Layer 2. WHO-IS discovers every controller. Niagara Workbench connects to JACEs. Modbus registers are accessible. The protocol firewall allows only BACnet (UDP 47808), Modbus (TCP 502), Niagara FOX (TCP 1911/4911), and HTTPS — blocking everything else. Per-protocol traffic monitoring updates every 60 seconds. The session auto-expires.

When Dispel makes sense

Dispel is a strong choice if your environment is primarily industrial OT — PLCs, SCADA, HMIs — and remote access means connecting to individual devices one at a time. If you do not need BACnet broadcast discovery, Layer 2 connectivity, or BAS-specific protocol awareness, Dispel's approach works well.

If your buildings run BACnet, Modbus, and Niagara — and your technicians need the same tools and workflows remotely that they use on-site — the BAS-specific approach fills gaps that generic OT remote access does not address.

SiteConduit is a managed remote access and monitoring platform purpose-built for building automation. Layer 2 connectivity, protocol firewalling, time-limited sessions, and 24/7 device monitoring — for BACnet, Modbus, and Niagara environments.

Join the waitlist for early access, or visit our FAQ for more details.