In February 2026, Gartner published its first-ever standalone Market Guide for CPS Secure Remote Access. Not a subsection of a broader OT security report. Not a footnote in a network security briefing. A dedicated guide, recognizing that secure remote access for cyber-physical systems is now a distinct product category.
For anyone working in building automation, this is a significant moment. HVAC systems, fire suppression controllers, elevators, lighting networks, and access control panels are all cyber-physical systems. They control physical processes in occupied buildings. And for the first time, a major analyst firm is saying the tools we use to remotely access these systems need to be fundamentally different from the tools IT uses to access servers and workstations.
Here is what the Gartner guide says, where it falls short for building automation, and what it means for how you evaluate remote access tools going forward.
What happened: Gartner draws a line in the sand
The 2026 Market Guide for CPS Secure Remote Access represents Gartner's formal acknowledgment that CPS remote access is not an IT problem with an IT solution. The guide names Representative Vendors in the category — Dispel, Tosibox, Secomea, and Cyolo among them — and draws a clear boundary between these purpose-built tools and the VPNs, jump servers, and remote desktop software that most organizations still rely on.
The central finding is direct: "VPNs, jump servers, and IT-centric access tools create unacceptable risk because they lack asset-level, protocol-aware, and operational controls."
That sentence carries weight. Gartner is not saying VPNs are suboptimal. They are saying VPNs create unacceptable risk when used for CPS environments. For building automation professionals who have spent years pushing back against IT departments that insist on using Cisco AnyConnect or OpenVPN for BAS technician access, this is long-overdue validation.
The guide also signals market maturity. When Gartner creates a standalone category, vendors take notice, budget holders take notice, and procurement processes change. CPS secure remote access is no longer a niche concern — it is a named product category with analyst coverage and a growing vendor market.
Why this matters for building automation
When most people hear "cyber-physical systems," they think of factory robots and power grid controllers. But building automation is one of the largest CPS deployments on the planet. Every commercial building with a BAS has dozens to thousands of controllers managing physical processes that directly affect occupant safety and comfort:
- HVAC controllers regulate air temperature, humidity, and pressure in hospitals, data centers, and office towers
- Fire suppression systems control sprinklers, smoke evacuation, and stairwell pressurization
- Elevator controllers manage car dispatch, door timing, and emergency recall
- Lighting control systems handle emergency egress lighting and occupancy-based scheduling
- Access control panels lock and unlock doors, manage credential databases, and control emergency lockdown sequences
These are not monitoring dashboards. They are systems that move air, water, fire suppression agents, and elevator cars. A misconfigured HVAC setpoint in a hospital operating room is not an IT inconvenience — it is a patient safety event. A compromised fire alarm panel is a life-safety failure.
Yet the remote access tools used to maintain these systems are overwhelmingly the same VPNs and remote desktop tools that IT uses for help desk support. The Gartner guide validates what BAS professionals have known for years: that approach is not good enough.
Key findings: why IT-centric access tools fail for CPS
The Gartner guide identifies three fundamental gaps in how organizations currently handle CPS remote access:
No asset-level controls
Traditional VPNs provide network-level access. Once a technician connects, they can reach any device on the subnet — BACnet controllers, IT servers, printers, security cameras, everything. There is no mechanism to say "this technician can access the HVAC controllers on floor 3 but nothing else." The access is binary: you are on the network or you are not.
No protocol awareness
A VPN tunnel carries any traffic. It cannot distinguish BACnet/IP on UDP 47808 from an SMB file transfer or a SQL query. If a technician — or an attacker using stolen credentials — starts exfiltrating data through the tunnel, the VPN has no way to detect or prevent it. Every protocol looks the same inside the encrypted pipe.
No operational controls
CPS environments have operational requirements that IT environments do not. Maintenance windows matter. A BAS technician uploading firmware to an air handling unit controller during peak cooling season needs to be constrained to a specific window — not left with 24/7 standing access. IT remote access tools have no concept of operational scheduling, session time limits, or automatic expiry tied to maintenance workflows.
These three gaps compound. Without asset-level controls, a compromised credential exposes the entire building network. Without protocol awareness, malicious traffic is invisible. Without operational controls, the exposure window is permanent. Gartner's conclusion is that this combination creates risk that no amount of IT-layer security can adequately address.
The five capabilities Gartner identifies for CPS secure remote access
The Market Guide outlines five capabilities that define a purpose-built CPS secure remote access platform. These are the criteria Gartner uses to evaluate the Representative Vendors in the guide:
- Identity-based, least-privilege access — Granular access controls tied to individual identity, with access scoped to specific assets rather than entire networks. Role-based permissions that limit what each technician can reach.
- Session monitoring and recording — Real-time visibility into active sessions with the ability to observe, intervene, and terminate. Historical session logs for audit and forensic purposes.
- Secure connectivity without persistent tunnels — Encrypted connections that are established on demand and terminated when work is complete. No standing access, no always-on VPN tunnels, no persistent attack surface.
- Integration with CPS asset inventories — Awareness of the physical assets being accessed, their criticality, and their operational context. The remote access platform should know what the technician is connecting to, not just which IP address.
- Compliance and audit support — Built-in logging, reporting, and evidence generation for regulatory frameworks. The platform should produce compliance artifacts natively, not require a separate SIEM to reconstruct session history.
The Representative Vendors named in the guide — Dispel, Tosibox, Secomea, Cyolo, and others — each address these capabilities to varying degrees. Dispel brings a Moving Target Defense approach with disposable virtual desktops. Tosibox uses a hardware Lock-and-Key model with no open inbound ports. Secomea is IEC 62443 certified with native support for industrial protocols like Modbus, Profinet, and EtherCAT. Cyolo offers agentless browser-based access with AI-powered session intelligence.
These are serious platforms solving real problems for manufacturing, energy, and utilities. The Gartner guide is right to recognize them.
But there is a gap.
Where BAS-specific needs go beyond Gartner's framework
The Gartner framework is built primarily around manufacturing and industrial control system use cases. The Representative Vendors reflect this — their customer stories feature factories, power plants, and water treatment facilities. Building automation is mentioned, but the specific technical requirements of BAS remote access are not addressed.
This matters because BAS environments have requirements that generic OT remote access does not solve:
Layer 2 connectivity for BACnet
BACnet/IP relies on broadcast discovery. When a technician opens their BACnet workstation software, it sends broadcast packets on UDP 47808 to discover controllers on the local network. This is a Layer 2 operation — it requires the technician's device to appear on the same network segment as the BACnet controllers. Standard IP routing (Layer 3) does not carry broadcast traffic.
None of the Gartner Representative Vendors provide Layer 2 remote access. Dispel uses virtual desktops. Tosibox and Secomea use Layer 3 VPN tunnels. Cyolo operates at the application layer. A BAS technician using any of these platforms cannot discover BACnet devices using standard broadcast discovery — the fundamental workflow for BACnet commissioning, troubleshooting, and maintenance.
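What that broadcast discovery looks like at the byte level, as an added example that is not part of the original post or of any vendor's product: the Who-Is a BACnet workstation sends and the I-Am a controller answers with. The sample I-Am bytes (device instance 99, vendor ID 15) are constructed for the example, not captured from a real controller.

```python
"""BACnet/IP Who-Is / I-Am discovery as it appears on the wire.

Added example, not code from the original post or from any vendor it names.
It encodes the global Who-Is that a workstation broadcasts on UDP 47808 and
decodes the I-Am a controller replies with. SAMPLE_I_AM is constructed.
"""
import socket
import struct

BACNET_PORT = 47808
BVLC_TYPE = 0x81
BVLC_ORIGINAL_BROADCAST, BVLC_FORWARDED = 0x0B, 0x04
# NPDU: version 1, control 0x20 (destination present), DNET 0xFFFF = global broadcast, DLEN 0, hop 255
NPDU_GLOBAL_BROADCAST = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])
OBJECT_TYPE_DEVICE = 8


def _ctx_unsigned(tag, value):
    """Context-tagged unsigned integer in its shortest encoding."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return bytes([(tag << 4) | 0x08 | len(body)]) + body


def build_who_is(low=None, high=None):
    """Global Who-Is broadcast, optionally limited to a device-instance range."""
    apdu = bytes([0x10, 0x08])  # unconfirmed request, service choice 8 = Who-Is
    if low is not None and high is not None:
        apdu += _ctx_unsigned(0, low) + _ctx_unsigned(1, high)
    length = 4 + len(NPDU_GLOBAL_BROADCAST) + len(apdu)  # BVLC length covers the whole frame
    return (struct.pack("!BBH", BVLC_TYPE, BVLC_ORIGINAL_BROADCAST, length)
            + NPDU_GLOBAL_BROADCAST + apdu)


def _strip_npdu(data):
    """Skip the NPDU, including optional DNET/SNET addressing, and return the APDU."""
    version, control = data[0], data[1]
    if version != 1 or control & 0x80:  # 0x80 = network-layer message, carries no APDU
        raise ValueError("not an APDU-carrying NPDU")
    i = 2
    if control & 0x20:                  # DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + data[i + 2]
    if control & 0x08:                  # SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + data[i + 2]
    if control & 0x20:                  # hop count follows the source specifier
        i += 1
    return data[i:]


def _app_value(apdu, i):
    """Decode one application-tagged primitive at apdu[i] -> (tag, int value, next index)."""
    tag, length = apdu[i] >> 4, apdu[i] & 0x07
    if length == 5:                     # extended length lives in the next byte
        length, i = apdu[i + 1], i + 1
    return tag, int.from_bytes(apdu[i + 1:i + 1 + length], "big"), i + 1 + length


def parse_i_am(packet):
    """Decode an I-Am reply; return None for any other PDU type."""
    if packet[0] != BVLC_TYPE or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("malformed BVLC header")
    hdr = 10 if packet[1] == BVLC_FORWARDED else 4  # Forwarded-NPDU carries a 6-byte origin address
    apdu = _strip_npdu(packet[hdr:])
    if apdu[0] >> 4 != 0x1 or apdu[1] != 0x00:      # unconfirmed request, service 0 = I-Am
        return None
    tag, obj_id, i = _app_value(apdu, 2)
    if tag != 12 or obj_id >> 22 != OBJECT_TYPE_DEVICE:
        raise ValueError("I-Am must start with a device object identifier")
    _, max_apdu, i = _app_value(apdu, i)
    _, segmentation, i = _app_value(apdu, i)
    _, vendor_id, _ = _app_value(apdu, i)
    return {"instance": obj_id & 0x3FFFFF, "max_apdu": max_apdu,
            "segmentation": segmentation, "vendor_id": vendor_id}


# Constructed I-Am: device 99, max APDU 1476, no segmentation, vendor 15.
SAMPLE_I_AM = bytes.fromhex("810b0018 0120ffff00ff 1000 c402000063 2205c4 9103 210f")


def discover(broadcast_ip="255.255.255.255", timeout=2.0):
    """Broadcast a Who-Is and collect I-Am replies by sender IP. Only devices on
    this host's own Layer 2 segment (or one bridged to it) answer; routers do
    not forward the broadcast."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("", BACNET_PORT))
    sock.settimeout(timeout)
    sock.sendto(build_who_is(), (broadcast_ip, BACNET_PORT))
    found = {}
    with sock:
        while True:
            try:
                data, (ip, _) = sock.recvfrom(1500)
                info = parse_i_am(data)
            except socket.timeout:
                return found
            except ValueError:
                continue            # BVLC control messages and other non-APDU traffic
            if info:
                found[ip] = info


if __name__ == "__main__":
    print(parse_i_am(SAMPLE_I_AM))
```

Running `discover()` on a laptop that is routed, rather than bridged, into the building network returns nothing, because the Who-Is never leaves the laptop's own segment; that is the workflow failure the text describes. BACnet's own answer to routed networks is BBMD and foreign-device registration, but that has to be provisioned on the building side and is not what a technician's default discovery relies on.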
BAS protocol awareness
Secomea supports industrial protocols: Modbus, Profinet, EtherCAT, EtherNet/IP. These are factory-floor protocols. BACnet/IP — the dominant protocol in commercial building automation — is not on the list. Neither is Niagara Framework, the platform that runs on a large percentage of BAS supervisory controllers.
Protocol awareness is not just about "supporting" a protocol in the sense that traffic can pass through. It means the remote access platform understands which protocols are expected on the connection, can enforce a default-deny policy that blocks everything except those protocols, and can monitor per-protocol traffic volumes in real time. If a BACnet maintenance session suddenly generates significant HTTP traffic to an unexpected destination, the platform should flag it instantly — not after a security team reviews firewall logs days later.
Multi-protocol BAS environments
Real buildings do not run a single protocol. A typical commercial BAS environment includes BACnet/IP controllers, Modbus RTU devices on legacy equipment, and Niagara supervisory stations tying it all together. A technician troubleshooting an air handling unit may need BACnet access to the controller, HTTP access to its web interface for configuration, and Niagara access to the supervisory station — all in a single session, all through a single encrypted tunnel.
The Gartner framework does not address multi-protocol BAS environments because its primary frame of reference is single-protocol industrial environments where a PLC speaks Modbus or EtherNet/IP, not both.
Protocol-level firewall with default-deny
Gartner calls for "asset-level controls," which the Representative Vendors implement through access control lists (ACLs) that restrict which IP addresses a technician can reach. This is necessary but insufficient for BAS. A protocol-level firewall operating at the bridge layer goes further: it inspects every frame crossing the tunnel and enforces rules based on Ethernet frame type, IP protocol number, and transport port. BACnet/IP on UDP 47808 passes. SMB, RDP, SQL, FTP — dropped. Not blocked by ACL at the IP level, but dropped at the frame level before it ever reaches the building network.
Anti-exfiltration bandwidth controls
BACnet traffic is lightweight. A typical BACnet controller exchange generates less than 50 Kbps. Firmware uploads to BAS controllers peak at a few megabits. There is no legitimate reason for a BAS maintenance session to sustain high-bandwidth transfers for extended periods. Per-session bandwidth caps (configurable per building site) make bulk data extraction impractical within a time-limited session window — even through allowed protocols.
No Gartner Representative Vendor offers per-session bandwidth limiting as a security control.
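The three controls described in the sections above (per-protocol monitoring, a frame-level default-deny firewall, and a per-session bandwidth cap) fit together in one enforcement point. The following is an added example, not SiteConduit's or any vendor's code: it parses raw Ethernet/IPv4 frames, passes only ARP, BACnet/IP on UDP 47808 and HTTP to the controller subnet, keeps live per-protocol byte counters, and applies a token-bucket cap so that even allowed protocols cannot carry bulk transfers. The frames, the 10.3.0.0/24 controller subnet and the 203.0.113.10 outside host are all constructed for the example.

```python
"""Frame-level default-deny, per-protocol counters and a bandwidth cap for one
BAS remote-access session. Added example, not SiteConduit's or any vendor's
code. Frames are parsed at the Ethernet/IPv4/transport level; only BACnet/IP,
HTTP to the controller subnet and ARP pass, everything else is dropped before
it reaches the building side. Sample frames are constructed inline with zero
checksums; 10.3.0.0/24 and 203.0.113.10 are made-up addresses.
"""
import ipaddress
import struct
from collections import defaultdict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
CONTROLLER_NET = ipaddress.ip_network("10.3.0.0/24")  # assumed floor-3 BAS segment

# Allow rules: (ethertype, ip_proto, port, dst_network, label); None = any.
# Anything that matches no rule is dropped: default deny.
ALLOW_RULES = [
    (ETH_ARP, None, None, None, "arp"),                   # Layer 2 neighbour resolution
    (ETH_IPV4, IPPROTO_UDP, 47808, None, "bacnet/ip"),    # dst may be a broadcast
    (ETH_IPV4, IPPROTO_TCP, 80, CONTROLLER_NET, "http"),  # controller web UIs only
]


def parse_frame(frame):
    """Return (ethertype, ip_proto, dst_ip, sport, dport); absent fields are None."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_IPV4:
        return ethertype, None, None, None, None
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    dst_ip = ipaddress.ip_address(ip[16:20])
    l4 = ip[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        return (ethertype, proto, dst_ip) + struct.unpack("!HH", l4[:4])
    return ethertype, proto, dst_ip, None, None


def classify(frame):
    """Label of the first allow rule that matches, or None (deny)."""
    ethertype, proto, dst_ip, sport, dport = parse_frame(frame)
    for r_eth, r_proto, r_port, r_net, label in ALLOW_RULES:
        if r_eth != ethertype or (r_proto is not None and r_proto != proto):
            continue
        # Either port may match so replies pass; a real bridge tracks flow state.
        if r_port is not None and r_port not in (sport, dport):
            continue
        if r_net is not None and dst_ip not in r_net:
            continue
        return label
    return None


class SessionPolicy:
    """Enforcement for one technician session."""

    def __init__(self, bytes_per_sec, burst_bytes):
        self.rate, self.burst = bytes_per_sec, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0  # token bucket state
        self.forwarded = defaultdict(int)  # bytes per protocol label, the live view
        self.dropped = defaultdict(int)    # bytes per drop reason

    def handle(self, frame, now):
        """Return ("forward", label) or ("drop", reason) for a frame seen at time `now`."""
        label = classify(frame)
        if label is None:
            self.dropped["policy"] += len(frame)
            return "drop", "policy"
        # Refill at the capped rate, never above the burst size, then spend.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < len(frame):
            self.dropped["bandwidth"] += len(frame)
            return "drop", "bandwidth"
        self.tokens -= len(frame)
        self.forwarded[label] += len(frame)
        return "forward", label


# Constructed frames for testing: Ethernet + IPv4 + UDP/TCP, checksums zero.
def make_frame(proto, src, dst, sport, dport, payload=b""):
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal 20-byte TCP header, PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_IPV4) + ip + l4


def make_arp_frame():
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_ARP) + b"\x00" * 28


if __name__ == "__main__":
    policy = SessionPolicy(bytes_per_sec=64_000, burst_bytes=100_000)  # 512 kbit/s cap
    who_is = make_frame(IPPROTO_UDP, "10.3.0.200", "10.3.0.255", 47808, 47808,
                        bytes.fromhex("810b000c0120ffff00ff1008"))
    smb = make_frame(IPPROTO_TCP, "10.3.0.200", "10.3.0.20", 50000, 445)
    print(policy.handle(who_is, 0.0), policy.handle(smb, 0.0), dict(policy.forwarded))
```

With a 64 KB/s rate and a 100 KB burst, a Who-Is and a few HTTP requests to a controller's web page pass untouched, while a sustained transfer over the same allowed HTTP rule is throttled after roughly 100 KB and an HTTP POST to an address outside the controller subnet is dropped on the spot; `forwarded` and `dropped` are the per-protocol numbers a session dashboard would show in real time rather than reconstruct from firewall logs later.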
What this means for buying decisions
The Gartner guide is a useful starting point for evaluating CPS remote access. But if you are responsible for building automation — as an integrator, facility manager, or security professional — you need to ask questions that go beyond the Gartner framework.
When evaluating any CPS secure remote access platform for BAS environments, ask these questions:
- Does it provide Layer 2 connectivity? Can your technicians discover BACnet controllers using broadcast-based discovery, or do they need to know every controller's IP address in advance?
- Does it understand BAS protocols? Can it distinguish BACnet/IP from arbitrary UDP traffic? Can it enforce a default-deny policy at the protocol level, not just the IP level?
- Does it support multi-protocol BAS environments? Can a single session carry BACnet, HTTP (for controller web interfaces), and Niagara traffic — while blocking everything else?
- Do sessions auto-expire? Can you set a 2-hour, 8-hour, or 24-hour session window that terminates automatically? Or does the technician maintain access until someone manually revokes it?
- Can you see per-protocol traffic? When a session is active, can you see how much BACnet traffic versus HTTP traffic is flowing? Can you see this in real time, not after the fact?
- Can you kill a session in seconds? If something looks wrong, can a building owner or security team terminate the session immediately — without calling the integrator or the vendor?
- Does it include bandwidth controls? Can you cap session throughput to prevent bulk data extraction through allowed protocols?
- Does it monitor the devices 24/7? Outside of maintenance sessions, does the platform provide continuous monitoring of BAS device health, or is it access-only?
If the answer to several of these questions is "no," the platform may meet Gartner's CPS secure remote access criteria for manufacturing or utilities — but it does not meet the requirements of a building automation environment.
Where the market is heading
The Gartner guide marks a transition point. The CPS secure remote access market is moving away from generic "OT remote access" and toward domain-specific tools that understand the protocols, workflows, and operational constraints of specific CPS verticals.
In manufacturing, this means tools that understand Modbus, Profinet, and EtherCAT at a native level — which Secomea already provides. In energy and utilities, this means tools that support NERC-CIP compliance and integrate with SCADA historians. In building automation, this means tools that provide Layer 2 BACnet connectivity, multi-protocol support (BACnet, Modbus, Niagara), protocol-level firewalling, and operational controls designed around maintenance workflows rather than IT help desk models.
The current Representative Vendors in the Gartner guide are well-positioned for manufacturing and industrial use cases. But building automation is a $95.9 billion market growing at 7.9% CAGR, with an OT security segment growing even faster at 16.5% CAGR. The demand for BAS-specific remote access is not theoretical. Every commercial building with a BAS depends on third-party technician access. And the threat environment for building automation is intensifying — not slowing down.
The Gartner CPS Secure Remote Access Market Guide got the big picture right: VPNs and IT tools are not acceptable for CPS environments. The next evolution is vertical specialization — remote access platforms that are not just OT-aware but BAS-aware, protocol-aware, and built around the specific needs of the people who keep buildings running.
SiteConduit is a managed remote access and monitoring platform purpose-built for building automation. We provide Layer 2 connectivity for BACnet broadcast discovery, protocol-level firewalling with default-deny, time-limited auto-expiring sessions, per-protocol traffic monitoring, and 24/7 device health monitoring — designed specifically for BAS integrators, facility managers, and security teams who need more than what generic OT remote access provides.
Read the FAQ or join the waitlist at siteconduit.com for early access.
Hayden Barker
Founder, SiteConduit — Idea Networks Inc.
Hayden has spent over a decade designing and deploying network infrastructure for building automation environments. He built SiteConduit after seeing firsthand how traditional VPNs and remote access tools fail to meet the security and operational needs of BAS integrators and building owners.