What protocols does SiteConduit support for building automation remote access?

SiteConduit supports BACnet/IP (UDP 47808), Modbus/TCP (TCP 502), Niagara Fox (TCP 4911, 5011), HTTP/HTTPS (TCP 80, 443), and ICMP. The protocol allowlist is configurable per site, and a default-deny bridge filter blocks everything not explicitly permitted.

How does SiteConduit prevent unauthorized lateral movement on building networks?

Every session runs behind a protocol-level firewall with a default-deny bridge filter. Only approved BAS protocols are permitted. Technicians can reach their BACnet controllers and Niagara stations but cannot access file servers, printers, or IT infrastructure. Sessions are also bandwidth-limited to prevent data exfiltration.

Does SiteConduit support compliance and audit requirements?

SiteConduit generates detailed compliance reports with full session history including technician identity, session times, protocols used, and data transferred. Reports export to CSV and are designed to support industry compliance frameworks, insurance renewals, and vendor risk assessments.

How long does it take to deploy SiteConduit at a building site?

Minutes, not months. SiteConduit ships a pre-configured CPE device to your site. Your facilities team plugs it into the building automation network. The device auto-provisions via Zero Touch Provisioning with no on-site IT support required.

Can building owners terminate remote access sessions immediately?

Yes. SiteConduit provides a one-click kill switch that terminates any session in seconds. The encrypted tunnel is disabled, credentials are revoked, and the network bridge is destroyed. Bulk termination is available per-site or across all sites in your organization.

Modbus Remote Access: How to Connect Securely to Modbus Devices

Modbus is the oldest and most widely deployed industrial protocol in building automation. Designed in 1979 by Modicon for serial communication between PLCs, it predates the modern internet by over a decade. Today, Modbus runs in millions of HVAC controllers, power meters, variable frequency drives, and boiler control systems across commercial and industrial buildings worldwide.

The protocol's simplicity is its greatest strength and its most dangerous weakness. Modbus has no authentication, no encryption, and no access control. Every device on the network trusts every request. When you add remote access to that equation, you inherit all of those gaps — unless you build the right controls around it.

This guide covers what makes Modbus remote access different from IT remote access, how to secure it properly, and what to watch for when technicians are connected to your Modbus network.

Why Modbus remote access is different from IT remote access

In IT, remote access means connecting to a server that authenticates you, encrypts the session, and logs your actions. The application layer handles security. You enter a password, receive a token, and the system tracks what you do.

Modbus has none of that. When a technician sends a Modbus TCP request to a controller on port 502, the controller executes it. There is no username. There is no password. There is no session token. The controller cannot distinguish between a legitimate maintenance request and a malicious write command from a compromised laptop. It processes both identically.

This means that securing Modbus remote access cannot happen at the protocol level — it has to happen at the network level. The tunnel, the firewall, and the session controls are your entire security surface. If those are weak, the Modbus devices behind them are fully exposed.

IT remote access tools were designed for protocols that can protect themselves. Modbus cannot. That distinction drives every architectural decision in this guide.

Modbus TCP vs Modbus RTU: what remote access looks like for each

Modbus exists in two primary forms, and remote access works differently for each.

Modbus TCP

Modbus TCP runs over standard Ethernet on TCP port 502. It wraps the original Modbus frame in a TCP/IP packet with a Modbus Application Protocol (MBAP) header. Devices have IP addresses. Communication is point-to-point. This is the variant you find in newer HVAC controllers, intelligent power meters, and modern building automation gateways.

Remote access to Modbus TCP devices requires IP connectivity to the building network. The technician needs to reach port 502 on the target device. In principle, this could be a simple TCP port forward — but that approach exposes the device directly to the internet with zero authentication. A proper remote access setup uses an encrypted tunnel that places the technician on the same network segment as the Modbus TCP devices, with a protocol firewall that restricts traffic to port 502 only.

Modbus RTU

Modbus RTU is the original serial variant. It runs over RS-485 or RS-232 at baud rates typically between 9,600 and 115,200. You find it in older HVAC controls, standalone VFDs, legacy boiler controllers, and many power meters still installed today. There are no IP addresses — devices are identified by a unit ID (1-247) on the serial bus.

Remote access to Modbus RTU requires a serial-to-Ethernet gateway at the building site. This gateway converts between Modbus RTU on the serial side and Modbus TCP on the Ethernet side, mapping each RTU device's unit ID to the gateway's IP address. The remote technician then connects to the gateway via Modbus TCP, and the gateway translates each request back to RTU for the serial bus.

From a remote access perspective, this means Modbus RTU sessions ultimately look like Modbus TCP sessions once the gateway is in place. The security considerations are the same: encrypted tunnel, protocol firewall on TCP 502, session limits, and traffic monitoring. The gateway simply bridges the physical gap between serial and IP.

The security challenge: Modbus has no native authentication or encryption

Modbus was created in 1979 for serial PLCs in controlled factory environments. The threat model was simple: if you had physical access to the RS-485 bus, you were authorized. There was no concept of remote access, no internet, and no adversary model beyond a disconnected cable.

Forty-seven years later, that same protocol controls critical building systems — and its security model has not changed. Here is what Modbus TCP lacks:

No authentication — any device that can reach port 502 can read registers, write coils, and reconfigure the controller. There is no credential check.
No encryption — all Modbus TCP traffic is plaintext. Register values, write commands, and diagnostic data are visible to anyone who can capture packets on the network.
No access control — Modbus has no concept of read-only vs. read-write users. A technician checking a temperature sensor has the same access as someone rewriting the controller's holding registers.
No integrity checking — beyond a basic CRC in Modbus RTU (which prevents transmission errors, not tampering), there is no mechanism to detect modified or injected commands.

The BAS cybersecurity threat environment in 2026 includes targeted attacks against building automation protocols. Modbus is particularly vulnerable because its simplicity makes it easy to reverse-engineer and exploit. A single malicious write to a holding register can change a setpoint, disable a safety interlock, or shut down a VFD — and the controller will comply without question.

This is not a theoretical risk. CISA has published multiple advisories about Modbus-based attacks on building and industrial control systems. When you provide remote access to Modbus devices, every gap in your tunnel, firewall, or session management becomes a direct path to unauthenticated control of physical equipment.

How to secure Modbus remote sessions

Since Modbus cannot protect itself, every layer of security must be applied externally. A properly secured Modbus remote access session has three components: an encrypted tunnel, a protocol firewall, and session controls.

Encrypted tunnels

All Modbus traffic between the remote technician and the building network must travel through an encrypted tunnel. This prevents packet capture, man-in-the-middle attacks, and eavesdropping on plaintext Modbus commands. The tunnel should provide strong encryption (AES-256 or equivalent) and authenticate both endpoints before any Modbus traffic flows.

The tunnel also solves a practical problem: most building networks sit behind NAT or cellular connections with no public IP. The encrypted tunnel creates a persistent outbound connection from the building's CPE device to a cloud relay, which the technician connects to from the other side. No inbound firewall rules needed on the building network.

Protocol firewalling on TCP 502

An encrypted tunnel alone is not enough. If the tunnel allows all traffic, the technician has unrestricted access to the building network — the same problem as a persistent VPN. A protocol firewall restricts the tunnel to only the traffic that Modbus maintenance requires.

For Modbus remote access, a default-deny protocol firewall should allow:

Modbus TCP (TCP 502) — the core protocol, both directions
HTTP/HTTPS (TCP 80, 443) — for web-based configuration interfaces on modern Modbus gateways and controllers
ICMP — for ping-based diagnostics and device reachability checks
ARP — required for Layer 2 address resolution on the local network
Everything else — dropped silently

This means no SMB file sharing, no RDP, no SQL, no FTP, no SSH — nothing that is not explicitly required for Modbus maintenance. The technician can read and write Modbus registers, access controller web interfaces, and run basic network diagnostics. They cannot pivot to other systems on the building network.

Session limits and auto-expiry

Modbus maintenance sessions are typically short: a technician checks a power meter's configuration, adjusts a VFD's parameters, or troubleshoots a controller fault. There is no reason for a Modbus session to persist for days or weeks.

Time-limited sessions (2 to 24 hours, configurable per site) eliminate the standing-access problem. When the session expires, the tunnel drops. The technician must request a new session to reconnect. No credentials to revoke, no VPN profiles to hunt down, no SSH keys to rotate. Access is temporary by design.

Monitoring Modbus traffic: what to watch and why

Because Modbus has no native audit trail, your monitoring layer is the only record of what happened during a remote session. Without it, you are blind to what the technician did — and you cannot answer the questions that auditors, insurers, and compliance frameworks will ask.

Effective Modbus session monitoring should track:

Per-protocol traffic volume — how much data flowed over TCP 502 vs. HTTP vs. ICMP. Modbus maintenance generates modest traffic: 10-50 Kbps of register reads and writes. If a session generates megabytes of Modbus traffic, something unusual is happening.
Session duration and termination reason — did the session expire on schedule, did the technician disconnect, or did the building owner terminate it early? Each tells a different story.
Bandwidth utilization — a sudden spike above the expected baseline may indicate data exfiltration through the allowed protocol or an automated scanning tool running against the Modbus devices.
Blocked traffic attempts — if the technician's machine is generating SMB, RDP, or DNS traffic that the protocol firewall is dropping, that is worth investigating. It may be innocent background OS traffic, or it may indicate a compromised endpoint.

SiteConduit records per-protocol traffic accounting every 60 seconds for every active session. Building owners and security teams can view this data in real time during a session or pull historical compliance reports after the fact. If a Modbus session generates unexpected traffic patterns, the session can be terminated in seconds — not hours or days later when someone reviews a log file.

Bandwidth caps add a second layer of protection. Modbus traffic is lightweight. A 10 Mbps cap per session (configurable per site) is generous for legitimate maintenance but makes bulk data extraction impractical within a time-limited window.

Common Modbus remote access use cases in BAS

Modbus is everywhere in building automation. Here are the most common scenarios where integrators and facility teams need secure remote Modbus access.

HVAC controllers

Many commercial HVAC systems use Modbus TCP or RTU for communication between the building automation controller and field devices — air handling units, rooftop units, fan coil units, and zone controllers. Technicians need remote access to read temperature and humidity registers, adjust setpoints, modify PID loop parameters, and troubleshoot fault codes. A typical HVAC Modbus session involves reading and writing 20-50 holding registers across a handful of controllers.

Power meters and energy monitoring

Modbus is the dominant protocol for commercial power metering. Meters from manufacturers like Schneider Electric (ION series), Eaton, and Siemens expose voltage, current, power factor, energy consumption, and harmonic data through Modbus registers. Remote access lets energy managers and commissioning engineers verify meter configurations, pull historical readings, and troubleshoot communication faults without a truck roll.

Variable frequency drives

VFDs that control pumps, fans, and compressors in commercial buildings commonly expose Modbus RTU on their RS-485 communication ports. Technicians need remote access to check operating parameters (speed, torque, current draw), adjust acceleration/deceleration ramps, clear fault conditions, and update configuration after a mechanical change. A misconfigured VFD can damage equipment or cause building comfort complaints — remote Modbus access lets the integrator respond in minutes rather than scheduling a site visit.

Boiler and chiller controls

Central plant equipment — boilers, chillers, cooling towers — frequently uses Modbus for supervisory control and monitoring. Remote access enables technicians to check firing rates, supply and return temperatures, safety interlocks, and alarm conditions. During heating season, a boiler fault at 2 AM needs immediate diagnosis. Remote Modbus troubleshooting can determine whether the issue requires an emergency dispatch or can wait until morning.

Building automation gateways

Many buildings run a mix of Modbus, BACnet, and proprietary protocols. Gateways that translate between these protocols often expose a Modbus TCP interface for configuration and monitoring. Remote access to these gateways allows integrators to verify point mappings, check communication statistics, and troubleshoot translation errors between protocol domains.

Setting up Modbus remote access with protocol-level controls

The right approach to Modbus remote access combines all the security layers discussed above into a deployment that is simple enough for any building site. Here is what that looks like in practice with SiteConduit.

At the building site

A small CPE device ships to the building, pre-configured for that site's network. The facilities team plugs it into the Modbus network segment — either directly to the Modbus TCP switch or through a serial-to-Ethernet gateway for RTU devices. The device auto-provisions through Zero Touch Provisioning. No on-site IT required, no firewall rules to configure, no VPN profiles to set up.

The CPE device establishes an encrypted outbound connection to SiteConduit's cloud infrastructure. This works over any internet path: broadband, LTE cellular, or satellite. Many remote building sites depend on cellular, and the encrypted tunnel is designed to handle the latency and packet loss that come with those connections.

For the technician

When a Modbus maintenance session is needed, the building owner or site administrator approves a time-limited session through the SiteConduit platform. The technician receives a session file and connects using a lightweight desktop app. Within seconds, they have Layer 2 connectivity to the building's Modbus network — their workstation appears on the same network segment as the Modbus TCP devices.

The protocol firewall is active from the moment the tunnel comes up. Only Modbus TCP (port 502), HTTP/HTTPS, ICMP, and ARP are permitted. The technician opens their Modbus polling software, connects to the target devices, and performs their maintenance. When the session window expires, the tunnel drops automatically.

For the building owner

During the session, the building owner has full visibility. Real-time traffic monitoring shows exactly which protocols the technician is using and how much data is flowing. Per-protocol accounting is updated every 60 seconds. If the session needs to end early, one click terminates it immediately.

After the session, a compliance-ready audit report is available showing who connected, when, for how long, which protocols were used, total data transferred, and how the session ended. This record satisfies the audit trail requirements that insurance providers, compliance frameworks, and risk teams increasingly demand for OT network access.

What this approach eliminates

No persistent VPN credentials to manage or revoke
No standing access between maintenance sessions
No unrestricted network connectivity for the technician
No blind spots in who accessed what and when
No dependence on the technician's own security practices

The bottom line

Modbus is not going away. Despite being nearly five decades old, it remains the most widely deployed industrial protocol in building automation. HVAC controllers, power meters, VFDs, and boiler controls will continue to speak Modbus for years to come.

Remote access to these devices is a necessity — building owners cannot afford a truck roll every time a technician needs to check a register value or adjust a setpoint. But Modbus's complete lack of native security means that the remote access layer must compensate for everything the protocol does not provide.

That means encrypted tunnels, not plaintext connections. Protocol firewalls on TCP 502, not open network access. Time-limited sessions, not persistent credentials. Per-protocol traffic monitoring, not blind trust. And compliance-ready audit trails, not empty log files.

The technician gets the access they need to do their job. The building owner gets the controls and visibility they require. The security team gets evidence that access was scoped, monitored, and temporary. That is what Modbus remote access should look like in 2026.

SiteConduit is a managed remote access and monitoring platform purpose-built for building automation. We provide time-limited, protocol-restricted, fully audited remote access for Modbus, BACnet, and Niagara environments — plus 24/7 device monitoring — for BAS integrators, facility managers, and security teams.

Read the FAQ or join the waitlist at siteconduit.com for early access.