If you have a BAS integrator who is technically savvy, there is a reasonable chance they have tried connecting to building networks using Tailscale or ZeroTier. These mesh VPN platforms are fast to set up, inexpensive, and require no firewall port forwarding. Compared to wrestling with a traditional VPN concentrator, Tailscale or ZeroTier can feel like a revelation.
But building automation remote access is not a networking problem. It is a security and compliance problem. And that is where mesh VPNs — designed for software developers and IT infrastructure — leave gaps that matter.
Why tech-savvy integrators reach for mesh VPNs
The appeal is obvious:
- No port forwarding: Tailscale and ZeroTier use NAT traversal to establish peer-to-peer connections without opening inbound firewall ports. For integrators who fight IT departments for firewall changes, this alone is worth the price.
- Free tiers: ZeroTier offers a free plan for up to 10 devices and 3 networks. Tailscale's free tier covers personal use. For a small integrator with a handful of building sites, the cost is zero.
- Simple setup: Install the client, join the network, and you have connectivity. No certificates to manage, no complex configuration files, no VPN concentrators to maintain.
- Encryption: Both platforms encrypt all traffic. Tailscale uses a well-regarded encrypted tunnel protocol. ZeroTier uses its own end-to-end encryption layer.
For connecting to development servers, home labs, and IT infrastructure, these tools are excellent. The question is whether they meet the requirements for accessing physical building systems.
What mesh VPNs get right
Credit where it is due. Tailscale and ZeroTier solve real problems:
- Encrypted connectivity without infrastructure: No VPN server, no hardware, no firewall rules. The connection is encrypted end-to-end.
- Peer-to-peer performance: Traffic goes directly between endpoints (when possible), avoiding a central chokepoint. Latency is often lower than hub-and-spoke VPNs.
- Identity-based access (Tailscale): Tailscale integrates with SSO providers (Google, Microsoft, Okta) for identity-aware network access. This is better than shared VPN credentials.
- Layer 2 Ethernet emulation (ZeroTier): ZeroTier can create Layer 2 overlay networks, which could technically carry BACnet broadcast traffic. This is a notable capability that most VPNs lack.
What they miss for building automation
No protocol awareness
Neither Tailscale nor ZeroTier understands what traffic is flowing through the connection. They cannot distinguish BACnet (UDP 47808) from SSH, SMB, or SQL traffic. Every protocol passes equally. There is no way to restrict a session to only BACnet and Modbus while blocking everything else.
This matters because 70% of OT security incidents involve third-party access, according to Dragos. An integrator who accidentally browses the network or whose machine is compromised has the same unrestricted access as a deliberate attacker.
No session time limits
Tailscale and ZeroTier connections are persistent. Once a device joins the network, it stays connected until someone explicitly removes it. There is no concept of a 4-hour maintenance window that auto-expires.
For BAS remote access, standing access is the primary risk. A technician who connected three months ago to troubleshoot a chiller may still have a live network connection to the building. Mesh VPNs offer no mechanism for automatic session expiry.
No per-protocol traffic monitoring
Neither platform provides visibility into what protocols are being used during a session. Tailscale shows connection status (online/offline) and bytes transferred. ZeroTier provides basic network statistics. Neither reports that "the technician used 14 MB of BACnet traffic and 200 KB of ICMP over a 3-hour session."
Without per-protocol monitoring, there is no way to verify that a maintenance session was limited to its intended purpose. The auditor has to take the integrator's word for it.
No audit trail for compliance
When your auditor, cyber insurer, or risk team asks "who accessed the building automation network, when, using which protocols, and for how long?" — Tailscale and ZeroTier cannot produce that report. They track device connectivity, not session-level access with protocol details.
NIST 800-82, IEC 62443, and most cyber insurance questionnaires require session-level audit trails for remote access to OT systems. A mesh VPN that shows "device was connected from 8am to 5pm" does not meet this requirement.
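The four gaps above (no protocol restriction, no session expiry, no per-protocol accounting, no session-level audit record) are easier to reason about when written down as one policy. The following is an added example, not SiteConduit's code and not anything Tailscale or ZeroTier ships: a small Python session policy that applies a default-deny allowlist of OT protocols to flow records, closes the session when its maintenance window ends, and produces the per-session report an auditor would ask for. The allowlist (BACnet/IP on UDP 47808, Modbus/TCP on TCP 502), the flow records, the timestamps and the technician and site names are all constructed for illustration.

```python
"""Added example (not SiteConduit, Tailscale or ZeroTier code): a session-scoped,
default-deny protocol policy with per-protocol accounting and an audit record.

It models the controls the text says mesh VPNs lack: a time-boxed maintenance
window, an allowlist of OT protocols, and a per-session report of which
protocols were used, how much, and why the session ended. All input below is
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Protocol classification by transport and well-known destination port.
# Assumed allowlist for a maintenance session: BACnet/IP and Modbus/TCP only.
PROTOCOLS = {
    ("udp", 47808): "bacnet",
    ("tcp", 502): "modbus",
    ("tcp", 445): "smb",
    ("tcp", 3389): "rdp",
    ("tcp", 22): "ssh",
}
ALLOWED = {"bacnet", "modbus"}


def classify(transport: str, port: int) -> str:
    """Map a transport/port pair to a protocol name; unknown pairs are 'other'."""
    if transport == "icmp":
        return "icmp"
    return PROTOCOLS.get((transport, port), "other")


@dataclass
class Session:
    technician: str
    site: str
    start: datetime
    max_duration: timedelta
    bytes_by_protocol: dict = field(default_factory=dict)
    denied: list = field(default_factory=list)
    ended_at: Optional[datetime] = None
    end_reason: Optional[str] = None

    def expired(self, now: datetime) -> bool:
        return now - self.start >= self.max_duration

    def end(self, now: datetime, reason: str) -> None:
        """Close the session once; later flows are dropped. Also the 'kill switch'."""
        if self.ended_at is None:
            self.ended_at = now
            self.end_reason = reason

    def handle_flow(self, now: datetime, transport: str, dst_port: int, nbytes: int) -> bool:
        """Apply the policy to one flow record. Returns True if the flow is forwarded.

        Flows after the window closes end the session with reason 'expired' and are
        dropped; flows for protocols outside the allowlist are logged and dropped
        (default deny); allowed flows are counted per protocol.
        """
        if self.ended_at is not None:
            return False
        if self.expired(now):
            self.end(now, "expired")
            return False
        proto = classify(transport, dst_port)
        if proto not in ALLOWED:
            self.denied.append((now, proto, dst_port))
            return False
        self.bytes_by_protocol[proto] = self.bytes_by_protocol.get(proto, 0) + nbytes
        return True

    def audit_record(self) -> dict:
        """The session-level record: who, where, when, how long, which protocols, why it ended."""
        end = self.ended_at or self.start + self.max_duration
        return {
            "technician": self.technician,
            "site": self.site,
            "start": self.start.isoformat(),
            "end": end.isoformat(),
            "duration_minutes": int((end - self.start).total_seconds() // 60),
            "end_reason": self.end_reason,
            "bytes_by_protocol": dict(self.bytes_by_protocol),
            "denied_attempts": len(self.denied),
        }


# Constructed flow log: (minutes after session start, transport, dst port, bytes).
SAMPLE_FLOWS = [
    (1, "udp", 47808, 1200),          # Who-Is / I-Am discovery
    (5, "udp", 47808, 14_000_000),    # controller browsing
    (20, "tcp", 502, 80_000),         # Modbus register reads
    (30, "icmp", 0, 200_000),         # not on the allowlist: dropped and logged
    (45, "tcp", 445, 5_000),          # SMB: dropped and logged
    (250, "udp", 47808, 900),         # after the 4-hour window: dropped, session ends
]


def run_sample() -> dict:
    start = datetime(2024, 1, 15, 8, 0)  # constructed timestamp
    s = Session("tech@integrator.example", "site-42", start, timedelta(hours=4))
    for minutes, transport, port, nbytes in SAMPLE_FLOWS:
        s.handle_flow(start + timedelta(minutes=minutes), transport, port, nbytes)
    return s.audit_record()


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

Running it prints the record for the constructed session: about 14 MB of BACnet and 80 KB of Modbus forwarded, two denied attempts (ICMP and SMB), and an end reason of "expired" at the 4-hour mark. The same `end()` method is what an operator's kill switch would call with a reason such as "terminated by admin", which is the "what caused it to end" field a mesh VPN's connected/disconnected status cannot supply.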
No device monitoring
Tailscale and ZeroTier are connectivity platforms. They do not monitor the health, uptime, or status of devices on the remote network. There is no alerting when a BACnet controller goes offline, no LTE signal quality monitoring for cellular-connected sites, and no proactive notifications.
No multi-tenant management
An integrator managing 30 client sites needs per-client isolation — no cross-site access, individual technician authentication, client-specific session policies. Tailscale's ACLs can partially achieve this, but it requires manual policy management for each site. ZeroTier's network isolation provides some boundary, but there is no centralized multi-tenant management console designed for the integrator workflow.
ZeroTier's Layer 2: close but not secure enough
ZeroTier deserves special attention because it provides Layer 2 Ethernet emulation. In theory, a ZeroTier Layer 2 network could carry BACnet broadcast traffic, allowing Who-Is/I-Am discovery to work remotely.
In practice, there are significant limitations for BAS use:
- No protocol-level filtering: ZeroTier's Layer 2 network passes all Ethernet frames. There is no bridge filter, no default-deny policy, and no way to restrict the connection to BACnet and Modbus while blocking SMB, RDP, and other protocols.
- No bandwidth limiting: Without traffic shaping, a compromised session could exfiltrate data at full link speed through the Layer 2 tunnel.
- No session management: ZeroTier networks are persistent. There is no session window, no auto-expiry, and no one-click kill switch.
- Requires client on BAS network: To bridge a ZeroTier network to the physical BAS network, a device on the building network must run the ZeroTier client and act as a bridge. This device must be managed, updated, and secured — an ongoing responsibility.
ZeroTier's Layer 2 capability is a building block, not a finished product for OT remote access. It provides the raw connectivity but none of the security controls that building automation environments require.
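The first missing control in the list above, a bridge filter with a default-deny policy, is worth seeing concretely. The following is an added example, not ZeroTier's or SiteConduit's code: a Python decision function that parses a raw Ethernet frame only as far as needed to tell whether it carries ARP, BACnet/IP (UDP 47808) or Modbus/TCP (TCP 502), and drops everything else, including malformed frames. ARP is kept on the allowlist because IPv4 on a Layer 2 bridge cannot work without it; that allowlist, the MAC and IP addresses and the sample frames are all constructed for illustration. A real bridge would apply the same decision in its forwarding path.

```python
"""Added example (not ZeroTier or SiteConduit code): a default-deny Layer 2
bridge filter for a BAS maintenance bridge.

Each frame is parsed just enough (Ethernet II, IPv4, first four bytes of
TCP/UDP) to classify it. Only ARP, BACnet/IP and Modbus/TCP are forwarded;
anything unknown, unexpected or malformed is dropped. Frames are constructed
below for illustration.
"""
import struct

ETH_ARP = 0x0806
ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
# Assumed allowlist: ARP (required for IPv4 to function on the bridge),
# BACnet/IP on UDP 47808 and Modbus/TCP on TCP 502.
ALLOWED_L4 = {(IPPROTO_UDP, 47808): "bacnet", (IPPROTO_TCP, 502): "modbus"}


def decode_frame(frame: bytes) -> dict:
    """Return the fields the filter needs. Malformed frames are labelled so
    they fall through to the deny rule instead of raising."""
    if len(frame) < 14:
        return {"kind": "malformed"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return {"kind": "arp"}
    if ethertype != ETH_IPV4:
        return {"kind": "other-ethertype", "ethertype": ethertype}
    ip = frame[14:]
    if len(ip) < 20:
        return {"kind": "malformed"}
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, honours IP options
    proto = ip[9]
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(l4) < 4:
            return {"kind": "malformed"}
        sport, dport = struct.unpack("!HH", l4[:4])   # same layout for TCP and UDP
        return {"kind": "ipv4", "proto": proto, "dst": dst, "sport": sport, "dport": dport}
    return {"kind": "ipv4", "proto": proto, "dst": dst}


def bridge_decision(frame: bytes) -> tuple:
    """Default deny: return (forward?, label). Only explicit matches forward."""
    f = decode_frame(frame)
    if f["kind"] == "arp":
        return True, "arp"
    if f["kind"] == "ipv4" and "dport" in f:
        # Either direction of an allowed service counts: request to the
        # service port, or reply coming from it.
        for port in (f["dport"], f["sport"]):
            name = ALLOWED_L4.get((f["proto"], port))
            if name:
                return True, name
    return False, f["kind"]


def build_frame(ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: broadcast destination, constructed source MAC."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload


def build_ipv4(proto: int, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus L4 ports and payload."""
    src = bytes([10, 0, 0, 5])                       # constructed technician address
    dst_b = bytes(int(x) for x in dst.split("."))
    total = 20 + 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst_b)
    return hdr + struct.pack("!HH", sport, dport) + payload


# Constructed sample frames covering the allowed protocols, a denied one,
# a non-IPv4 ethertype and a truncated frame.
SAMPLE_FRAMES = {
    "who-is broadcast": build_frame(ETH_IPV4, build_ipv4(IPPROTO_UDP, "10.0.0.255", 47808, 47808, b"\x81\x0b")),
    "modbus read": build_frame(ETH_IPV4, build_ipv4(IPPROTO_TCP, "10.0.0.20", 51000, 502, b"")),
    "arp request": build_frame(ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    "smb": build_frame(ETH_IPV4, build_ipv4(IPPROTO_TCP, "10.0.0.20", 51001, 445, b"")),
    "ipv6": build_frame(0x86DD, b"\x60" + b"\x00" * 39),
    "truncated": b"\xff" * 10,
}


def filter_all() -> dict:
    """Apply the bridge decision to every sample frame."""
    return {name: bridge_decision(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (forward, label) in filter_all().items():
        print(f"{name:18s} {'FORWARD' if forward else 'DROP':8s} {label}")
```

The point of the sample set is the two frames that are not obviously "bad": the IPv6 frame and the truncated one are dropped not because a rule names them but because nothing names them, which is what default deny means on a bridge. A filter built the other way round (block SMB, block RDP, pass the rest) would forward both.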
The compliance gap
When your auditor evaluates your BAS remote access, they will ask questions that Tailscale and ZeroTier cannot answer:
- "Can you show me which protocols each technician used during their session?" — No. Mesh VPNs do not track protocol-level activity.
- "How long was each remote access session, and what caused it to end?" — Partially. They show connection time, but sessions do not have defined windows or termination reasons.
- "Is remote access restricted to only the protocols needed for maintenance?" — No. All protocols pass through the encrypted tunnel.
- "Can you terminate a session in progress if you detect anomalous behavior?" — Only by removing the device from the network, which is not instant and requires admin access to the mesh VPN dashboard.
- "Is access time-limited with no standing privileges?" — No. Connections are persistent by design.
When mesh VPNs work and when they do not
Mesh VPNs are fine for:
- Internal IT access between your own devices.
- Connecting your laptop to your home lab.
- Developer access to staging servers.
- Situations where all devices are under your control and compliance requirements are minimal.
Mesh VPNs are not sufficient for:
- Third-party access to building automation systems.
- Multi-site integrator management.
- Environments subject to NIST 800-82, IEC 62443, or cyber insurance requirements.
- Any scenario where you need per-protocol visibility, session limits, and compliance-ready audit trails.
The price difference between a free mesh VPN and a purpose-built BAS remote access platform is real. But the cost of a BAS security incident — Johnson Controls spent $27M cleaning up their ransomware attack — makes that price difference irrelevant.
SiteConduit provides purpose-built remote access for building automation: Layer 2 connectivity, protocol firewalling with default-deny, time-limited sessions, per-protocol traffic monitoring, and compliance-ready audit trails. Built for BAS integrators managing multiple client sites.
Join the waitlist for early access, or visit our FAQ for details.
Hayden Barker
Founder, SiteConduit — Idea Networks Inc.
Hayden has spent over a decade designing and deploying network infrastructure for building automation environments. He built SiteConduit after seeing firsthand how traditional VPNs and remote access tools fail to meet the security and operational needs of BAS integrators and building owners.