Your building has HVAC controllers, lighting panels, energy meters, and access control systems all sitting on the same network as corporate email and accounting software. One compromised BACnet controller — and the attacker has a path to your finance database. This is not a theoretical risk. It is the documented reality in a majority of commercial buildings.
VLAN segmentation fixes this by isolating building automation systems from corporate IT traffic. But doing it wrong — breaking BACnet discovery, cutting off vendor remote access, or over-segmenting into a management nightmare — is almost as common as not segmenting at all. This guide covers how to design VLANs specifically for BAS environments, with protocol-port mappings, firewall rules, and remote access considerations.
Why VLANs matter for building automation
VLAN segmentation serves three purposes in a BAS environment:
- Isolation: A compromised HVAC controller cannot reach corporate systems if the BAS network is on a separate VLAN with firewall rules blocking cross-VLAN traffic to IT subnets.
- Compliance: NIST 800-82, IEC 62443, and ASHRAE's BACnet security guidance all require network separation between OT and IT systems. Many cyber insurance policies now mandate it.
- Reduced blast radius: If ransomware hits your corporate network, building systems continue operating on their isolated VLAN. The reverse is also true — a BAS-targeted attack stays contained.
VLAN design for BAS: which systems get their own VLAN
The level of segmentation depends on the building size and risk tolerance. Here are three approaches, from minimum to maximum segmentation:
Minimum: one BAS VLAN
All building automation devices — HVAC, lighting, metering, fire alarm, access control — on a single VLAN, separate from corporate IT. This is the simplest approach and addresses the primary risk (IT/OT separation). It is appropriate for smaller buildings with a single integrator.
Recommended: segmented by system type
- VLAN 100: HVAC — BACnet/IP controllers, Modbus HVAC devices, rooftop units, chillers, AHUs
- VLAN 110: Lighting — Lighting controllers, DALI gateways, occupancy sensors
- VLAN 120: Metering — Power meters, water meters, gas meters (Modbus TCP)
- VLAN 130: Access control and fire — Card readers, fire alarm panels, elevator controls
- VLAN 140: BAS management — Supervisory controllers (JACEs, Niagara supervisors), BAS servers, head-end workstations
This structure isolates systems by function while keeping the number of VLANs manageable. The BAS management VLAN communicates with all other BAS VLANs through controlled firewall rules.
Maximum: per-vendor or per-floor segmentation
Large campuses with multiple buildings and multiple integrators may segment further — per vendor, per floor, or per building. This provides the finest-grained access control but increases management complexity. Only pursue this level if you have the staff and tools to maintain the firewall rules.
Protocol-port reference table
When writing firewall rules between BAS VLANs, these are the protocols and ports you need to allow:
- BACnet/IP: UDP 47808 (both directions). Required for device discovery (WHO-IS/I-AM) and all BACnet communication.
- Modbus TCP: TCP 502. Used by energy meters, VFDs, and many HVAC controllers.
- Niagara FOX: TCP 1911 (unencrypted) and TCP 4911 (TLS). Used by Niagara Workbench to connect to JACE controllers.
- HTTPS: TCP 443. Controller web interfaces for configuration and status.
- HTTP: TCP 80. Legacy controller web interfaces (many BACnet controllers still use unencrypted HTTP).
- NTP: UDP 123. Time synchronization — critical for audit logs and scheduled operations.
- DNS: UDP/TCP 53. Name resolution if controllers use hostnames.
- ICMP: Allow ping for network diagnostics.
- BACnet/SC: TCP 443 (WebSocket upgrade with TLS). The newer BACnet Secure Connect standard uses TLS-encrypted WebSocket connections.
Inter-VLAN firewall rules
The default rule for all inter-VLAN traffic should be deny. Then add specific allow rules:
BAS management VLAN to HVAC VLAN
- Allow UDP 47808 (BACnet/IP) — both directions
- Allow TCP 502 (Modbus) — initiated from management
- Allow TCP 443, 80 (HTTPS/HTTP) — initiated from management
- Allow ICMP
- Deny all else
BAS management VLAN to metering VLAN
- Allow TCP 502 (Modbus) — initiated from management
- Allow TCP 443, 80 (HTTPS/HTTP) — initiated from management
- Allow ICMP
- Deny all else
Corporate IT VLAN to any BAS VLAN
- Deny all. No direct path from corporate IT to BAS. Remote access goes through a managed access platform, not through a corporate firewall rule.
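The rule list above encoded as data, with an evaluator that answers whether a given flow is permitted. This is an added example, not configuration from the article: the VLAN names (bas-mgmt, hvac, metering, corp-it) and the sample flows are constructed, and the evaluator models the article's "initiated from management" and "both directions" semantics rather than any particular firewall's syntax.

```python
# Added example (not from the article): the inter-VLAN allow list above as
# data, plus an evaluator answering "may src open this flow to dst?".
# VLAN names and sample flows are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str                    # VLAN allowed to initiate the connection
    dst: str                    # VLAN being reached
    proto: str                  # "udp", "tcp" or "icmp"
    port: Optional[int] = None  # None for ICMP
    both_ways: bool = False     # "both directions": dst may initiate too

# Default deny, then the article's explicit allows. Nothing names
# corp-it, so every corporate-to-BAS flow falls through to deny.
RULES = [
    Rule("bas-mgmt", "hvac", "udp", 47808, both_ways=True),  # BACnet/IP
    Rule("bas-mgmt", "hvac", "tcp", 502),                    # Modbus TCP
    Rule("bas-mgmt", "hvac", "tcp", 443),                    # HTTPS
    Rule("bas-mgmt", "hvac", "tcp", 80),                     # legacy HTTP
    Rule("bas-mgmt", "hvac", "icmp"),
    Rule("bas-mgmt", "metering", "tcp", 502),
    Rule("bas-mgmt", "metering", "tcp", 443),
    Rule("bas-mgmt", "metering", "tcp", 80),
    Rule("bas-mgmt", "metering", "icmp"),
]

def evaluate(src: str, dst: str, proto: str, port: Optional[int] = None) -> str:
    """Return "allow" or "deny" for a connection initiated by src toward dst."""
    for r in RULES:
        if r.proto != proto or r.port != port:
            continue
        if (r.src, r.dst) == (src, dst):
            return "allow"
        if r.both_ways and (r.dst, r.src) == (src, dst):
            return "allow"
    return "deny"  # the default rule for everything unmatched

def audit(flows):
    """Evaluate (src, dst, proto, port) tuples; returns {flow: verdict}."""
    return {f: evaluate(*f) for f in flows}

if __name__ == "__main__":
    sample = [
        ("bas-mgmt", "hvac", "udp", 47808),      # supervisor polls BACnet
        ("hvac", "bas-mgmt", "udp", 47808),      # controller I-Am reply path
        ("hvac", "bas-mgmt", "tcp", 502),        # controller must not start Modbus
        ("corp-it", "hvac", "icmp", None),       # checklist: corporate ping fails
        ("bas-mgmt", "metering", "udp", 47808),  # no BACnet on metering VLAN
    ]
    for flow, verdict in audit(sample).items():
        print(f"{verdict:5} {flow}")
```

Running the same flows against the real firewall (ping, a Modbus read, a BACnet Who-Is) and comparing the outcomes with this table is a quick way to catch a rule that was written but not applied.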
BACnet broadcast handling
BACnet/IP uses broadcast for device discovery. Once BACnet devices are split across VLANs, those broadcasts no longer cross the VLAN boundary, so a supervisor on one VLAN cannot discover controllers on another. You have two options:
- Configure BBMDs on each BACnet VLAN to forward broadcasts between subnets (see our BACnet remote access guide for protocol details)
- Keep all BACnet/IP devices on one VLAN and segment other systems (Modbus, lighting) onto separate VLANs
For most buildings, keeping all BACnet/IP devices on a single VLAN (separate from IT) is the practical choice. It avoids BBMD complexity while achieving the primary goal of IT/OT separation.
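What the BBMD option changes on the wire, as an added example that is not from the article: it builds the Who-Is frame a controller broadcasts on its own VLAN, the Forwarded-NPDU a BBMD emits on the far VLAN, and a decoder for either, which is also handy when checking a packet capture during the discovery test in the verification checklist. The source IP and port values are constructed; the function codes and layout follow the BACnet/IP (Annex J) BVLC encoding, and the decoder assumes a plain two-byte NPDU header with no routing fields.

```python
# Added example (not from the article): the BACnet/IP frames behind device
# discovery, and what a BBMD prepends when it relays a broadcast across a
# VLAN boundary. IP addresses below are constructed sample values.
import struct
from typing import Optional

BVLC_TYPE = 0x81
ORIGINAL_BROADCAST_NPDU = 0x0B   # sent by a device on its own subnet
FORWARDED_NPDU = 0x04            # sent by a BBMD relaying that broadcast
BACNET_PORT = 47808              # 0xBAC0

def encode_ctx_unsigned(tag: int, value: int) -> bytes:
    """Context-tagged unsigned integer, minimal length (1..4 bytes)."""
    data = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return bytes([(tag << 4) | 0x08 | len(data)]) + data

def who_is_npdu(low: Optional[int] = None, high: Optional[int] = None) -> bytes:
    """NPDU + APDU for an unconfirmed Who-Is, optionally with an instance range."""
    npdu = bytes([0x01, 0x20])   # version 1, "expecting reply", no routing fields
    apdu = bytes([0x10, 0x08])   # unconfirmed request, service choice Who-Is
    if low is not None and high is not None:
        apdu += encode_ctx_unsigned(0, low) + encode_ctx_unsigned(1, high)
    return npdu + apdu

def bvlc(function: int, payload: bytes) -> bytes:
    """BVLC header: type, function, total length including the 4-byte header."""
    return struct.pack("!BBH", BVLC_TYPE, function, 4 + len(payload)) + payload

def original_broadcast(npdu: bytes) -> bytes:
    """What a controller puts on the wire; it stays inside its own VLAN."""
    return bvlc(ORIGINAL_BROADCAST_NPDU, npdu)

def bbmd_forward(src_ip: str, npdu: bytes, src_port: int = BACNET_PORT) -> bytes:
    """What a BBMD emits on the far VLAN: the originator's B/IP address
    (4-byte IP + 2-byte port) is prepended so devices there reply by unicast."""
    addr = bytes(int(o) for o in src_ip.split(".")) + struct.pack("!H", src_port)
    return bvlc(FORWARDED_NPDU, addr + npdu)

def parse(frame: bytes) -> dict:
    """Decode the BVLC header and, for a Forwarded-NPDU, the relayed source."""
    btype, func, length = struct.unpack("!BBH", frame[:4])
    if btype != BVLC_TYPE or length != len(frame):
        raise ValueError("not a well-formed BVLC frame")
    info = {"function": func, "source": None}
    body = frame[4:]
    if func == FORWARDED_NPDU:
        ip = ".".join(str(b) for b in body[:4])
        info["source"] = (ip, struct.unpack("!H", body[4:6])[0])
        body = body[6:]
    info["who_is"] = body[2:4] == bytes([0x10, 0x08])  # skip 2-byte NPDU header
    return info
```

A firewall that only permits UDP 47808 from the management VLAN will still drop the unicast I-Am replies unless the rule is bidirectional, which is why the rule table lists BACnet/IP as both directions.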
The remote access question
Network segmentation creates an immediate problem: how do your BAS integrators access the building remotely?
Before segmentation, the integrator connected through a VPN to the corporate network and reached BAS devices because everything was on the same flat network. After segmentation, the BAS VLAN is isolated. The corporate VPN no longer reaches it — which is exactly the point.
There are two approaches to restoring remote access:
Option 1: Firewall rules for VPN access to BAS VLAN
Add firewall rules allowing VPN users to reach the BAS VLAN. This technically works but reintroduces the same problems that segmentation was supposed to solve: full network access through the VPN, no protocol filtering, no session limits, no audit trail. The integrator is back to having unrestricted access to the BAS network.
Option 2: Purpose-built remote access on the BAS VLAN
Place a managed remote access device on the BAS VLAN. The integrator connects through that device, not through the corporate network. Sessions are time-limited, protocol-restricted, and fully audited. The corporate network is never involved.
Option 2 is the approach that compliance frameworks expect. NIST 800-82 and IEC 62443 both require that remote access to OT networks be controlled separately from IT remote access, with OT-specific session management.
Common mistakes
Flat OT networks
Creating a single BAS VLAN but not applying any firewall rules between the BAS VLAN and IT VLANs. A VLAN without firewall rules is a cosmetic change — once the VLANs are routed, Layer 3 traffic still flows freely between them. Every VLAN needs explicit firewall rules to be effective.
Over-segmentation
Creating 20 VLANs for a single building with 50 BACnet devices. The management overhead (firewall rules, BBMD configuration, routing) exceeds the security benefit. Start with 3-5 VLANs and add more only when a specific risk justifies it.
Forgetting about BACnet broadcast
Putting BACnet/IP devices on two VLANs without configuring BBMDs or IP-directed broadcast forwarding. The BAS supervisor loses visibility of half the controllers. Test device discovery from every subnet after segmentation.
Blocking NTP
BAS controllers need accurate time for scheduling (HVAC start/stop times, lighting scenes) and audit logging. Blocking NTP between the BAS VLAN and a time server causes clock drift that breaks scheduled operations and makes audit logs unreliable.
Verification checklist
After implementing VLAN segmentation, verify the following:
- BACnet WHO-IS from the BAS supervisor discovers all controllers on all BAS VLANs
- Modbus registers are readable from the BAS management VLAN to metering devices
- Niagara Workbench connects to JACEs over FOX (TCP 1911/4911)
- Controller web interfaces (HTTP/HTTPS) are accessible from the management VLAN
- Ping works between BAS VLANs (ICMP allowed)
- Ping from corporate IT VLAN to any BAS VLAN fails (deny rule confirmed)
- Remote access works through the managed access platform, not through the corporate VPN
- NTP is reachable from all BAS VLANs
- DNS is reachable from BAS VLANs (if needed)
- No BAS traffic appears on the corporate IT VLAN (verify with a packet capture)
SiteConduit provides the remote access layer for segmented BAS networks. When you move your building automation to its own VLAN, SiteConduit gives your integrators protocol-restricted, time-limited, fully audited access — without routing through the corporate network.
Join the waitlist for early access, or visit our FAQ to learn more.
Hayden Barker
Founder, SiteConduit — Idea Networks Inc.
Hayden has spent over a decade designing and deploying network infrastructure for building automation environments. He built SiteConduit after seeing firsthand how traditional VPNs and remote access tools fail to meet the security and operational needs of BAS integrators and building owners.