FAQ

Building Automation Remote Access & OT Security — Frequently Asked Questions

Everything you need to know about secure BAS remote access, protocol firewalling, device monitoring, and how SiteConduit works.

About SiteConduitBACnet, Modbus & Niagara Remote AccessSecurity & ComplianceDeployment & Getting StartedMonitoring & Alerts

About SiteConduit

What is SiteConduit?

SiteConduit is a managed remote access and monitoring platform purpose-built for building automation systems (BAS) and operational technology (OT) environments. It gives technicians time-limited, protocol-restricted, fully audited connectivity to building networks — while giving building owners complete visibility and instant kill-switch control over every session.

What is BAS remote access?

BAS remote access refers to the ability for technicians to connect to building automation system controllers — such as BACnet controllers, Niagara JACE stations, and Modbus PLCs — without being physically on-site. SiteConduit provides secure BAS remote access through encrypted tunnels with protocol-level firewalling, so technicians can service equipment remotely while building owners maintain full control.

How does SiteConduit differ from a traditional VPN?

Traditional VPNs provide always-on, unrestricted network access with no visibility into what the user does once connected. SiteConduit provides time-limited sessions (2-24 hours) that auto-expire, a protocol-level firewall that only allows BAS protocols through (BACnet, Modbus, Niagara), per-protocol traffic monitoring updated every 60 seconds, bandwidth limiting to prevent data exfiltration, and a one-click kill switch. There is no standing access between sessions.

Who is SiteConduit for?

SiteConduit serves three audiences: BAS integrators and HVAC contractors who need to service building equipment remotely, facility managers and building owners who need visibility and control over third-party access, and IT/OT security teams who need protocol firewalling, encryption, audit trails, and compliance reporting.

Is SiteConduit a SaaS product?

Yes. SiteConduit is a multi-tenant SaaS platform where each customer organization is fully isolated — separate data, users, sites, and audit trails. Administrators manage everything through a web portal, and technicians connect using our lightweight desktop Connect app.

BACnet, Modbus & Niagara Remote Access

How do I remotely access BACnet controllers securely?

SiteConduit provides Layer 2 BACnet remote access through encrypted tunnels. When a technician starts a session, they receive a temporary, protocol-restricted connection that allows BACnet/IP traffic (UDP 47808) to pass through while blocking everything else. The technician can discover and communicate with BACnet controllers as if they were on the local building network — without exposing the rest of the network.

Can I use SiteConduit for Niagara remote access?

Yes. SiteConduit supports Niagara Fox protocol (TCP 4911, 5011) in its protocol allowlist. Technicians can access Niagara JACE and FX controllers remotely through the encrypted tunnel, using Niagara Workbench or a web browser — just as they would on-site. HTTP/HTTPS (TCP 80, 443) is also allowed for Niagara's web interface.

Does SiteConduit support Modbus remote access?

Yes. Modbus/TCP (TCP 502) is included in the default protocol allowlist. Technicians can communicate with Modbus PLCs and devices through the encrypted tunnel. Like all protocols, Modbus traffic is monitored and accounted for in the session's traffic report.

What is a protocol firewall for building automation?

A protocol firewall inspects network traffic at the protocol level and only allows specific, approved protocols to pass through. SiteConduit's protocol firewall uses a default-deny bridge filter: only BACnet/IP, Modbus/TCP, Niagara Fox, HTTP/HTTPS, ICMP, and ARP are allowed. Everything else — including SMB file sharing, RDP, SQL database access, and FTP — is silently dropped. The allowlist is configurable per site.

What is Layer 2 remote access?

Layer 2 remote access extends the building automation network directly to the technician's laptop at the Ethernet frame level, rather than just routing IP packets. This means the technician can use broadcast-based protocols like BACnet (which uses broadcast discovery) and appear as if they are physically plugged into the building network. SiteConduit creates a temporary Layer 2 bridge between the technician and the building site through encrypted tunnels.

Security & Compliance

How does OT remote access differ from IT VPN security?

OT environments have fundamentally different security requirements than IT. Building automation systems control physical infrastructure — HVAC, fire suppression, elevators, door locks — so a security breach is a physical safety risk, not just a data breach. OT remote access needs protocol-level restrictions (only BAS protocols, not general network access), time-limited sessions (no standing access), traffic visibility at the protocol level, and immediate termination capabilities. SiteConduit was designed specifically for these OT security requirements.

Is my traffic encrypted?

Yes. All traffic between the technician's device and the building site travels through end-to-end encrypted tunnels using modern cryptography. There is no unencrypted path at any point in the connection. The encryption protects against eavesdropping and tampering even on untrusted networks.

Does SiteConduit support compliance reporting?

Yes. SiteConduit generates detailed compliance reports that include every remote access session: who connected, when, for how long, which protocols they used, how much data was transferred, and why the session ended. Reports are exportable to CSV and are designed to support industry compliance frameworks, insurance renewals, and vendor risk assessments.

Can I terminate a session immediately if something goes wrong?

Yes. SiteConduit provides a one-click kill switch that terminates any session in seconds. The encrypted tunnel is disabled, credentials are revoked, and the network bridge is destroyed — all in a single operation. You can terminate individual sessions, all sessions at a specific site, or all sessions across your entire organization. No coordination with the vendor is required.

What happens when a session expires?

When a session reaches its time limit, SiteConduit automatically tears down all network resources: the encrypted tunnel is disabled, firewall rules are removed, the network bridge is destroyed, and the session is marked as expired in the audit log. There is no grace period. The technician must request a new session to reconnect. Sessions can be extended up to 3 times if the technician needs more time.

How does SiteConduit prevent data exfiltration?

Every session is bandwidth-limited to 10 Mbps by default (configurable per site). This is generous for BAS protocol traffic — a typical BACnet controller uses less than 50 Kbps — but makes bulk data exfiltration impractical within a time-limited session window. Combined with the protocol firewall blocking non-BAS protocols, the attack surface is dramatically reduced.

Deployment & Getting Started

How long does it take to deploy SiteConduit at a building site?

Minutes, not months. SiteConduit ships a small, pre-configured CPE device to your building site. Your facilities team plugs it into the building automation network. The device auto-provisions itself through Zero Touch Provisioning — no on-site IT support required. Once the device is online, technicians can start accessing the building network immediately.

What is Zero Touch Provisioning?

Zero Touch Provisioning (ZTP) means the CPE device shipped to your site arrives pre-configured with everything it needs to connect securely to the SiteConduit platform. When it's plugged in and powered on, it automatically establishes its encrypted tunnel, registers with the management portal, and begins reporting telemetry. No manual configuration, no IT team on-site, no firewall rules to set up.

What internet connection does SiteConduit need?

SiteConduit works over any internet connection — broadband, LTE cellular, or satellite. The encrypted tunneling protocol is designed to perform well even on high-latency or constrained connections. Many building sites use LTE cellular connections, and SiteConduit includes signal quality monitoring (RSRP, RSRQ, SINR) for cellular-connected sites.

Does the technician need special software?

Technicians use the SiteConduit Connect app, a lightweight desktop application available for Windows, Linux, and macOS. They open their session configuration file in the app and are connected — Layer 2 adjacent to the building network in seconds. No VPN client to configure, no IT support tickets, no manual setup.

Monitoring & Alerts

What does SiteConduit monitor?

SiteConduit monitors every CPE device 24/7: tunnel status (up/down), LTE signal quality (RSRP, RSRQ, SINR, band, carrier), CPU utilization, memory usage, and device uptime. Telemetry is collected every 60 seconds and stored for up to 90 days. You get a single-pane-of-glass dashboard across all your sites.

How do alerts work?

SiteConduit classifies alerts by severity level. When a device goes offline, signal quality degrades below threshold, or system metrics exceed limits, an alert is generated and displayed on your dashboard in real time. Alerts can be acknowledged with notes by your team. All alert history is retained for audit purposes.

Can I see what a technician is doing during a session?

Yes. While a session is active, SiteConduit provides per-protocol traffic breakdown updated every 60 seconds. You can see exactly how much BACnet, Modbus, Niagara, and HTTP traffic the technician is generating. If a technician who should only be polling BACnet controllers starts generating unusual HTTP traffic, you'll see it immediately. All traffic data is retained after the session ends.

Ready to Secure Your Building Automation Network?

Join the waitlist for early access to SiteConduit.

No spam. We'll only email you about SiteConduit access.