A BAS cybersecurity audit evaluates network segmentation, access controls, firmware patch status, protocol security, and physical access across every controller, server, and workstation in the building automation system. Start with a complete asset inventory, review network architecture against a segmented VLAN design, verify that every device has had default credentials changed, confirm firmware is current against vendor advisories, and document all findings in a repeatable checklist. This process is designed to support NIST 800-82 guidelines for operational technology security.
Why Audit BAS Cybersecurity
Building automation systems were designed for reliability and comfort, not cybersecurity. Most BAS installations use protocols like BACnet and Modbus that transmit data in cleartext with no built-in authentication. This was acceptable when these networks were physically isolated, but modern BAS deployments now connect to enterprise IT networks, cloud analytics platforms, and remote access gateways—dramatically expanding the attack surface.
Cyber insurance underwriters increasingly require evidence of OT network segmentation and access controls before issuing or renewing policies. Regulatory pressure is growing as well: the EU's NIS2 directive imposes risk-management and incident-reporting obligations on operators of essential and important entities, and those obligations reach building systems once they are connected to the enterprise network. NIST SP 800-82 Rev. 3 (Guide to Operational Technology (OT) Security) explicitly treats building automation as OT and expects it to receive the same security rigor as industrial control systems.
Beyond compliance, the operational risk is real. A compromised BAS can disable HVAC in a data center, unlock access-controlled doors, or serve as a lateral-movement pathway into the corporate network. The 2013 Target breach—which originated through an HVAC vendor's network credentials—remains the most cited example, but less publicized BAS compromises occur routinely across commercial real estate and healthcare facilities.
Pre-Audit Preparation
A successful BAS cybersecurity audit requires preparation before anyone touches a controller or opens a network scanner. Skipping this phase leads to incomplete audits that miss entire subsystems.
Build a Complete Asset Inventory
Document every device on the BAS network. This includes supervisory controllers, field controllers (VAV, AHU, plant controllers), network-level controllers, operator workstations, BAS servers, IP-to-MS/TP routers, gateways, and any IoT sensors or actuators with network connectivity. For each device, record:
- Manufacturer, model, and serial number
- Firmware version currently installed
- IP address or MS/TP MAC address
- Physical location (floor, mechanical room, ceiling plenum)
- Protocol(s) in use (BACnet/IP, BACnet MS/TP, Modbus TCP, Modbus RTU, LonWorks)
- Network segment or VLAN assignment
- Date of last firmware update
If no asset inventory exists, treat creating one as the first audit deliverable. You cannot audit what you have not identified. BACnet discovery (a Who-Is broadcast and the I-Am replies it provokes) enumerates BACnet/IP devices and, through IP-to-MS/TP routers, the MS/TP devices behind them; a single ReadProperty per device then fills in the vendor, model, and firmware fields. Modbus and proprietary devices do not answer broadcast discovery, so they require manual inspection. Any device found on the network that is not on the drawings is itself a finding.
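The discovery step described above, as an added example that is not code from this article or from any vendor tool: it builds a BACnet/IP Who-Is, parses the I-Am replies into inventory fields, and can run a live sweep from a host on the BAS VLAN. It assumes the default UDP port 47808 and a directly attached segment; the sample I-Am frame is constructed by hand, not a capture.

```python
"""BACnet/IP Who-Is broadcast and I-Am parsing for asset discovery.

Added example for this article, not code from the page or any vendor tool.
Assumes the default BACnet/IP port (UDP 47808) and a host attached directly to
the BAS VLAN; SAMPLE_IAM is hand-built for offline use, not a capture.
"""
import socket

BACNET_PORT = 47808
DEVICE_OBJECT_TYPE = 8
SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}


def _ctx_unsigned(tag, value):
    """Context-tagged unsigned integer (ASHRAE 135 clause 20.2), shortest encoding."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return bytes([(tag << 4) | 0x08 | len(body)]) + body


def encode_whois(low=None, high=None):
    """Global-broadcast Who-Is; an optional device-instance range narrows the sweep."""
    apdu = b"\x10\x08"                                # Unconfirmed-Request, service 8 = Who-Is
    if low is not None and high is not None:
        apdu += _ctx_unsigned(0, low) + _ctx_unsigned(1, high)
    npdu = b"\x01\x20\xff\xff\x00\xff"                # version 1, DNET 0xFFFF = all networks, hop 255
    bvlc = b"\x81\x0b" + (4 + len(npdu) + len(apdu)).to_bytes(2, "big")  # Original-Broadcast-NPDU
    return bvlc + npdu + apdu


def _apdu_offset(frame):
    """Index of the APDU after the BVLC header and any NPDU routing fields."""
    if len(frame) < 8 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP frame")
    i = 10 if frame[1] == 0x04 else 4                 # Forwarded-NPDU adds a 6-byte origin address
    if frame[i] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = frame[i + 1]
    if control & 0x80:
        raise ValueError("network-layer message, no APDU")
    i += 2
    if control & 0x20:                                # DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + frame[i + 2]
    if control & 0x08:                                # SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + frame[i + 2]
    if control & 0x20:                                # hop count follows the source fields
        i += 1
    return i


def _app_tag(buf, i):
    """Decode an application tag byte: returns (tag number, data length, data index)."""
    if buf[i] & 0x08:
        raise ValueError("context tag where an application tag was expected")
    tag, lvt = buf[i] >> 4, buf[i] & 0x07
    if lvt == 5:                                      # extended length in the next byte
        return tag, buf[i + 1], i + 2
    return tag, lvt, i + 1


def decode_iam(frame):
    """Parse an I-Am into inventory fields; None if the frame is any other message."""
    try:
        i = _apdu_offset(frame)
    except ValueError:
        return None
    if frame[i] >> 4 != 0x1 or frame[i + 1] != 0x00:  # Unconfirmed-Request, service 0 = I-Am
        return None
    i += 2
    values = []
    for expected in (12, 2, 9, 2):                    # object id, unsigned, enumerated, unsigned
        tag, length, i = _app_tag(frame, i)
        if tag != expected:
            return None
        values.append(int.from_bytes(frame[i:i + length], "big"))
        i += length
    objid, max_apdu, seg, vendor = values
    if objid >> 22 != DEVICE_OBJECT_TYPE:
        return None
    return {"device_instance": objid & 0x3FFFFF, "max_apdu": max_apdu,
            "segmentation": SEGMENTATION.get(seg, seg), "vendor_id": vendor}


def discover(broadcast_addr, timeout=3.0):
    """Send one Who-Is on the local segment and collect I-Am replies until the timeout."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind(("", BACNET_PORT))                  # replies arrive on 47808; fails if a local stack owns it
        sock.settimeout(timeout)
        sock.sendto(encode_whois(), (broadcast_addr, BACNET_PORT))
        try:
            while True:
                data, (ip, _) = sock.recvfrom(1500)
                dev = decode_iam(data)
                if dev:
                    found.append(dict(dev, ip=ip))
        except socket.timeout:
            pass
    return found


# Constructed I-Am: device 9999, max APDU 1476, no segmentation, vendor id 999
SAMPLE_IAM = bytes.fromhex("810b00190120ffff00ff1000c40200270f2205c491032203e7")

if __name__ == "__main__":
    print("Who-Is:", encode_whois().hex())
    print("Parsed I-Am:", decode_iam(SAMPLE_IAM))
    # Live sweep from a host on the BAS VLAN, for example: discover("10.50.2.255")
```

The vendor ID in an I-Am is the ASHRAE-assigned number; map it to a manufacturer with the ASHRAE vendor ID list. Sweeping in instance ranges (`encode_whois(0, 4194303)` split into chunks) keeps the I-Am storm small on large sites, and a sweep from an office VLAN that returns controllers is a segmentation finding in itself.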
Gather Documentation
Collect network diagrams, controller programming backups, user account lists, remote access configurations, vendor maintenance contracts, and any previous audit reports. Request the original sequence of operations and compare it to the current running configuration—undocumented changes are a security indicator that access controls may be weak.
Define Scope and Boundaries
Clarify which systems are included. Does the scope cover fire alarm panels connected via BACnet? Lighting control systems on the same VLAN? Access control panels sharing infrastructure? Document the scope boundary before starting so findings are attributable to specific systems.
Network Segmentation Review
Network segmentation is the single most effective cybersecurity measure for building automation systems. The goal is to isolate BAS traffic from enterprise IT traffic and from the internet, limiting the blast radius of any compromise.
What to Verify
- BAS devices on a dedicated VLAN. Controllers, BAS servers, and operator workstations should reside on one or more VLANs dedicated exclusively to building automation. If BAS controllers share a VLAN with office printers, guest Wi-Fi access points, or general IT workstations, segmentation does not exist regardless of what the network diagram claims.
- Firewall or ACL enforcement at VLAN boundaries. A VLAN alone is not a security boundary; it needs firewall rules or ACLs that restrict cross-segment traffic. Verify that rules are host-specific (only the BAS server and the jump host can reach controllers, not the whole IT subnet) and protocol-specific (UDP 47808 for BACnet/IP, TCP 502 for Modbus TCP, not "any"). Confirm the port the site actually uses: 47808 (0xBAC0) is the default, but some installations run additional BACnet networks on 47809 through 47823. Where BACnet spans subnets, the BBMD on each subnet must be permitted to reach its peer BBMDs, so name those hosts explicitly rather than opening the port subnet-wide. Read the rules from the device configuration, not the diagram; stale "temporary" permit-any rules from commissioning are common.
- No direct internet access from BAS VLANs. Controllers should never route to the public internet. Verify by checking default routes on BAS devices and attempting outbound connections from the BAS VLAN.
- Remote access through a controlled entry point. Technicians and integrators should connect through a dedicated, monitored jump host or VPN—not through port forwarding or a controller's built-in web server exposed to the internet.
- Separate VLANs for different trust levels. In larger facilities, separate supervisory-level devices (servers, head-end workstations) from field-level controllers, and isolate vendor or contractor access onto a constrained VLAN limited to specific devices during maintenance windows.
Common Finding
The most frequent segmentation failure is a "flat network"—every BAS device, IT workstation, and printer sharing a single subnet with no access restrictions. This means any compromised device can directly communicate with every controller. Even partial segmentation (BAS on its own VLAN with basic firewall rules) is a significant improvement.
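One way to make the segmentation review repeatable is to replay the flows the boundary must get right against the exported rules. The checker below is an added example, not code from this article or from any firewall vendor: the address plan, the rule syntax and the three rulesets are constructed, and the policy list encodes the checks from the section above (host-specific, protocol-specific, no internet egress, remote access only through the jump host).

```python
"""Replay must-deny and must-permit flows against a BAS boundary ACL.

Added example for this article, not code from the page or any firewall vendor.
The address plan, rule syntax and the three rulesets are constructed; POLICY
encodes the checks in the section above (host-specific, protocol-specific,
no internet egress, remote access only through the jump host).
"""
import ipaddress

# Constructed address plan (assumption, not from the page)
BAS_SERVER, JUMP_HOST = "10.50.1.10", "10.50.1.20"
BAS_CONTROLLERS, ANY = "10.50.2.0/24", "0.0.0.0/0"
BACNET, MODBUS = 47808, 502


def rule(action, src, dst, proto="any", dport=None):
    """One ACL entry; a bare host address becomes a /32."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "proto": proto, "dport": dport}


def evaluate(rules, default, flow):
    """First-match verdict for an initiating (src_ip, dst_ip, proto, dport) flow."""
    src, dst, proto, dport = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (src in r["src"] and dst in r["dst"]
                and r["proto"] in ("any", proto) and r["dport"] in (None, dport)):
            return r["action"]
    return default


# What the boundary must get right, with the expected verdict for each flow
POLICY = [
    ("BAS server reaches controllers over BACnet/IP", (BAS_SERVER, "10.50.2.21", "udp", BACNET), "permit"),
    ("BAS server must not reach controller SSH", (BAS_SERVER, "10.50.2.21", "tcp", 22), "deny"),
    ("office workstation must not reach controllers", ("10.20.3.44", "10.50.2.21", "udp", BACNET), "deny"),
    ("controllers have no internet egress (DNS)", ("10.50.2.21", "8.8.8.8", "udp", 53), "deny"),
    ("controllers have no internet egress (TLS)", ("10.50.2.21", "203.0.113.5", "tcp", 443), "deny"),
    ("technicians enter through the jump host", (JUMP_HOST, "10.50.2.21", "tcp", 443), "permit"),
    ("technician laptops cannot bypass the jump host", ("10.20.3.44", "10.50.2.21", "tcp", 443), "deny"),
]

# Flat network: no rules, everything permitted by default
FLAT = ([], "permit")
# Dedicated VLAN, but the BAS server is permitted "any" protocol to the controllers
OVERBROAD = ([rule("permit", BAS_SERVER, BAS_CONTROLLERS),
              rule("permit", JUMP_HOST, BAS_CONTROLLERS, "tcp", 443),
              rule("deny", ANY, ANY)], "deny")
# Host- and protocol-specific permits, explicit deny for everything else
TIGHT = ([rule("permit", BAS_SERVER, BAS_CONTROLLERS, "udp", BACNET),
          rule("permit", BAS_SERVER, BAS_CONTROLLERS, "tcp", MODBUS),
          rule("permit", JUMP_HOST, BAS_CONTROLLERS, "tcp", 443),
          rule("deny", ANY, ANY)], "deny")


def audit(ruleset):
    """Policy lines the ruleset gets wrong; an empty list means the boundary passes."""
    rules, default = ruleset
    return [desc for desc, flow, expected in POLICY if evaluate(rules, default, flow) != expected]


if __name__ == "__main__":
    for name, rs in (("flat", FLAT), ("overbroad", OVERBROAD), ("tight", TIGHT)):
        print(name, audit(rs) or "PASS")
```

The checker models initiating flows only; on a stateless ACL the return UDP traffic from controllers to the BAS server needs its own permit, which a stateful firewall handles for you. Replace the policy addresses with the site's real ones and export the rules from the firewall rather than retyping them from the diagram.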
Access Control Audit
Access control failures are the most exploitable vulnerabilities in building automation. Unlike protocol-level attacks, exploiting weak access controls requires no specialized tools—just a web browser and a default password list.
Credential Review
- Default credentials. Check every controller, server, and workstation for factory-default usernames and passwords. Vendor default credential lists are publicly available for every major BAS manufacturer (Trane, Johnson Controls, Siemens, Honeywell, Schneider Electric, Automated Logic, Distech). Any device still running factory defaults is a critical finding.
- Shared accounts. Identify accounts used by multiple technicians or integrators. Shared accounts eliminate accountability—each person who accesses the BAS should have individual credentials.
- Orphaned accounts. Review user lists for former employees, departed contractors, or vendor accounts from completed projects. Disable or remove these immediately.
- Password complexity. Verify that passwords meet a minimum complexity standard and that service accounts are not using simple or blank passwords.
Role-Based Access
Modern BAS platforms support role-based access control (RBAC). Verify that operator accounts cannot modify controller programming, that read-only accounts are available for monitoring dashboards, and that administrative functions (user management, network configuration, firmware updates) are restricted to named administrator accounts. Document which roles exist and who holds each role.
Remote Access Controls
Document every method of remote access: VPN connections, web portals, vendor cloud platforms, cellular gateways, and direct port forwards. For each, verify that multi-factor authentication (MFA) is enforced, sessions time out after inactivity, and access logs are retained. Any remote access pathway without authentication is a critical finding.
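The credential and account checks above can be run over a user export and a session log rather than eyeballed. The script below is an added example, not a vendor tool: the export layout, the user and session records, the departed list and the 90-day idle threshold are constructed assumptions, and `GENERIC_DEFAULTS` is only a generic starting list that a real audit replaces with each manufacturer's published default-account names.

```python
"""Account-hygiene checks over a BAS user export and a session log.

Added example for this article, not a vendor tool. The export layout, the user and
session records, the departed list and the 90-day idle threshold are constructed
assumptions. GENERIC_DEFAULTS is a generic starting list; a real audit substitutes
the manufacturer's published default-account list for each platform.
"""
from datetime import datetime, timedelta

GENERIC_DEFAULTS = {"admin", "administrator", "guest", "service", "operator"}
IDLE_DAYS = 90

# Constructed user export: owner is a named person, "shared", or a vendor company
USERS = [
    {"name": "admin", "role": "admin", "enabled": True, "owner": "shared", "last_login": "2024-05-02"},
    {"name": "jsmith", "role": "admin", "enabled": True, "owner": "J. Smith", "last_login": "2024-05-03"},
    {"name": "integrator", "role": "admin", "enabled": True, "owner": "Acme Controls", "last_login": "2023-11-14"},
    {"name": "dashboard", "role": "readonly", "enabled": True, "owner": "Facilities", "last_login": "2024-05-03"},
    {"name": "tlee", "role": "operator", "enabled": True, "owner": "T. Lee", "last_login": "2024-01-08"},
]
DEPARTED = {"T. Lee"}                      # from the HR offboarding list (constructed)

# Constructed session log: (user, start, end, source IP)
SESSIONS = [
    ("admin", "2024-05-02 08:00", "2024-05-02 09:30", "10.50.1.50"),
    ("admin", "2024-05-02 08:45", "2024-05-02 10:00", "10.50.1.51"),
    ("jsmith", "2024-05-03 07:10", "2024-05-03 07:40", "10.50.1.50"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def shared_account_evidence(sessions):
    """Accounts seen logged in from two different source IPs at overlapping times."""
    hits = set()
    for n, (u1, s1, e1, ip1) in enumerate(sessions):
        for u2, s2, e2, ip2 in sessions[n + 1:]:
            if u1 == u2 and ip1 != ip2 and _ts(s1) < _ts(e2) and _ts(s2) < _ts(e1):
                hits.add(u1)
    return hits


def audit_accounts(users, sessions, departed, as_of):
    """(account, severity, finding) tuples for every enabled account that fails a check."""
    findings = []
    as_of = datetime.strptime(as_of, "%Y-%m-%d")
    concurrent = shared_account_evidence(sessions)
    for u in users:
        if not u["enabled"]:
            continue
        if u["name"].lower() in GENERIC_DEFAULTS:
            findings.append((u["name"], "critical",
                             "built-in account still enabled: confirm the factory password is gone, then rename or disable"))
        if u["owner"] == "shared" or u["name"] in concurrent:
            findings.append((u["name"], "high", "shared credential: issue individual accounts"))
        idle = as_of - datetime.strptime(u["last_login"], "%Y-%m-%d")
        if u["owner"] in departed or idle > timedelta(days=IDLE_DAYS):
            findings.append((u["name"], "high", f"orphaned: owner departed or idle for {idle.days} days"))
    return findings


if __name__ == "__main__":
    for account, severity, text in audit_accounts(USERS, SESSIONS, DEPARTED, "2024-05-10"):
        print(f"[{severity}] {account}: {text}")
```

The overlapping-session check is the useful part: a vendor export rarely says "shared", but two concurrent logins to one account from different source addresses is hard evidence. Whether the built-in account still has its factory password has to be tested on the device; the script only tells you which accounts to test.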
Firmware and Patch Status
BAS controllers are embedded devices that run firmware, and that firmware contains vulnerabilities just like any other software. Unlike IT systems that receive automatic updates, BAS firmware must be updated manually—and in practice, it rarely is.
Audit Steps
- Record current firmware versions. For every device in the asset inventory, document the running firmware version. BACnet devices report it in the Firmware_Revision property (property identifier 44) of the Device object; also record Application_Software_Version (12), Model_Name (70) and Vendor_Name (121), each retrievable with a single ReadProperty that does not touch the controller's configuration. For non-BACnet devices, check the controller's web interface or configuration tool.
- Compare against vendor advisories. Check each manufacturer's security advisory page for published vulnerabilities affecting your installed versions. Trane, Johnson Controls (including the former Tyco lines), Siemens, Honeywell, and Schneider Electric all publish security bulletins through CISA's ICS advisories (formerly ICS-CERT) and their own portals. Any device running firmware with known CVEs is a finding; record the CVE, the fixed version, and whether exploitation needs network access or only adjacent access, so the finding can be prioritized.
- Document patching history. Determine whether a firmware update process exists. Can the facility team apply firmware updates, or does it require a vendor service call? Is there a test environment for validating updates before production deployment? Facilities with no documented patching process are at significantly higher risk.
- Identify end-of-life devices. Controllers that are no longer supported by the manufacturer will never receive security patches. Document these devices and recommend a replacement timeline. Legacy controllers running Windows XP Embedded, Windows CE, or unsupported Linux kernels are especially high-risk.
Practical Reality
Most commercial buildings have controllers ranging from 2 to 20 years old from multiple manufacturers. Expecting every device to run the latest firmware is unrealistic. The audit should categorize findings by risk: devices accessible from the enterprise network with known CVEs are critical, while isolated field controllers on a segmented MS/TP bus are lower priority.
Protocol Security Review
The protocols used in building automation were designed for interoperability, not security. Understanding their limitations is essential for an accurate audit.
BACnet
Standard BACnet/IP (ASHRAE 135, Annex J) transmits all data, including point values, schedules, trend data, and device configurations, as unencrypted UDP, by default on port 47808. In practice there is no authentication at the protocol level (the standard's legacy network-security option, Clause 24, saw almost no adoption in shipped products), so any host on the same network segment can read from or write to any BACnet object on any controller, and a single unauthenticated WriteProperty can change a setpoint or a schedule. The audit should verify that network segmentation compensates for this protocol-level weakness, and document whether BACnet Secure Connect (BACnet/SC), which carries BACnet over TLS-protected WebSocket connections with X.509 certificate authentication, is available on installed equipment and whether migration has been planned.
Modbus
Modbus TCP and Modbus RTU provide no authentication, encryption, or access control whatsoever. Any host that can reach a Modbus server (slave) on TCP port 502, or any device attached to the serial bus, can read and write coils and holding registers without restriction; one write to the wrong register can change a setpoint or command an output. Modbus/TCP Security, which wraps the protocol in TLS on TCP port 802, exists but is rarely supported by installed BAS equipment, so in practice network segmentation and physical access control are the only available defenses. The audit should confirm that Modbus TCP devices are not reachable from untrusted network segments and that the write function codes (5, 6, 15, 16) are only ever issued by the BAS server or gateway.
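Because neither protocol can refuse a write, the compensating control is to watch for writes that come from the wrong place. The monitor below is an added example serving both the BACnet and Modbus paragraphs above; it is not code from this article or any product. It decodes just enough BACnet/IP and Modbus TCP to classify each request and flags writes, device control and Who-Is sweeps from hosts other than the BAS server. The address plan, the allowlist and the sample frames are constructed, not captures.

```python
"""Passive detection of write, control and discovery traffic on a BAS segment.

Added example for this article, not code from the page or any product. It decodes
just enough BACnet/IP and Modbus TCP to classify each request and flags writes,
device control and Who-Is sweeps from hosts other than the BAS server. The
address plan, allowlist and sample frames are constructed, not captures.
"""
BACNET_PORT, MODBUS_PORT = 47808, 502
AUTHORIZED_WRITERS = {"10.50.1.10"}                 # the BAS server (constructed address)

# Confirmed-service choices that change controller state (ASHRAE 135 clause 21)
BACNET_WRITE_SERVICES = {15: "WriteProperty", 16: "WritePropertyMultiple",
                         17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
MODBUS_WRITE_FUNCTIONS = {5: "WriteSingleCoil", 6: "WriteSingleRegister",
                          15: "WriteMultipleCoils", 16: "WriteMultipleRegisters",
                          22: "MaskWriteRegister", 23: "ReadWriteMultipleRegisters"}


def bacnet_service(payload):
    """('confirmed'|'unconfirmed', service choice) for Original-Unicast/Broadcast NPDUs, else None."""
    if len(payload) < 8 or payload[0] != 0x81 or payload[1] not in (0x0a, 0x0b) or payload[4] != 0x01:
        return None
    control, i = payload[5], 6
    if control & 0x80:                               # network-layer message, no APDU
        return None
    if control & 0x20:
        i += 3 + payload[i + 2]                      # DNET, DLEN, DADR
    if control & 0x08:
        i += 3 + payload[i + 2]                      # SNET, SLEN, SADR
    if control & 0x20:
        i += 1                                       # hop count
    pdu_type = payload[i] >> 4
    if pdu_type == 0:                                # Confirmed-Request: flags, max-resp, invoke id, service
        return "confirmed", payload[i + 3]
    if pdu_type == 1:                                # Unconfirmed-Request: type, service
        return "unconfirmed", payload[i + 1]
    return None


def modbus_function(payload):
    """Function code of a Modbus TCP request: 7-byte MBAP header (protocol id 0) then the PDU."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    return payload[7]


def classify(src_ip, dst_port, payload):
    """Alert text for traffic the auditor should see, or None for expected behaviour."""
    trusted = src_ip in AUTHORIZED_WRITERS
    if dst_port == BACNET_PORT and not trusted:
        svc = bacnet_service(payload)
        if svc == ("unconfirmed", 8):
            return f"{src_ip}: Who-Is sweep from a non-BAS host (discovery)"
        if svc and svc[0] == "confirmed" and svc[1] in BACNET_WRITE_SERVICES:
            return f"{src_ip}: BACnet {BACNET_WRITE_SERVICES[svc[1]]} from unauthorized host"
    elif dst_port == MODBUS_PORT and not trusted:
        fc = modbus_function(payload)
        if fc in MODBUS_WRITE_FUNCTIONS:
            return f"{src_ip}: Modbus {MODBUS_WRITE_FUNCTIONS[fc]} from unauthorized host"
    return None


def scan(traffic):
    """Run classify over (src_ip, dst_port, payload) records and return the alerts in order."""
    return [alert for alert in (classify(*rec) for rec in traffic) if alert]


# Constructed frames (hand-built, not captures)
WRITE_PV = bytes.fromhex("810a001a01040005020f0c0080000119553e44429000003f4908")  # WriteProperty AV:1 PV=72.0 prio 8
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
MODBUS_READ_HR = bytes.fromhex("00020000000601030000000a")                # FC 3, 10 registers from 0
MODBUS_WRITE_HR = bytes.fromhex("00010000000b0110001000020400010002")    # FC 16, 2 registers at 16

SAMPLE_TRAFFIC = [
    ("10.50.1.10", BACNET_PORT, WRITE_PV),         # BAS server writes a setpoint: expected
    ("10.20.3.44", BACNET_PORT, WRITE_PV),         # office workstation writes the same point: alert
    ("10.20.3.44", BACNET_PORT, WHO_IS),           # office workstation enumerates devices: alert
    ("10.50.1.10", MODBUS_PORT, MODBUS_READ_HR),   # BAS server polls a meter: expected
    ("10.20.3.44", MODBUS_PORT, MODBUS_WRITE_HR),  # unknown host writes registers: alert
]

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC):
        print(line)
```

Feed it from a SPAN port or tap (tcpdump or Scapy can hand it the UDP and TCP payloads); it is passive and never sends anything to a controller. It deliberately skips Forwarded-NPDU frames relayed by a BBMD, and MS/TP traffic is only visible where it crosses an IP-to-MS/TP router, so place the tap on the IP side of those routers.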
Web Interfaces and APIs
Many modern controllers expose web-based configuration interfaces and REST APIs. The audit should verify: Are these interfaces served over HTTPS with valid TLS certificates, or unencrypted HTTP? Do API endpoints require authentication tokens, or are they open? Are management interfaces accessible only from the BAS management VLAN, or from any network? Controllers serving HTTP on port 80 with no authentication from any reachable network segment represent a critical finding.
Physical Security
Cybersecurity audits often overlook physical access, but in building automation, physical access frequently equals network access. A BACnet MS/TP trunk cable in an unlocked electrical closet provides direct, unauthenticated access to every controller on that bus segment.
What to Inspect
- Mechanical and electrical rooms. Are rooms containing BAS controllers, network switches, and servers locked? Who has keys or badge access? Is access logged?
- Network ports. Are unused Ethernet ports on BAS switches disabled? An active port in a public hallway or tenant space allows anyone to plug in a laptop and join the BAS VLAN.
- Controller enclosures. Are field controllers in locked enclosures, or mounted open in accessible ceiling plenums and electrical panels? Can someone physically access a controller's USB, serial, or Ethernet port without authorization?
- Cabling and trunk lines. MS/TP and RS-485 trunk cables running through accessible areas (above ceiling tiles, through open cable trays) can be tapped with inexpensive hardware. Document where trunk lines pass through unsecured spaces.
- Portable media. Verify that USB ports on BAS workstations and servers are disabled or restricted. Malware delivered via USB drives remains a proven attack vector for OT systems.
BAS Cybersecurity Audit Checklist
Use this checklist as a repeatable framework for BAS cybersecurity audits. It is designed to support NIST 800-82 guidelines for operational technology security. Adapt the scope to your facility's size and risk profile.
| Category | Audit Item | Status |
|---|---|---|
| Asset Inventory | Complete inventory of all BAS devices with IP/MAC addresses, firmware versions, and physical locations | |
| Asset Inventory | End-of-life devices identified with replacement timeline | |
| Network Segmentation | BAS devices on dedicated VLAN(s) separate from enterprise IT | |
| Network Segmentation | Firewall or ACL rules enforce traffic restrictions at VLAN boundaries | |
| Network Segmentation | No direct internet access from BAS VLANs (verified by testing outbound connections) | |
| Network Segmentation | Remote access restricted to monitored VPN or jump host | |
| Access Control | No devices using factory-default credentials | |
| Access Control | Individual user accounts (no shared credentials) | |
| Access Control | Orphaned accounts from former employees/contractors removed | |
| Access Control | Role-based access control configured (operator, admin, read-only roles) | |
| Access Control | Multi-factor authentication enabled for all remote access | |
| Firmware & Patching | All firmware versions documented and compared against vendor security advisories | |
| Firmware & Patching | Devices with known CVEs identified and remediation plan documented | |
| Firmware & Patching | Firmware update process documented (who, how, testing procedure) | |
| Firmware & Patching | Controller configuration backups stored securely offline | |
| Protocol Security | BACnet/IP restricted to dedicated VLAN (compensating for lack of protocol-level auth) | |
| Protocol Security | Modbus TCP devices not reachable from untrusted segments | |
| Protocol Security | Web interfaces using HTTPS with valid certificates (no HTTP-only management) | |
| Protocol Security | BACnet/SC migration feasibility assessed for internet-facing or high-risk segments | |
| Physical Security | Mechanical rooms and network closets locked with logged access | |
| Physical Security | Unused switch ports disabled | |
| Physical Security | USB ports on BAS workstations restricted or disabled | |
| Physical Security | Controller enclosures locked where physically accessible | |
| Monitoring | Network traffic monitoring or anomaly detection in place on BAS VLAN | |
| Monitoring | Access logs retained for remote sessions and administrative actions | |
| Documentation | Network diagrams current and accurately reflect physical topology | |
| Documentation | Incident response plan includes BAS-specific scenarios |
Common Audit Mistakes
- Auditing only the head-end and ignoring field controllers. Many auditors check the BAS server and operator workstations but never inspect the controllers in mechanical rooms. Field controllers often run older firmware, retain default passwords, and sit on unsegmented network segments. A comprehensive audit must extend to every IP-addressable device, including IP-to-MS/TP routers and network-connected sensors.
- Treating the BAS audit as a standard IT audit. IT auditors unfamiliar with OT environments miss BAS-specific risks—like cleartext BACnet communication, Modbus register write access, or MS/TP bus tapping—while flagging irrelevant IT issues. The audit team should include someone with building automation experience.
- Running active vulnerability scanners against BAS controllers. Enterprise vulnerability scanners (Nessus, Qualys, Rapid7) can crash or reboot embedded controllers that were never designed to handle aggressive port scans or malformed probes, and that can disrupt HVAC in an occupied building. Prefer passive network monitoring and manual firmware version checks. If an active scan is unavoidable because an insurer or regulator insists, run it first against a bench unit of the same model, then in a maintenance window with the scanner's OT-safe profile, one host at a time, with the vendor reachable.
- Documenting findings without risk prioritization. An audit that lists 200 findings with no severity ranking is not actionable. A controller with default credentials on an internet-reachable subnet is critical; the same controller on an isolated MS/TP bus is low severity. The building owner needs to know what to fix first.
- Performing a one-time audit with no follow-up schedule. BAS environments change continuously—new controllers get commissioned, contractors create temporary accounts, firmware updates get deferred. Establish a recurring audit schedule (annually at minimum, quarterly for high-risk facilities) and track remediation between cycles.
Source Attribution
This guide draws on technical documentation and guidance from the following sources:
- NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security. Provides the foundational framework for OT security assessments, including building automation systems. This audit checklist is designed to support NIST SP 800-82 guidelines.
- Trane, Cybersecurity for Building Automation Systems. Trane's security guidance covers access control hardening, firmware update practices, and network segmentation recommendations for Tracer controllers and Trane BAS platforms.
- Smart Buildings Academy, IT for BAS Professionals (BASIT100). Training curriculum covering BAS network security fundamentals, cybersecurity awareness for controls technicians, and IT/OT convergence concepts.
- Veridify Security, BACnet Security Issues and How to Mitigate Cyber Risks. Detailed analysis of BACnet protocol vulnerabilities including default credential risks, lack of encryption, and authentication gaps.
- CISA, Industrial Control Systems Security. ICS advisories (formerly ICS-CERT) and the CSET (Cyber Security Evaluation Tool) for structured OT security assessments.
SiteConduit Technical Team
Idea Networks Inc.
SiteConduit builds managed remote access for building automation. Our knowledge base is maintained by BAS professionals with hands-on experience deploying and troubleshooting BACnet, Niagara, Modbus, and Facility Explorer systems.