Problem

Owners and IT ask, "Is this BAS secure?" following publicized vulnerabilities in Niagara and other automation platforms.

Root Cause

Many BAS were deployed before cybersecurity was a strong focus, with defaults left in place: shared accounts, open ports, weak passwords, no TLS.

Solution

1. Inventory All BAS Components

• List all JACEs, Supervisors, Metasys Servers, controllers
• Map which networks they touch
• Identify internet-exposed devices

2. Apply Vendor Hardening Guides

Apply Niagara Hardening Guide, Metasys security guidance, vendor security notices:

• Enforce unique accounts and strong passwords
• Enable TLS and replace default/self-signed certs with managed ones
• Disable unused services and ports

3. Isolate BAS Networks

• Use firewalls/VPNs between BAS and corporate networks
• Restrict access to known management subnets
• Never expose BAS devices directly to internet

4. Establish Patch Management

• Create a patch and firmware management plan
• Keep Niagara/Metasys and OS layers up to date
• Test patches in non-production before deploying

Quick Wins Checklist

• Change all default passwords (TODAY)
• Enable HTTPS on all web interfaces
• Disable Telnet/FTP if enabled
• Verify no BAS devices have public IP addresses
• Document all BAS network connections
• Schedule quarterly security reviews