Network segmentation isolates building automation systems from enterprise networks and the internet, reducing attack surface and limiting breach impact.

| Benefit | Description |
|---|---|
| Reduced attack surface | Limits exposure to threats |
| Breach containment | Prevents lateral movement |
| Access control | Restricts who can reach BAS |
| Monitoring | Easier to detect anomalies |
| Compliance | Meets security standards |

| Benefit | Description |
|---|---|
| Traffic isolation | BAS traffic separate from IT |
| Performance | Dedicated bandwidth for BAS |
| Troubleshooting | Easier network analysis |
| Change management | IT changes don't affect BAS |

| VLAN | Purpose | Example Range |
|---|---|---|
| BAS Management | Servers, workstations | VLAN 100 |
| BACnet/IP | IP-based controllers | VLAN 101 |
| BACnet/MSTP | Router connections | VLAN 102 |
| Integrations | Meters, third-party | VLAN 103 |
| Remote Access | VPN termination | VLAN 110 |

Use private address ranges per RFC 1918:

| Network | Suggested Range |
|---|---|
| BAS Servers | 10.100.1.0/24 |
| BACnet/IP Controllers | 10.100.10.0/24 |
| Integration Devices | 10.100.20.0/24 |

Only allow necessary traffic (rules are evaluated in order; the final deny catches everything not explicitly allowed):

```text
Rule: Allow BAS Server to Controllers
  Source:      10.100.1.0/24
  Destination: 10.100.10.0/24
  Port:        47808 (BACnet)
  Action:      Allow

Rule: Allow Workstation to BAS Server
  Source:      10.10.50.100 (specific workstation)
  Destination: 10.100.1.10 (BAS server)
  Port:        443 (HTTPS)
  Action:      Allow

Rule: Deny all other to BAS
  Source:      Any
  Destination: 10.100.0.0/16
  Action:      Deny + Log
```
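The three rules above, evaluated first-match in order, as an added example that is not part of the original page and is not any firewall vendor's configuration format: a small Python policy checker built on the standard `ipaddress` module, run over constructed sample flows, plus an RFC 1918 check for the addressing plan. The sample flows, the `no-match` result for traffic that touches neither BAS range, and the helper names (`Rule`, `evaluate`, `audit`, `is_rfc1918`) are assumptions made for the example.

```python
"""Added example: first-match evaluation of the BAS firewall rules.

Rules and address ranges come from the segmentation plan above; the flows,
the helper names and the log format are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR; a single host is written as /32
    dst: str
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"
    log: bool = False    # write a log line when this rule matches


# The three rules from the page, in the order they must be evaluated.
BAS_RULES = [
    Rule("Allow BAS Server to Controllers", "10.100.1.0/24", "10.100.10.0/24", 47808, "allow"),
    Rule("Allow Workstation to BAS Server", "10.10.50.100/32", "10.100.1.10/32", 443, "allow"),
    Rule("Deny all other to BAS", "0.0.0.0/0", "10.100.0.0/16", None, "deny", log=True),
]

# RFC 1918 private ranges, listed explicitly rather than via ip_network.is_private,
# which also covers loopback, link-local and other non-RFC-1918 space.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the whole subnet sits inside one RFC 1918 range."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.port is None or rule.port == port))


def evaluate(rules, src: str, dst: str, port: int):
    """Return (action, rule_name, log_line); log_line is None unless the rule logs."""
    for rule in rules:
        if matches(rule, src, dst, port):
            log = (f"{rule.action.upper()} {src} -> {dst}:{port} rule='{rule.name}'"
                   if rule.log else None)
            return rule.action, rule.name, log
    # Traffic that touches no BAS range is outside this rule set's scope.
    return "no-match", None, None


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.100.1.10", "10.100.10.25", 47808),  # BAS server -> controller, BACnet: allow
    ("10.10.50.100", "10.100.1.10", 443),    # approved workstation, HTTPS: allow
    ("10.10.50.101", "10.100.1.10", 443),    # any other workstation: deny + log
    ("10.100.1.10", "10.100.10.25", 23),     # Telnet to a controller: deny + log
    ("10.10.50.100", "10.100.1.10", 80),     # plain HTTP instead of HTTPS: deny + log
]


def audit(rules=BAS_RULES, flows=SAMPLE_FLOWS):
    """Evaluate each flow; print the log lines the deny rule would emit."""
    results = []
    for src, dst, port in flows:
        action, name, log = evaluate(rules, src, dst, port)
        results.append((src, dst, port, action))
        if log:
            print(log)
    return results


if __name__ == "__main__":
    for src, dst, port, action in audit():
        print(f"{src:>13} -> {dst}:{port:<6} {action}")
    for net in ("10.100.1.0/24", "10.100.10.0/24", "10.100.20.0/24"):
        print(net, "RFC 1918" if is_rfc1918(net) else "NOT private")
```

Because the deny rule sits last and covers the whole 10.100.0.0/16, swapping its position with either allow rule would silently cut off legitimate BACnet or HTTPS traffic; keeping the rule order under change control is as important as the rule contents.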

| Port | Protocol | Purpose |
|---|---|---|
| 47808 | BACnet/IP | BACnet communication |
| 443 | HTTPS | Web interface |
| 4911 | Niagara | Niagara platform |
| 502 | Modbus TCP | Modbus devices |
| 22 | SSH | Secure management |

| Port | Reason |
|---|---|
| 23 (Telnet) | Unencrypted |
| 80 (HTTP) | Use HTTPS instead |
| 21 (FTP) | Use SFTP instead |
| 161/162 (SNMP v1/2) | Use SNMPv3 or block |

| Role | Access Level |
|---|---|
| BAS Engineer | Full BAS network access |
| Operator | Web interface only |
| IT Administrator | Management VLAN only |
| Contractor | Specific devices, time-limited |
| Remote Support | VPN + jump host + logging |

| Practice | Implementation |
|---|---|
| VPN required | No direct internet exposure |
| MFA | Two-factor for all remote |
| Session logging | Record all remote sessions |
| Time limits | Auto-disconnect after inactivity |
| Least privilege | Only necessary access granted |

| Monitor | Purpose |
|---|---|
| Firewall logs | Blocked connection attempts |
| Authentication logs | Failed login attempts |
| Traffic flows | Unusual patterns |
| Device inventory | Unauthorized devices |
| Configuration changes | Unauthorized modifications |
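The monitoring sources in the table above turned into detection logic, as an added example that is not part of the original page: a Python pass over constructed firewall and authentication log lines that flags repeated denied connections into the BAS range, cleartext legacy protocols (the ports the page says to block) that a rule nevertheless allowed, hosts on the BAS network missing from the device inventory, and bursts of failed logins. The log line format, the inventory, the sample entries and the thresholds are all assumptions; they match no particular firewall or BAS product.

```python
"""Added example: alerting over constructed BAS firewall and auth logs.

The 'fw' and 'auth' line formats, the inventory and the thresholds are
assumptions for this example; only the BAS range and the blocked-port list
come from the segmentation plan above.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

BAS_NET = ip_network("10.100.0.0/16")
# Ports the plan says to block; seeing them *allowed* into the BAS range is a misconfiguration.
LEGACY_PORTS = {23: "Telnet", 80: "HTTP", 21: "FTP", 161: "SNMPv1/2", 162: "SNMP trap"}
# Constructed inventory of authorised BAS hosts.
INVENTORY = {"10.100.1.10", "10.100.10.25", "10.100.10.26", "10.100.20.5"}

FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) from=(?P<src>[\d.]+)$")

# Constructed sample log lines (format is an assumption, not a real product's syslog).
SAMPLE_LOGS = """\
2024-05-01T08:00:01 fw ALLOW 10.100.1.10 -> 10.100.10.25:47808
2024-05-01T08:00:02 fw DENY 10.10.50.101 -> 10.100.1.10:443
2024-05-01T08:00:03 fw DENY 10.10.50.101 -> 10.100.1.11:443
2024-05-01T08:00:04 fw DENY 10.10.50.101 -> 10.100.1.12:443
2024-05-01T08:00:05 fw DENY 10.10.50.101 -> 10.100.1.13:443
2024-05-01T08:00:06 fw DENY 10.10.50.101 -> 10.100.1.14:443
2024-05-01T08:00:07 fw ALLOW 10.100.10.99 -> 10.100.1.10:80
2024-05-01T08:00:08 auth FAIL user=operator from=10.10.50.100
2024-05-01T08:00:09 auth FAIL user=operator from=10.10.50.100
2024-05-01T08:00:10 auth FAIL user=operator from=10.10.50.100
2024-05-01T08:00:11 auth OK user=engineer from=10.10.50.100
""".splitlines()


def analyse(lines, deny_threshold=5, fail_threshold=3):
    """Return a list of alert strings derived from the log lines."""
    denies = Counter()        # denied connections into BAS_NET, per source
    fails = Counter()         # failed logins, per (user, source)
    seen_unknown = set()      # BAS hosts not in the inventory, reported once
    alerts = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            src, dst, port = m["src"], m["dst"], int(m["port"])
            to_bas = ip_address(dst) in BAS_NET
            if m["action"] == "DENY" and to_bas:
                denies[src] += 1
            if m["action"] == "ALLOW":
                if to_bas and port in LEGACY_PORTS:
                    alerts.append(f"legacy-protocol: {LEGACY_PORTS[port]} {src}->{dst}:{port} was allowed")
                # Only allowed flows prove a host exists; a denied probe to a
                # non-existent address says nothing about the inventory.
                for host in (src, dst):
                    if ip_address(host) in BAS_NET and host not in INVENTORY and host not in seen_unknown:
                        seen_unknown.add(host)
                        alerts.append(f"unknown-device: {host} seen on BAS network")
            continue
        m = AUTH_RE.match(line)
        if m and m["result"] == "FAIL":
            fails[(m["user"], m["src"])] += 1
    for src, n in denies.items():
        if n >= deny_threshold:
            alerts.append(f"scan-suspect: {src} had {n} denied connections into BAS range")
    for (user, src), n in fails.items():
        if n >= fail_threshold:
            alerts.append(f"brute-force-suspect: {n} failed logins for {user} from {src}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

The unknown-device check deliberately ignores denied flows: a scanner probing addresses that no controller occupies would otherwise fill the inventory alert with phantom hosts, while the scan itself is already caught by the deny counter.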
Configure alerts for:

| Mistake | Impact | Solution |
|---|---|---|
| Flat network | Easy lateral movement | Implement VLANs |
| Over-permissive rules | Unnecessary exposure | Principle of least privilege |
| No logging | Can't detect issues | Enable comprehensive logging |
| Direct internet | Exposed to attacks | Require VPN |
| Shared passwords | No accountability | Individual accounts |