BAS Network Security Hardening Checklist
Building automation systems are increasingly targeted by cyber attacks. This checklist provides actionable steps to harden your BAS network, organized by priority and effort level.
Why BAS Security Matters
BAS networks are attractive targets:
- Often use default credentials
- Frequently connected to corporate networks without segmentation
- Run legacy software with known vulnerabilities
- Lack encryption on most protocols (BACnet, Modbus, LON)
- Physical access to controllers is often unsecured
Priority 1: Immediate Actions
1.1 Default Credential Audit
Check Every Device:
- [ ] Controllers (Niagara, Metasys, Tridium, etc.)
- [ ] Network switches and routers
- [ ] Protocol gateways
- [ ] VFDs with network interfaces
- [ ] Lighting controllers
- [ ] Metering equipment
- [ ] Webcams and sensors with web interfaces
Common Defaults to Eliminate:
- admin / admin
- tridium / tridium
- Niagara / Niagara
- guest / guest
- user / user
- MetasysSysAgent / (varies)
1.2 Password Policy Implementation
| Requirement | Minimum Standard |
|---|---|
| Length | 12+ characters |
| Complexity | Upper, lower, number, special character |
| Rotation | Every 90 days for admin accounts |
| Reuse | No reuse of last 5 passwords |
| Shared accounts | Eliminate; use individual accounts |
| Service accounts | Document and rotate annually |
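The table above is only useful if something enforces it. As an added example (not part of the original checklist and not any vendor's code), here are the minimum standards encoded as checks a supervisor or identity service could run before accepting a password change. The account record layout, the per-account salt and the sample passwords are constructed for the illustration; password history is kept as salted PBKDF2 digests so the reuse check never needs old plaintext.

```python
import hashlib
import re
from datetime import date

# Policy values are the minimum standards from the table in section 1.2.
MIN_LENGTH = 12
HISTORY_DEPTH = 5                               # no reuse of the last 5 passwords
ROTATION_DAYS = {"admin": 90, "service": 365}   # admin every 90 days, service annually


def complexity_failures(candidate):
    """Return the complexity requirements the candidate does not meet (empty list = OK)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("no special character")
    return failures


def history_digest(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest; the history stores digests, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def reuses_recent(candidate, history, salt):
    """True if the candidate matches one of the last HISTORY_DEPTH stored digests."""
    return history_digest(candidate, salt) in history[-HISTORY_DEPTH:]


def rotation_overdue(role, last_changed, today):
    """True if an account type with a rotation interval has exceeded it."""
    max_age = ROTATION_DAYS.get(role)
    if max_age is None:
        return False  # the table sets no rotation interval for other roles
    return (today - last_changed).days > max_age


def check_password_change(account, candidate):
    """Collect every reason a proposed change violates the policy.

    `account` is a constructed record with keys: role, salt (bytes),
    history (list of digests), shared (bool), last_changed (date).
    """
    reasons = complexity_failures(candidate)
    if account["shared"]:
        reasons.append("shared account; migrate to individual accounts")
    if reuses_recent(candidate, account["history"], account["salt"]):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return reasons


def record_change(account, new_password, today):
    """Append the new digest and trim so only the last HISTORY_DEPTH digests are kept."""
    account["history"].append(history_digest(new_password, account["salt"]))
    account["history"] = account["history"][-HISTORY_DEPTH:]
    account["last_changed"] = today


# Constructed sample accounts (hypothetical names and values, not from any real system).
SALT = b"example-per-account-salt"
TODAY = date(2024, 6, 1)
SAMPLE_ADMIN = {
    "role": "admin",
    "salt": SALT,
    "history": [history_digest(p, SALT) for p in ("Winter2023!x", "Spring2024!x")],
    "shared": False,
    "last_changed": date(2024, 1, 15),
}
SAMPLE_SHARED = {"role": "operator", "salt": SALT, "history": [], "shared": True,
                 "last_changed": date(2024, 5, 1)}

if __name__ == "__main__":
    print(check_password_change(SAMPLE_ADMIN, "admin"))
    print(check_password_change(SAMPLE_ADMIN, "Spring2024!x"))
    print(rotation_overdue(SAMPLE_ADMIN["role"], SAMPLE_ADMIN["last_changed"], TODAY))
```

The rotation check is kept separate from the change check because an overdue password is a reason to force a change, not a reason to reject one; a supervisor would run `rotation_overdue` on a schedule and `check_password_change` at the moment a new password is submitted.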
1.3 Disable Unnecessary Services
On each controller, disable services not in use:
Services to Evaluate:
- [ ] FTP (disable; use SFTP or HTTPS)
- [ ] Telnet (disable; use SSH)
- [ ] HTTP (disable; use HTTPS only)
- [ ] SNMP v1/v2 (disable; use v3 if needed)
- [ ] UPnP (disable)
- [ ] mDNS/Bonjour (disable if not needed)
- [ ] Unused serial ports
- [ ] Debug interfaces
Priority 2: Network Architecture
2.1 Network Segmentation
Recommended Architecture:

```
┌─────────────────────────────────────────────┐
│              Corporate Network              │
│                  VLAN 100                   │
└──────────────────┬──────────────────────────┘
                   │ Firewall
┌──────────────────┴──────────────────────────┐
│               BAS Management                │
│                  VLAN 200                   │
│         (Workstations, Supervisors)         │
└──────────────────┬──────────────────────────┘
                   │ ACLs
┌──────────────────┴──────────────────────────┐
│              BAS Field Network              │
│                VLAN 300-399                 │
│      (Controllers, Sensors, Actuators)      │
└─────────────────────────────────────────────┘
```
2.2 Firewall Rules
| Source | Destination | Port | Protocol | Action |
|---|---|---|---|---|
| BAS Mgmt | BAS Field | 443, 47808 | HTTPS, BACnet | Allow |
| BAS Field | BAS Field | 47808 | BACnet | Allow |
| BAS Mgmt | Corporate | 443 | HTTPS | Allow (limited) |
| Corporate | BAS Field | Any | Any | Deny |
| BAS Field | Internet | Any | Any | Deny |
| BAS Mgmt | Internet | 443 | HTTPS | Allow (cloud only) |
```
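The segmentation in 2.1 and the rule table in 2.2 only work together if the firewall applies the rows in order and drops everything the table does not mention. As an added example (not from the original checklist or any firewall vendor), the table is encoded as an ordered policy with first-match evaluation and an implicit final deny, plus a review helper that lists every zone-to-zone flow the table decides only by that default. Zone names and ports are the table's own; the rule layout and the helper are this example's assumptions.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset        # empty frozenset means "Any"
    action: str             # "Allow" or "Deny"
    note: str = ""          # qualifier from the table, e.g. "limited", "cloud only"


ANY = frozenset()

# The six rows of the table in section 2.2, in order. 443 is HTTPS and
# 47808 (0xBAC0) is the standard BACnet/IP port.
RULES = [
    Rule("BAS Mgmt", "BAS Field", frozenset({443, 47808}), "Allow"),
    Rule("BAS Field", "BAS Field", frozenset({47808}), "Allow"),
    Rule("BAS Mgmt", "Corporate", frozenset({443}), "Allow", "limited"),
    Rule("Corporate", "BAS Field", ANY, "Deny"),
    Rule("BAS Field", "Internet", ANY, "Deny"),
    Rule("BAS Mgmt", "Internet", frozenset({443}), "Allow", "cloud only"),
]

ZONES = ["Corporate", "BAS Mgmt", "BAS Field", "Internet"]
PORTS = [443, 47808]


def evaluate(src, dst, port, rules=RULES):
    """First-match evaluation with an implicit final Deny.

    Returns (action, matched_rule). A flow that matches no row returns
    ("Deny", None): unlisted traffic is dropped, which is what makes the
    table an allow-list rather than a set of exceptions.
    """
    for rule in rules:
        if rule.src == src and rule.dst == dst and (not rule.ports or port in rule.ports):
            return rule.action, rule
    return "Deny", None


def undeclared_flows(zones, ports, rules=RULES):
    """Flows between distinct zones that no row decides (only the default deny does).

    Each entry is a decision the table makes silently; during review it should
    become either an explicit row or a documented intent.
    """
    return [
        (src, dst, port)
        for src, dst in product(zones, repeat=2) if src != dst
        for port in ports
        if evaluate(src, dst, port, rules)[1] is None
    ]


if __name__ == "__main__":
    for flow in [("BAS Mgmt", "BAS Field", 47808), ("Corporate", "BAS Field", 47808),
                 ("BAS Field", "BAS Mgmt", 47808)]:
        action, rule = evaluate(*flow)
        print(flow, "->", action, "(default deny)" if rule is None else "")
    for flow in undeclared_flows(ZONES, PORTS):
        print("implicit deny:", flow)
```

Running the review helper against the table shows, among other things, that there is no BAS Field to BAS Mgmt row. Replies to supervisor-initiated traffic pass through a stateful firewall, but BACnet devices can also initiate traffic toward a workstation (event and change-of-value notifications); if your supervisors rely on that, it needs an explicit row rather than falling to the default deny.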
2.3 Physical Security
Physical Security Checklist:
- [ ] Controller panels locked
- [ ] Wiring closets have restricted access
- [ ] USB ports disabled or monitored
- [ ] Console ports require authentication
- [ ] Visitor access to mechanical rooms logged
- [ ] Network drops in public areas disabled
- [ ] Security cameras on critical equipment
Priority 3: Access Management
3.1 Role-Based Access Control
| Role | View | Command | Configure | Admin |
|---|---|---|---|---|
| Viewer | Yes | No | No | No |
| Operator | Yes | Yes | No | No |
| Technician | Yes | Yes | Limited | No |
| Engineer | Yes | Yes | Yes | No |
| Administrator | Yes | Yes | Yes | Yes |
3.2 Authentication Best Practices
- Implement centralized authentication (LDAP/Active Directory)
- Enable multi-factor authentication where supported
- Set session timeouts (15 minutes for admin, 30 for operator)
- Log all authentication attempts (success and failure)
- Lock accounts after 5 failed attempts
- Maintain local emergency admin account with documented break-glass procedure
3.3 Audit Logging
Events to Log:
- [ ] Login/logout (success and failure)
- [ ] Configuration changes
- [ ] Override commands
- [ ] Alarm acknowledgments
- [ ] Schedule modifications
- [ ] Firmware updates
- [ ] User account changes
- [ ] Network configuration changes
Log Retention: Minimum 1 year
Log Storage: Centralized syslog server (not on controllers)
Priority 4: Software Management
4.1 Firmware and Software Updates
Update Process:
1. Subscribe to vendor security advisories
2. Test updates in lab environment first
3. Back up all controllers before updating
4. Schedule updates during low-occupancy periods
5. Apply updates to one controller, verify operation
6. Roll out to remaining controllers
7. Document firmware versions for each device
4.2 Vulnerability Management
| Activity | Frequency |
|---|---|
| Review vendor security bulletins | Monthly |
| Scan BAS network for vulnerabilities | Quarterly |
| Assess patch compliance | Monthly |
| Review open CVEs for BAS products | Monthly |
| Penetration testing | Annually |
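Step 7 of the update process (document firmware versions for each device) and the monthly patch-compliance assessment in the table above come together in a simple inventory comparison. As an added example (not part of the original checklist and not any vendor's tool), the code below compares a device inventory against an approved firmware baseline per model and flags the common pitfall of comparing version strings lexically, where "4.9.1" sorts after "4.10.2". The inventory, the baseline and the model names are constructed placeholders, not real products.

```python
import re


def parse_version(text):
    """Split a version string into a tuple of ints so comparison is numeric.

    '4.10.2' must sort after '4.9.1'; comparing the raw strings gets this wrong
    because '9' > '1' character by character. Non-numeric suffixes like '-beta'
    are ignored for ordering purposes.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def patch_compliance(inventory, baseline):
    """Compare each device's firmware with the approved version for its model.

    Statuses:
      'compliant'     matches the baseline
      'outdated'      below the baseline (patch missing)
      'ahead'         above the baseline (firmware that skipped the lab test in
                      step 2 is a finding too)
      'unknown-model' no baseline exists; the inventory or baseline needs work
    """
    report = []
    for device in inventory:
        approved = baseline.get(device["model"])
        if approved is None:
            status = "unknown-model"
        else:
            have, want = parse_version(device["firmware"]), parse_version(approved)
            status = "compliant" if have == want else "outdated" if have < want else "ahead"
        report.append({**device, "baseline": approved, "status": status})
    return report


def compliance_rate(report):
    """Fraction of inventoried devices on the approved firmware (0.0 for an empty inventory)."""
    if not report:
        return 0.0
    return sum(r["status"] == "compliant" for r in report) / len(report)


# Constructed sample data; model names are placeholders, not vendor product names.
BASELINE = {"supervisor-model-X": "4.10.2", "field-controller-model-Y": "2.4.0"}
INVENTORY = [
    {"device": "SUP-1", "model": "supervisor-model-X", "firmware": "4.10.2"},
    {"device": "SUP-2", "model": "supervisor-model-X", "firmware": "4.9.1"},
    {"device": "AHU-1-CTRL", "model": "field-controller-model-Y", "firmware": "2.4.0"},
    {"device": "AHU-2-CTRL", "model": "field-controller-model-Y", "firmware": "2.3.7"},
    {"device": "LIGHT-1", "model": "field-controller-model-Y", "firmware": "2.5.0-beta"},
    {"device": "VFD-3", "model": "vfd-model-Z", "firmware": "1.0"},
]

if __name__ == "__main__":
    report = patch_compliance(INVENTORY, BASELINE)
    for row in report:
        print(f"{row['device']:<12} {row['firmware']:<12} baseline={row['baseline']} -> {row['status']}")
    print(f"compliance rate: {compliance_rate(report):.0%}")
```

Treating "ahead" and "unknown-model" as findings rather than ignoring them is deliberate: a controller running firmware nobody tested in the lab, or a device whose model is not in the baseline at all, is exactly what the monthly review is meant to surface.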
Priority 5: Monitoring and Incident Response
5.1 Network Monitoring
Monitor For:
- Unauthorized devices on BAS VLANs
- Unusual traffic patterns (volume, destination)
- Failed authentication attempts (brute force)
- Changes to controller configurations
- Unexpected firmware modifications
- Communication with unknown external IPs
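The "failed authentication attempts (brute force)" item above, and the login success/failure events that section 3.3 says to ship to a central syslog server, are only useful if something correlates them. As an added example (not part of the original checklist and not any product's detection logic), the code below runs a sliding-window detector over a handful of constructed syslog lines: five or more failures from one source address within ten minutes raises an alert, and a success from that source while the failure run is still in the window raises a second, more serious one. The log line format and the `bas-auth` program name are assumptions made for this example; the threshold of five matches the lockout value in section 3.2.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example; adapt the regex to your supervisor's
# syslog output): "<Mon DD HH:MM:SS> <host> bas-auth: login <failed|succeeded> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) bas-auth: "
    r"login (?P<result>failed|succeeded) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
THRESHOLD = 5                   # same value as the lockout rule in section 3.2
WINDOW = timedelta(minutes=10)


def parse_line(line, year=2024):
    """Parse one syslog line into a dict, or return None for lines that do not match.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for failure bursts per source and for a success following a burst.

    Failures are grouped by source address rather than by account, so a source
    spraying default usernames across several accounts is still caught even
    though no single account reaches the per-account lockout count.
    """
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of failed logins inside the window
    already_alerted = set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:   # drop failures that aged out
            recent.popleft()
        if event["result"] == "failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in already_alerted:
                alerts.append({"kind": "brute-force", "src": src, "host": event["host"],
                               "user": event["user"], "failures": len(recent), "at": ts})
                already_alerted.add(src)
        else:
            if len(recent) >= threshold:
                # A success right after a burst suggests the guessing worked.
                alerts.append({"kind": "success-after-brute-force", "src": src,
                               "host": event["host"], "user": event["user"],
                               "failures": len(recent), "at": ts})
            recent.clear()
            already_alerted.discard(src)
    return alerts


# Constructed sample log: one source cycling through default usernames, one operator typo,
# and an unrelated line the parser must skip.
SAMPLE_LOG = [
    "Jun 12 02:14:07 bas-sup-01 bas-auth: login failed user=admin src=10.30.5.22",
    "Jun 12 02:14:09 bas-sup-01 bas-auth: login failed user=admin src=10.30.5.22",
    "Jun 12 02:14:12 bas-sup-01 bas-auth: login failed user=tridium src=10.30.5.22",
    "Jun 12 02:14:15 bas-sup-01 bas-auth: login failed user=tridium src=10.30.5.22",
    "Jun 12 02:14:18 bas-sup-01 bas-auth: login failed user=guest src=10.30.5.22",
    "Jun 12 02:14:21 bas-sup-01 bas-auth: login failed user=guest src=10.30.5.22",
    "Jun 12 02:14:40 bas-sup-01 bas-auth: login succeeded user=guest src=10.30.5.22",
    "Jun 12 06:58:02 bas-sup-01 bas-auth: login failed user=jdoe src=10.20.1.5",
    "Jun 12 06:58:20 bas-sup-01 bas-auth: login succeeded user=jdoe src=10.20.1.5",
    "Jun 12 07:00:00 bas-sup-01 kernel: unrelated message",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failed login from the operator's workstation produces nothing, which is the intended behaviour: the detector is meant to fire on patterns, not on every event the controllers already log. Pairing it with the section 3.2 lockout means the first alert arrives at the same moment the account lock would trigger, and the second alert covers the case where the guess landed on an account that was never locked.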
5.2 Incident Response Plan
Incident Response Steps:
1. Detect: Automated monitoring alerts
2. Contain: Isolate affected network segment
3. Assess: Determine scope and impact
4. Recover: Restore from known-good backups
5. Report: Document and notify stakeholders
6. Improve: Update defenses based on lessons learned
Key Contacts:
- BAS service provider
- IT security team
- Building operations
- Facility management
- Insurance provider (if applicable)
Compliance Reference
| Framework | Applicability |
|---|---|
| NIST CSF | General cybersecurity framework |
| ISA/IEC 62443 | Industrial control system security |
| ASHRAE Standard 135.1 | BACnet security |
| NIST SP 800-82 | Guide to ICS security |
| UL 2900-2-3 | Cybersecurity for BAS |
References
- CISA: Securing Building Automation Systems
- NIST SP 800-82: Guide to ICS Security
- BACnet International: BACnet Security Guide
- ASHRAE Standing Standard Project Committee 135
Security is not a project with an end date. It is an ongoing process that requires regular attention, updates, and vigilance.