Episode Description:
Remote access is no longer optional in building automation. But every connection to your BAS can also become a pathway for risk if security is treated as an afterthought.
In this episode, you’ll learn how VPNs, remote desktop tools, and zero trust strategies are reshaping the way automation professionals manage buildings remotely. You’ll also hear why many BAS networks remain vulnerable and where even experienced teams make costly mistakes.
Topics Covered
• Why BAS cybersecurity is different from traditional IT security
• The real differences between site-to-site, client-to-site, and zero trust access
• How network segmentation protects building systems from larger threats
• Common remote access mistakes that create hidden vulnerabilities
• What a practical and secure remote access strategy should include
As building systems become more connected, the challenge is no longer just enabling access. It’s securing it without compromising operations.
Remote access has become a standard expectation in modern building automation systems. Facility teams want visibility from anywhere. Service providers need the ability to troubleshoot remotely. Owners expect cloud analytics, dashboards, and centralized oversight across portfolios.
At the same time, every remote connection creates a potential entry point into operational technology systems.
Building automation systems were not originally designed for internet connectivity. Many systems still operate with legacy controllers, outdated firmware, proprietary protocols, and long upgrade cycles. As connectivity expands, cybersecurity risk increases alongside convenience.
In this episode, we break down the fundamentals of VPNs, secure remote access strategies, and the security pitfalls that continue to expose BAS environments.
Traditional IT security practices do not always translate cleanly into operational technology environments.
Building automation systems contain devices that often remain in service for decades. Many controllers cannot tolerate downtime for frequent patching or upgrades. Some devices were built long before cybersecurity became a priority.
A typical BAS network also contains multiple layers:
Each layer introduces different risks and different access requirements.
Treating the entire BAS environment like a flat IT network creates major vulnerabilities.
A VPN, or Virtual Private Network, creates an encrypted tunnel between two endpoints across a public network.
The purpose is simple:
The episode explains several common VPN architectures used in building automation:
Site-to-site VPNs create permanent encrypted connections between locations, such as a remote facility and a central operations center.
They are commonly used for:
Client-to-site VPNs allow individual users to connect securely to a BAS network from remote laptops or mobile devices.
This is the most common approach for technicians and facility operators working remotely.
Zero trust takes a different approach entirely.
Instead of granting broad network access, users only receive access to specific resources for limited periods of time.
For example:
Everything else on the network remains invisible.
One of the most important concepts covered in the episode is network segmentation.
Many BAS environments still operate on flat networks where building systems sit too close to corporate IT infrastructure.
That creates unnecessary risk.
A properly segmented architecture separates:
Segmentation limits exposure when a compromise occurs.
If an attacker gains access to one segment, they cannot automatically move throughout the entire environment.
Defense in depth becomes essential for operational technology security.
The episode also highlights several common failures that continue to appear in BAS deployments.
A VPN installed years ago without updates becomes a liability.
Remote access infrastructure requires:
Security is an operational responsibility, not a completed task.
Convenience often creates risk.
When users avoid VPNs because they are slow or difficult to use, they may create unauthorized workarounds using tools like remote desktop sharing applications.
These shortcuts often bypass security controls entirely.
Remote Desktop Protocol remains one of the most exploited attack vectors in operational technology.
Any remote desktop solution should sit behind secure access controls such as:
Direct internet exposure creates unacceptable risk.
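The segmentation and remote desktop points above can be turned into a routine check. The following is an added example, not code from the episode or from Smart Buildings Academy: it audits constructed firewall flow records against an assumed zone map (corporate IT, BAS supervisory hosts, BAS controllers, a VPN address pool) and flags flows that cross segments without passing through the supervisory layer, plus any RDP session permitted straight from outside the defined zones. Addresses, the log format and the allowed zone pairs are all assumptions.

```python
import ipaddress

# Constructed zone map (assumption): addresses are illustrative, not a real site.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),  # office IT
    "bas_mgmt": ipaddress.ip_network("10.20.1.0/24"),   # supervisory servers / jump hosts
    "bas_field": ipaddress.ip_network("10.20.2.0/24"),  # controllers with long-lived firmware
    "vpn_pool": ipaddress.ip_network("10.99.0.0/24"),   # client-to-site VPN addresses
}
RDP_PORT = 3389
# Permitted (source, destination) zone pairs into the BAS; anything else is a violation.
ALLOWED = {("bas_mgmt", "bas_mgmt"), ("bas_mgmt", "bas_field"),
           ("bas_field", "bas_mgmt"), ("bas_field", "bas_field"),
           ("vpn_pool", "bas_mgmt")}  # remote users land on supervisory hosts only

def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the defined zones is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit(lines):
    """Return (reason, line) for each permitted flow that violates the policy."""
    findings = []
    for line in lines:
        # Constructed record format (assumption): '<src_ip> <dst_ip> <dst_port> <ALLOW|DENY>'
        parts = line.split()
        if len(parts) != 4 or parts[3] != "ALLOW":
            continue  # blank, malformed or already-blocked flows are not findings
        src_zone, dst_zone, port = zone_of(parts[0]), zone_of(parts[1]), int(parts[2])
        if port == RDP_PORT and src_zone == "external":
            findings.append(("RDP reachable directly from outside", line))
        elif dst_zone.startswith("bas_") and (src_zone, dst_zone) not in ALLOWED:
            findings.append((f"segmentation bypass: {src_zone} -> {dst_zone}", line))
    return findings

# Constructed sample flow records (assumption): not captured from a real network.
FLOW_LOG = """\
10.20.1.5 10.20.2.17 4000 ALLOW
10.10.4.22 10.20.2.17 4000 ALLOW
203.0.113.9 10.20.1.5 3389 ALLOW
10.99.0.7 10.20.1.5 3389 ALLOW
10.10.4.22 10.20.2.17 80 DENY
10.99.0.7 10.20.2.17 80 ALLOW
"""

if __name__ == "__main__":
    for reason, line in audit(FLOW_LOG.splitlines()):
        print(f"{reason}: {line}")
```

On the sample records the audit reports the corporate workstation reaching a controller, the RDP session permitted from an outside address, and the VPN user bypassing the supervisory hosts; the RDP session arriving through the VPN pool to a supervisory host is not flagged, which is the placement the episode recommends.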
Controls professionals understand BAS operations extremely well. Cybersecurity, however, is its own discipline.
Strong remote access strategies require collaboration between:
The best results happen when security planning begins during system design, not after deployment.
Zero trust architecture is gaining momentum because it aligns well with operational technology security goals.
Instead of assuming a user can be trusted once connected to the network, zero trust continuously verifies:
This significantly reduces the impact of compromised credentials or insider threats.
As BAS environments continue moving toward cloud connectivity, centralized management, and remote service delivery, zero trust models will likely become more common across the industry.
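To make the contrast with broad network access concrete, here is an added example (not code from the episode or from any product it mentions) of a small access broker that models the zero trust behaviour described above: access is granted per named resource for a limited time, every request is checked again rather than trusted because a session exists, and resources with no active grant are simply not visible. The verification signals (MFA result, managed device) and the scenario in demo() are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    user: str
    resource: str         # one named system, not a whole subnet
    expires_at: datetime  # access lapses on its own; nobody has to remember to revoke it

class ZeroTrustBroker:
    """Per-request, deny-by-default decisions; being connected grants nothing by itself."""
    def __init__(self):
        self._grants: list[Grant] = []

    def grant(self, user: str, resource: str, ttl: timedelta, now: datetime) -> Grant:
        g = Grant(user, resource, now + ttl)
        self._grants.append(g)
        return g

    def decide(self, user: str, resource: str, now: datetime,
               mfa_verified: bool, device_managed: bool) -> tuple[bool, str]:
        # Verification signals are assumptions for the example; a real broker checks more.
        if not mfa_verified:        # a stolen password alone is not enough
            return False, "identity not verified"
        if not device_managed:      # an unmanaged laptop is refused even with valid credentials
            return False, "device posture failed"
        for g in self._grants:
            if g.user == user and g.resource == resource:
                if now < g.expires_at:
                    return True, "grant valid"
                return False, "grant expired"
        return False, "no grant for this resource"   # the resource stays invisible

    def visible_resources(self, user: str, now: datetime) -> list[str]:
        return sorted({g.resource for g in self._grants
                       if g.user == user and now < g.expires_at})

def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: a technician gets two hours on one supervisory server."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    broker = ZeroTrustBroker()
    broker.grant("tech-a", "bas-supervisor-01", timedelta(hours=2), now=t0)
    later, after = t0 + timedelta(minutes=30), t0 + timedelta(hours=3)
    return [
        broker.decide("tech-a", "bas-supervisor-01", later, True, True),    # in scope, in time
        broker.decide("tech-a", "chiller-controller-7", later, True, True), # never granted
        broker.decide("tech-a", "bas-supervisor-01", after, True, True),    # window closed
        broker.decide("tech-a", "bas-supervisor-01", later, True, False),   # wrong device
    ]
```

Only the first request in demo() succeeds; the same valid credentials are refused for an ungranted controller, after the window closes, and from an unmanaged device, which is the limited blast radius for compromised credentials that the episode describes.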
Connectivity delivers real operational value.
Remote monitoring, cloud analytics, digital twins, and centralized management platforms can improve efficiency and reduce service costs.
But connectivity without security creates exposure.
A secure BAS remote access strategy should include:
The organizations that succeed will be the ones that balance operational flexibility with disciplined cybersecurity practices.
Building automation systems are no longer isolated systems sitting quietly inside buildings. They are connected operational platforms that require the same level of security attention as any critical infrastructure environment.
For a deeper discussion and insights from the field, listen to this episode on the Smart Buildings Academy podcast.