BAS Device Cybersecurity: What IT Needs to Know Before Approving a Field Device

BAS device cybersecurity is now a step every building automation system (BAS) field device must clear before going on a network. An IT or security team often reviews the device first, and a growing share of those reviews end in rejection. A device that doesn't address security questions will likely not get installed, and on a tight construction or retrofit schedule, an unapproved device can hold up the job.
Functional Devices, Inc. manufactures BAS field devices in both serial and IP-networked forms, which affects how each one fits a security review.
Why IT Now Reviews BAS Field Device Purchases
Building controls used to run on their own wiring, separate from the corporate network. That separation has now mostly disappeared. Controllers, sensors, and relays now share IP networks and, in many buildings, reach the internet. Operational technology (OT) and IT have converged, and security teams treat anything on the network as part of their responsibility.
The concern is lateral movement, where access to one device becomes a path to the rest of the network. In the 2013 Target breach, attackers used a heating, ventilation, and air conditioning (HVAC) vendor's stolen network credentials to get in, and because that vendor's access wasn't segmented from the payment network, they reached point-of-sale systems and tens of millions of card records. The building systems themselves weren't the target; the network path through that vendor's access was.
What IT Evaluates in a BAS Device Security Review
A security review typically asks a consistent set of questions. Knowing them in advance lets you specify a device that answers them.
- Network exposure. What can reach the device, and what can the device reach? A device on an isolated serial bus has a different exposure than one with an IP address on a shared network.
- Protocol and encryption. Standard BACnet/IP traffic is unencrypted and readable with a packet sniffer. BACnet Secure Connect (BACnet/SC), an ASHRAE addendum to the BACnet standard, uses TLS and certificate-based authentication to encrypt traffic and verify a device before it joins the network. IT will ask which one a device uses.
- Authentication and default credentials. Any device with a web or network login should allow the default password to be changed. Default credentials left in place are among the first things an attacker checks.
- Firmware and patching. Can the firmware be updated if a vulnerability is found, and how? A device with no update path is a long-term liability.
- Vendor security documentation. IT looks for a clear statement of how the device communicates, what ports it uses, and how it is hardened. A vendor who can produce this clears review faster.
How Connectivity Changes the Attack Surface
A field device's security profile follows its connection type more than its function. The same relay is a different security proposition depending on how it communicates with the system.
- A non-networked relay switched by a controller has no network identity of its own. It can't be addressed or reached over the network, so it adds nothing to the attack surface.
- A serial MS/TP device sits on an RS-485 bus, not the IP network. It has no IP address and can't be reached from the internet or the corporate network without physical access to the bus.
- A BACnet/IP device has an IP address on the network and, in many cases, a configuration web page. That makes it convenient to commission and reach, but also a host that has to be segmented, credentialed, and patched like any other networked device.
- A BACnet/SC device adds the encryption and authentication layer above, which is what lets a connected device meet stricter requirements on a managed IT network.
Matching the connection type to the application is the lever a specifier controls. A device that only switches a load on a command from a local controller doesn't need an IP address, and leaving it off the IP network removes it from that attack surface.
Specifying Field Devices That Clear IT Review
Functional Devices manufactures BAS field devices across these connection types, which lets a specifier match the device to the security posture of the network.
- For control points that don't need a network identity, a standard relay switched by the controller stays off the network entirely.
- For serial networks, the RIBTW2401B-BC is a BACnet MS/TP relay on an RS-485 bus, with no IP address to expose.
- For IP networks, the RIBTW2421B-BCIP is a BACnet/IP relay that connects over Ethernet. On an IP device, change the default credentials and place it on a segmented building network rather than a flat shared one.
Whichever connection type a project uses, a security review is easier to clear when the answers are set at specification time: choose the lightest connectivity the application needs, plan for segmentation and credentialing on anything with an IP address, and have the device's communication details ready for the security team.
Frequently Asked Questions
Why does IT need to approve a BAS field device?
Because a device on the building network can become a path into the rest of it. Security teams review connected building devices to confirm they can be segmented, credentialed, and patched before the device goes on the network.
Is a BACnet MS/TP device a network security risk?
It has a smaller attack surface than an IP device. An MS/TP device sits on a serial RS-485 bus with no IP address, so it can't be reached from the internet or the corporate network without physical access to the bus.
What is BACnet Secure Connect (BACnet/SC)?
A secure version of BACnet, defined as an ASHRAE addendum, that uses TLS and certificate-based authentication to encrypt communication and verify devices before they join the network. It runs on IP networks and complements BACnet/IP and MS/TP rather than replacing them.
How do I get a connected building device through IT review?
Choose the lightest connection type the application needs, change default credentials, plan for network segmentation on anything with an IP address, and have the device's communication and hardening details ready for the security team.
Specify BAS Field Devices for Your Network
To match BAS field devices to a project's security requirements, contact Functional Devices at 800-888-5538, or find an authorized distributor in your region.