The realistic threat model
Building-automation systems are rarely the direct target of sophisticated nation-state attackers. The realistic threats are mundane and far more likely: untargeted internet-wide scanning that finds an exposed BACnet endpoint, opportunistic ransomware that reaches the building network over a path it shares with corporate IT, and insider mistakes that leave a system reachable from the public internet.
BACnet on a flat network is the most common failure mode
The single most common building-automation security failure is BACnet (or Modbus) exposed on a flat network, often unintentionally bridged to the building's general IT network. BACnet/IP and Modbus/TCP as commonly deployed carry no authentication or encryption, so whoever can reach the port can issue reads and writes. Anything reachable from the public internet on a BACnet port is found by internet-wide scanners within minutes. The fix is architectural: isolate the HVAC network, use an on-site gateway with encrypted outbound backhaul, and never expose BACnet inbound.
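As an added illustration (not the page's own tooling), the check below runs over constructed inbound-flow records and flags the two failures this section describes: BACnet or Modbus reachable from a public address, and BACnet or Modbus reachable from another internal segment, which is the flat-network case. The key=value line format, the 10.20.0.0/16 HVAC prefix and every sample address are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Flow is one inbound connection attempt as a firewall or flow collector
// might record it. The key=value line format parsed below is constructed for
// this example; adapt parseFlow to the real log source.
type Flow struct {
	Src, Dst netip.Addr
	Proto    string
	DstPort  uint16
}

// Finding is one flagged flow with a severity and the reason it was flagged.
type Finding struct {
	Line     string
	Severity string
	Reason   string
}

// Default ports of the two protocols the page warns about.
var otPorts = map[string]string{
	"udp/47808": "BACnet/IP",
	"tcp/502":   "Modbus/TCP",
}

// hvacNet is where the HVAC segment is supposed to live (an assumption for
// the example; substitute the site's real prefix).
var hvacNet = netip.MustParsePrefix("10.20.0.0/16")

// parseFlow reads "src=A dst=B proto=P dport=N"; field order does not matter.
func parseFlow(line string) (Flow, error) {
	var f Flow
	seen := map[string]bool{}
	for _, kv := range strings.Fields(line) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return f, fmt.Errorf("bad field %q", kv)
		}
		var err error
		switch k {
		case "src":
			f.Src, err = netip.ParseAddr(v)
		case "dst":
			f.Dst, err = netip.ParseAddr(v)
		case "proto":
			f.Proto = strings.ToLower(v)
		case "dport":
			var p uint64
			p, err = strconv.ParseUint(v, 10, 16)
			f.DstPort = uint16(p)
		default:
			continue // fields this check does not use
		}
		if err != nil {
			return f, fmt.Errorf("field %s: %w", k, err)
		}
		seen[k] = true
	}
	for _, k := range []string{"src", "dst", "proto", "dport"} {
		if !seen[k] {
			return f, fmt.Errorf("missing field %s", k)
		}
	}
	return f, nil
}

// isPublic is true for addresses that are neither RFC 1918/4193 private,
// loopback, nor link-local: traffic from them crossed the internet.
func isPublic(a netip.Addr) bool {
	return !a.IsPrivate() && !a.IsLoopback() && !a.IsLinkLocalUnicast()
}

// Classify flags inbound flows that enter the HVAC segment from outside it.
func Classify(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		f, err := parseFlow(line)
		if err != nil {
			out = append(out, Finding{line, "parse-error", err.Error()})
			continue
		}
		if !hvacNet.Contains(f.Dst) || hvacNet.Contains(f.Src) {
			continue // not crossing into the HVAC segment
		}
		proto, isOT := otPorts[fmt.Sprintf("%s/%d", f.Proto, f.DstPort)]
		switch {
		case isOT && isPublic(f.Src):
			out = append(out, Finding{line, "critical", proto + " reachable from the public internet"})
		case isOT:
			out = append(out, Finding{line, "high", proto + " reachable from another internal segment (flat network)"})
		default:
			out = append(out, Finding{line, "medium", "non-OT inbound traffic into the HVAC segment; confirm it is an intended management path"})
		}
	}
	return out
}

func main() {
	// Constructed sample records; none are real observations.
	sample := []string{
		"src=203.0.113.7 dst=10.20.1.15 proto=udp dport=47808", // internet -> BACnet
		"src=10.50.3.9 dst=10.20.1.16 proto=tcp dport=502",     // office LAN -> Modbus
		"src=10.20.1.2 dst=10.20.1.16 proto=udp dport=47808",   // BMS server inside the segment: expected
		"src=10.50.3.9 dst=10.20.1.1 proto=tcp dport=443",      // office -> HVAC segment, not an OT port
		"src=198.51.100.4 dst=10.50.3.9 proto=tcp dport=443",   // not HVAC-bound, ignored
	}
	for _, f := range Classify(sample) {
		fmt.Printf("[%s] %s\n    %s\n", f.Severity, f.Reason, f.Line)
	}
}
```

The severity split is the point: a public source on a BACnet or Modbus port is the exposure this section says gets scanned within minutes, while a private source from outside the HVAC prefix is the bridged flat network that makes a ransomware foothold in the office a foothold in the plant.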
What to demand from a vendor
- Encrypted backhaul. TLS to the cloud / management plane. No clear-text protocols over WAN.
- No inbound holes. The on-site server should only make outbound connections. No port forwarding required.
- Edge logic. Control plane survives cloud outages — both an availability and a security property.
- Network isolation. RS485 / RJ45 ports galvanically isolated (1.5 kV typical), which protects against ground faults and surges; the security control is the logical separation of the HVAC network from the corporate LAN.
- Role-based access. Least privilege by default. No shared service accounts.
- Audit log. Every override, schedule change, and user action timestamped and attributed.
- Signed firmware. The on-site server must validate firmware updates against vendor signatures.
- Disclosed update lifecycle. A clear policy on how long the product receives security updates.
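The "Signed firmware" item above is the one a buyer can test for without the vendor's help, so here is an added example of what that check looks like on the receiving side. It is illustrative code, not AmbiAutomation's or any vendor's implementation. It assumes an Ed25519 vendor key pinned in the device, a manifest layout of version followed by SHA-256 of the image, and a constructed stand-in for the image bytes. It also enforces what a bare signature check does not: a correctly signed but older image is refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// A signed update carries a small manifest (version || sha256(image)) and an
// Ed25519 signature over that manifest. Signing the manifest rather than the
// raw image keeps the version number under the signature, which is what lets
// the verifier refuse a correctly signed but older image.
const manifestLen = 4 + sha256.Size

type Update struct {
	Manifest  []byte // big-endian uint32 version, then the image hash
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // the firmware bytes themselves
}

var (
	ErrManifest     = errors.New("manifest has wrong length")
	ErrSignature    = errors.New("manifest signature does not verify")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback     = errors.New("update is not newer than installed version")
)

// BuildUpdate stands in for the vendor's release pipeline (included so the
// example is self-contained; in practice the private key stays offline).
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	h := sha256.Sum256(image)
	copy(m[4:], h[:])
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m), Image: image}
}

// VerifyUpdate is the on-site server's acceptance check. The vendor public
// key is pinned in the device image. On success it returns the version that
// may now be installed; otherwise it returns the reason for rejection.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) (uint32, error) {
	if len(u.Manifest) != manifestLen {
		return 0, ErrManifest
	}
	// 1. Authenticate the manifest before trusting anything inside it.
	if !ed25519.Verify(vendorPub, u.Manifest, u.Signature) {
		return 0, ErrSignature
	}
	// 2. Bind the image bytes to the signed hash.
	want := u.Manifest[4:]
	got := sha256.Sum256(u.Image)
	if !bytes.Equal(want, got[:]) {
		return 0, ErrHashMismatch
	}
	// 3. Refuse downgrades: an old, still-signed image reintroduces the
	//    bugs its successors fixed.
	version := binary.BigEndian.Uint32(u.Manifest[:4])
	if version <= installed {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 7") // stand-in for a real image
	good := BuildUpdate(priv, 7, image)

	v, err := VerifyUpdate(pub, 6, good)
	fmt.Println("genuine update:", v, err)

	tampered := good
	tampered.Image = append([]byte("X"), image[1:]...) // one byte changed
	_, err = VerifyUpdate(pub, 6, tampered)
	fmt.Println("tampered image:", err)

	_, err = VerifyUpdate(pub, 7, good) // replayed against a device already on 7
	fmt.Println("replayed / rolled back:", err)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyUpdate(otherPub, 6, good) // signed with someone else's key
	fmt.Println("wrong signer:", err)
}
```

The order of the three checks matters: the signature is verified before any field of the manifest is read, so a forged version number or hash is never acted on. The rollback check is the part most vendor answers omit; ask whether their devices keep a monotonic installed-version counter and refuse anything at or below it.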
Authentication and access
The app side: enforced strong passwords, optional SSO integration, session expiry, and an available path to MFA. The device side: provisioning credentials unique to each device and rotated on factory reset. No default passwords.
Updates and lifecycle
Building-automation devices live in the field for 5–10 years, and the realistic security posture depends on whether they keep receiving updates for that long. Ask any vendor up-front about their long-term update commitment, and confirm that over-the-air (OTA) updates are supported: pulling devices for manual firmware updates is rarely operationally feasible.
FAQ
Should the HVAC network share Wi-Fi with the office?
No. The HVAC network should be logically separated. Where physically possible, prefer Ethernet on a dedicated VLAN. Cellular backhaul is often the cleanest segmentation, because the HVAC gateway then shares no link at all with the office network.
How is AmbiAutomation hardened?
Outbound-only encrypted backhaul, galvanic / serial isolation on every port, edge-resident control, role-based access on the app, audit logging by default, signed firmware updates. See the On-Site Automation Server spec for details.
Want a security review for your site?
Our team can review your existing building-automation security and propose hardening steps. No commitment required.