Three Things to Do to Keep Your BAS Secure

Increased remote working and IoT mean more exposure to trouble

Work-from-home arrangements as a result of the COVID-19 pandemic have presented information security officers and their teams with unprecedented challenges.

As reported by cyber-security firm Kaspersky, RDP (Remote Desktop Protocol) brute-force attacks have increased significantly in the last month.

But BAS security issues aren’t solely a result of the pandemic. They’ve existed for years. While not tied directly to BAS, consider the security breach at Target in 2013, when a refrigerator contractor left a “door” open for hackers to access the corporate system.

Here are three things you can do to keep your building automation system secure from online bad actors.

1) Work with a contractor that sets up your system properly

Building automation systems have increased in scope, due in large part to parallel evolutions of systems’ technologies and the Internet. When a provider or contractor installs a BAS in a way that exposes it to the World Wide Web, hackers can potentially access the system using known hacker tools such as brute-force attacks and username and password lists from the dark web.

If your contractor doesn’t use appropriate credentials, such as strong usernames and passwords, and fails to put the system behind a VPN with appropriate firewall rules, the BAS is exposed to the Internet and to hackers.

Adding to your risk is the growing use of IoT, which includes tying a BAS into security systems, fire alarm systems and more. It may seem like a convenient and safe networking strategy, but that’s not always the case. Without the correct parameters between systems, putting them on your corporate network risks exposing a building to a hacker or to a greater security breach event.

Lesson: Separate the networks, ensure your BAS is behind a VPN, and implement security protocols, including complex usernames and passwords.

2) Keep your system up to date. (Have you considered a Support Agreement?)

Most building automation systems are server based, and therefore software updates – a key to increased security against hackers – are not automatically completed. For example, your laptop or PC will prompt you to update: “Restart to update.” This is usually not the case with your BAS.

The easiest way to make certain software and server updates are installed is to be on a Support Agreement. ACES customers with Support Agreements can rest easy with the knowledge their systems are at peak performance, and all current security patches and updates are installed.

If you’re managing your system without a Support Agreement, get in touch with your system provider for directions on how to secure your system and keep it properly patched with Windows and system updates.

3) Work with a system that’s designed for security

Automated Logic Corporation (ALC), whose systems and technologies ACES provides, is manufacturer-agnostic. ALC works well with any brand of HVAC system. As such, it’s designed for optimal performance and security. ALC is also vigilant about communicating with users around the world to learn the latest threats and fixes, so that customers can learn and implement best-practice installation and maintenance guidelines for protecting their BAS.

To make your BAS more secure, contact your ACES rep or go to

