BMS Device Inventory

Project Summary

Complete discovery, inventory, and diagramming of all Building Management System (BMS) devices across CHLA: HVAC, lighting, access control, fire safety, elevators. Replace the legacy Visio diagrams with D2 code-as-diagram so the topology lives in version-controlled text. Validate that Cisco ISE profiles every BMS endpoint correctly and that the resulting segmentation policy (authorization rule and dACL) is the intended one for all BMS endpoints.

Feeds into Mandiant remediation (BMS segmentation) and the broader zero-trust network posture.

Discovery Results (2026-04-24)

| Metric | Value |
|---|---|
| Total BMS devices | 72 unique MACs |
| Primary vendor | Johnson Controls (SNE11001, CVE03050, NAE5510, NAE4510, NAE3510, NAE3514, SNE22002, SNC25150) |
| Secondary vendors | Tridium/Niagara (6), KMC Controls (4), EasyIO (1), Daikin (1) |
| Profiling source | Claroty + Medigate (third-party feed into ISE), not native ISE profiling |
| Identity group | All 72 in IoT_Onboard (intentional failsafe) |
| Primary auth rule | "BMS supervisor" → BMS_Supervisor_CM_dACL (70 devices) |
| Legacy auth rule | "Windows CE temp allow http" → BMS_Supervisor_CM_DACL_retire (4 devices) |
| Switches | 37 unique switches across Duque, Gateway, McAlister, NHB, OPT, Page, SRT, Saban |
| Dominant OUI | 00:10:8D (Johnson Controls), 46 of 72 devices |

Architecture

Policy is profile-driven, not group-driven. As long as Claroty/Medigate profiles a device correctly, the endpoint profile matches the authorization rule directly and the device receives BMS_Supervisor_CM_dACL. That puts the Claroty/Medigate feed inside the authorization trust boundary: a wrong or stale profile changes the dACL a device gets, which is why Phase 3 assesses that dependency. The IoT_Onboard identity group is a failsafe: if profiling breaks, devices land in a known group with a baseline policy instead of falling through to Default/DenyAccess. The failsafe only contains a profiling outage if that baseline policy is narrower than BMS_Supervisor_CM_dACL; if it is broader, an outage widens access instead of limiting it, so the baseline dACL is part of what Phase 3 must validate.

4 dedicated BMS test groups exist but are empty (0 members). They were created for testing and never populated for production; cleanup is pending and must be preceded by a check that no authorization rule condition references them.
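The checks implied by the design above (every device in the failsafe group, no unprofiled device falling through to Default, the retire-dACL stragglers and null-profile devices listed for Phase 2b, and test groups confirmed unreferenced before deletion) can be run against the discovery export. The script below is an added example, not the project's own tooling: it assumes the DataConnect/ERS results have been flattened to one record per endpoint (MAC, profiler result, identity group, last matched authorization rule and dACL). The field names, the sample records, the "IoT_Onboard baseline" rule, "IoT_Onboard_dACL" and "BMS_Test_1/2" group names, and the rule-condition text are all constructed for illustration; the page does not name them and they are not CHLA data.

```python
"""Check the profile-driven BMS policy and build the Phase 2b cleanup list from an ISE export.

Added example; it is not the project's own tooling. It assumes the
DataConnect/ERS results have been flattened to one record per endpoint with
the MAC, the profiler result ("profile", None when unprofiled), the endpoint
identity group, and the last matched authorization rule and dACL. Field
names, the sample records and the rule conditions below are constructed for
illustration and are not CHLA data.
"""
from collections import Counter

FAILSAFE_GROUP = "IoT_Onboard"
RETIRE_RULE = "Windows CE temp allow http"
RETIRE_DACL = "BMS_Supervisor_CM_DACL_retire"
CATCH_ALL_RULES = {"Default", "DenyAccess"}  # landing here means no BMS rule matched
JCI_OUI = "00:10:8D"

# Constructed sample export. "IoT_Onboard baseline", "IoT_Onboard_dACL" and
# "BMS_Test_1/2" are assumed names for the failsafe rule, its dACL and two
# of the test groups; the page does not name them.
SAMPLE_ENDPOINTS = [
    {"mac": "00:10:8D:AA:00:01", "profile": "Johnson-Controls-NAE", "group": "IoT_Onboard",
     "rule": "BMS supervisor", "dacl": "BMS_Supervisor_CM_dACL"},
    {"mac": "00:10:8D:AA:00:02", "profile": None, "group": "IoT_Onboard",
     "rule": "IoT_Onboard baseline", "dacl": "IoT_Onboard_dACL"},
    {"mac": "00:10:8D:AA:00:03", "profile": "Johnson-Controls-NAE", "group": "IoT_Onboard",
     "rule": "Windows CE temp allow http", "dacl": "BMS_Supervisor_CM_DACL_retire"},
    {"mac": "02:00:00:BB:00:04", "profile": "Tridium-Niagara", "group": "BMS_Test_1",
     "rule": "BMS supervisor", "dacl": "BMS_Supervisor_CM_dACL"},
    {"mac": "00:10:8D:AA:00:05", "profile": "Johnson-Controls-NAE", "group": "IoT_Onboard",
     "rule": "Default", "dacl": None},
    {"mac": "00:10:8D:AA:00:06", "profile": None, "group": "IoT_Onboard",
     "rule": "Default", "dacl": None},
]

# Constructed rule conditions in the attribute syntax ISE shows in the policy
# set view. ERS does not expose authorization rules, so in practice this
# comes from a policy export, not from the endpoint queries.
SAMPLE_RULE_CONDITIONS = {
    "BMS supervisor": "EndPoints:EndPointPolicy EQUALS Johnson-Controls-NAE",
    "IoT_Onboard baseline": "IdentityGroup:Name EQUALS Endpoint Identity Groups:IoT_Onboard",
}


def oui(mac):
    """First three octets, normalised to the 00:10:8D form used in the inventory."""
    return mac.upper()[:8]


def audit(endpoints):
    """Return the findings a Phase 2b/3 pass needs, keyed by finding type."""
    f = {"null_profile": [], "retire_dacl": [], "outside_failsafe": [],
         "profile_no_match": [], "failsafe_breach": []}
    for e in endpoints:
        mac = e["mac"]
        if e["profile"] is None:
            f["null_profile"].append(mac)
            if e["rule"] in CATCH_ALL_RULES:
                # Unprofiled and the group-based failsafe did not catch it.
                f["failsafe_breach"].append(mac)
        elif e["rule"] in CATCH_ALL_RULES:
            # Profiled, but no authorization rule keys on that profile.
            f["profile_no_match"].append(mac)
        if e["rule"] == RETIRE_RULE or e["dacl"] == RETIRE_DACL:
            f["retire_dacl"].append(mac)
        if e["group"] != FAILSAFE_GROUP:
            f["outside_failsafe"].append(mac)
    f["rule_counts"] = Counter(e["rule"] for e in endpoints)
    f["jci_by_oui"] = sum(1 for e in endpoints if oui(e["mac"]) == JCI_OUI)
    return f


def group_references(groups, rule_conditions):
    """Map each identity group to the rules whose condition text names it (substring match)."""
    return {g: sorted(r for r, c in rule_conditions.items()
                      if f"Endpoint Identity Groups:{g}" in c)
            for g in groups}


def safe_to_delete(groups, rule_conditions, endpoints):
    """Groups with neither a rule reference nor a member: the pre-check for the Phase 2b deletions."""
    refs = group_references(groups, rule_conditions)
    members = Counter(e["group"] for e in endpoints)
    return sorted(g for g in groups if not refs[g] and members[g] == 0)


if __name__ == "__main__":
    findings = audit(SAMPLE_ENDPOINTS)
    for kind in ("null_profile", "retire_dacl", "outside_failsafe",
                 "profile_no_match", "failsafe_breach"):
        print(f"{kind:18s} {findings[kind]}")
    print("rules:", dict(findings["rule_counts"]), "| JCI by OUI:", findings["jci_by_oui"])
    print("safe to delete:", safe_to_delete(["IoT_Onboard", "BMS_Test_1", "BMS_Test_2"],
                                            SAMPLE_RULE_CONDITIONS, SAMPLE_ENDPOINTS))
```

Two findings matter more than the rest. `failsafe_breach` is a device that is unprofiled and still hit Default, which means the IoT_Onboard baseline rule is not doing its job; `profile_no_match` is a device that is profiled but hit Default, which means a profile name drifted away from the rule condition. Both are invisible in a plain group-membership count, which is why the audit keys on the matched rule rather than the identity group. The group-reference check is a substring match over exported condition text; it is deliberately conservative (any mention blocks deletion) and should be run against the actual policy export, not against a hand-typed list.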

Status

| Phase | Description | Status | Notes |
|---|---|---|---|
| 0: Discovery | ISE Data Connect (ODBC) + ERS (REST) queries; 16 queries, run against production | ✅ Done | 72 devices found. 37 switches. Results in data/d001/projects/bms-device-inventory/output/2026-04-24/ |
| 1: Classification | Categorize by function (HVAC, lighting, access, fire, elevator). Map MAC → controller → building → floor. | ❌ Not started | Cross-reference with Visio diagrams needed |
| 2: Diagram | Convert Visio topology to D2: controller hierarchy, network view, building view. | ❌ Not started | Prior Visio diagrams exist as reference |
| 2b: Cleanup | Delete the 4 orphaned test groups. Migrate the 4 devices still matching the "Windows CE temp allow http" rule off BMS_Supervisor_CM_DACL_retire. Fix the 3 null-profile devices. Update query patterns. | ❌ Not started | Verify no authorization rule condition references a group before deleting it |
| 3: ISE Policy Validation | Verify profile-driven auth end to end. Assess the Claroty/Medigate dependency. Validate that the IoT_Onboard failsafe policy actually catches unprofiled devices. | ❌ Not started | Depends on Phase 1 + 2b |
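Phase 2 converts topology to D2, and the point of code-as-diagram is that the diagram is generated from the Phase 1 mapping rather than drawn. The generator below is an added example, not the project's Visio-to-D2 converter. It assumes Phase 1 yields one row per device with a MAC, model, function, building, floor, access switch and parent (supervisory) controller; the rows, switch names and parent links are constructed for illustration and are not the CHLA inventory. It also reports parent links that point at controllers absent from the inventory, which is the cross-reference gap Phase 1 has to close against the Visio diagrams.

```python
"""Emit a D2 building/controller-hierarchy view from a classified BMS inventory.

Added example for the Phase 1 -> Phase 2 hand-off; it is not the project's
Visio-to-D2 converter. It assumes Phase 1 produces one row per device with
the fields below. The rows, switch names and parent (supervisor) links are
constructed for illustration, not the CHLA inventory.
"""
import re
from collections import defaultdict

SAMPLE_INVENTORY = [
    {"mac": "00:10:8D:AA:00:01", "model": "NAE5510", "function": "hvac",
     "building": "Saban", "floor": "1", "switch": "saban-idf1-sw1", "parent": None},
    {"mac": "00:10:8D:AA:00:02", "model": "CVE03050", "function": "hvac",
     "building": "Saban", "floor": "3", "switch": "saban-idf3-sw1", "parent": "00:10:8D:AA:00:01"},
    {"mac": "00:10:8D:AA:00:03", "model": "SNE11001", "function": "hvac",
     "building": "Duque", "floor": "2", "switch": "duque-idf2-sw1", "parent": None},
    # Parent MAC below is deliberately absent from the inventory (constructed gap).
    {"mac": "02:00:00:CC:00:04", "model": "KMC Controls", "function": "lighting",
     "building": "Duque", "floor": "2", "switch": "duque-idf2-sw1", "parent": "00:10:8D:AA:00:99"},
]


def key(prefix, text):
    """D2 map keys: letters, digits and underscores only, prefixed so they cannot collide with D2 keywords."""
    return prefix + re.sub(r"[^A-Za-z0-9]", "_", text)


def dangling_parents(rows):
    """MACs whose parent controller is not in the inventory: a Phase 1 cross-reference gap."""
    known = {r["mac"] for r in rows}
    return sorted(r["mac"] for r in rows if r["parent"] and r["parent"] not in known)


def to_d2(rows):
    """Buildings contain floors contain devices; edges show supervisor->field and switch->device links."""
    by_building = defaultdict(lambda: defaultdict(list))
    for r in rows:
        by_building[r["building"]][r["floor"]].append(r)
    path = {}  # mac -> dotted D2 path, needed for edges between nested objects
    out = ["direction: down"]
    for b in sorted(by_building):
        bk = key("b_", b)
        out.append(f'{bk}: "{b}" {{')
        for fl in sorted(by_building[b]):
            fk = key("f_", fl)
            out.append(f'  {fk}: "Floor {fl}" {{')
            for r in sorted(by_building[b][fl], key=lambda r: r["mac"]):
                dk = key("d_", r["mac"])
                path[r["mac"]] = f"{bk}.{fk}.{dk}"
                shape = "hexagon" if r["parent"] is None else "rectangle"  # supervisors stand out
                out.append(f'    {dk}: "{r["model"]} {r["mac"]} ({r["function"]})" {{ shape: {shape} }}')
            out.append("  }")
        out.append("}")
    known = set(path)
    for r in rows:  # controller hierarchy; dangling parents are skipped, never invented
        if r["parent"] in known:
            out.append(f"{path[r['parent']]} -> {path[r['mac']]}")
    for sw in sorted({r["switch"] for r in rows}):  # network view: access switch per device
        out.append(f'{key("sw_", sw)}: "{sw}"')
    for r in rows:
        out.append(f"{key('sw_', r['switch'])} -> {path[r['mac']]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_d2(SAMPLE_INVENTORY))
    print("# unresolved parents:", dangling_parents(SAMPLE_INVENTORY))
```

Pipe the output into `d2 - out.svg` to render it. The generator sorts buildings, floors and devices so that re-running it after an inventory change produces a stable diff, which is the property that makes the D2 source reviewable in the same way as the query results.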

Metadata

| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-04-bms-device-inventory |
| Author | Evan Rosado |
| Created | 2026-04-24 |
| Updated | 2026-04-24 |
| Status | Active |
| Category | Infrastructure / Network Security |
| Priority | P1 |