BMS Device Inventory — Action Items

Action Items

Phase 0: Discovery

  • Run Q1-Q8 discovery queries against production ISE DataConnect

  • Export results to data/d001/projects/bms-device-inventory/output/

  • Retrieve Visio diagrams from SharePoint/local archives

  • Cross-reference Visio controller IPs against DataConnect MAC/NAS results

  • Identify Johnson Controls OUI prefixes from Visio device list — update Q6

  • Document any devices in Visio not found in ISE (offline or unmanaged)

  • Document any devices in ISE not in Visio (undocumented additions)

Phase 1: Classification

  • Categorize each device by function: HVAC, lighting, access control, fire, elevator, supervisory

  • Map MAC → controller → building → floor using switch name and Visio reference

  • Identify profiled vs unprofiled (Unknown) devices — Q7 output

  • Identify devices in wrong ISE identity group

  • Build classification table (encrypted in d001)

Phase 2: Diagram

  • Create D2 source: controller hierarchy (supervisory → field → sensor/actuator)

  • Create D2 source: network view (VLAN, switch port, ISE policy per device)

  • Create D2 source: building view (physical location)

  • Render SVGs via Kroki

  • Compare D2 output against original Visio for accuracy

Phase 2b: Cleanup

  • Verify 4 empty test groups are not referenced in any authorization rule condition

  • Delete orphaned test groups via ERS (0 members, not in production policy):

    • BMS_Supervisory_Test_Grp (a5ff7db0-872c-11ef-9e89-46637f695c46)

    • claroty_BASrouter_Contemporary_Control_BMS_BACnet (91cef4e0-882d-11ef-9e89-46637f695c46)

    • claroty_CVE03050_Johnson_Controls_BMS_Controller (b2bd33d0-882b-11ef-9e89-46637f695c46)

    • Claroty_Legacy_BMS_Server (705b3570-0c09-11f0-9e89-46637f695c46)

  • Investigate 3 devices with null endpoint profile — profiling failed, relying on IoT_Onboard fallback

  • Migrate 4 devices from BMS_Supervisor_CM_DACL_retire to current BMS_Supervisor_CM_dACL

  • Update Q6 OUI query — correct JCI OUI is 00:10:8D (46 devices), not the original 4 prefixes

  • Update Q7 switch name patterns — CHLA uses Duque, NHB, Saban, SRT, Gateway, McAlister, Page, OPT (not mech/bldg/plant/facility)
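
Added example, not part of the project's own tooling: a reconciliation script covering the Phase 0 cross-reference (Visio-only vs ISE-only devices) together with the Phase 2b checks for the corrected JCI OUI 00:10:8D and null endpoint profiles. The sample rows are constructed; the column names (mac, nas, endpoint_profile) and the switch/profile names are assumptions, not the DataConnect schema.

```python
"""Reconcile a Visio-derived BMS controller list against an ISE DataConnect export.

Constructed sample data; real exports would be read from the output directory
named in Phase 0. Column names are assumptions, not the DataConnect schema."""
import re

JCI_OUI = "00:10:8D"  # Johnson Controls prefix identified in Phase 2b


def norm_mac(mac):
    """Normalise 0010.8d00.0001 / 00-10-8D-... / 00:10:8d... to 00:10:8D:00:00:01."""
    hexchars = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexchars) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2))


def reconcile(visio, ise):
    """Return the four findings the Phase 0 and Phase 2b items ask for."""
    visio_by_mac = {norm_mac(d["mac"]): d for d in visio}
    ise_by_mac = {norm_mac(d["mac"]): d for d in ise}
    return {
        # in Visio but never seen by ISE: offline or unmanaged
        "visio_only": sorted(set(visio_by_mac) - set(ise_by_mac)),
        # seen by ISE but absent from Visio: undocumented additions
        "ise_only": sorted(set(ise_by_mac) - set(visio_by_mac)),
        # devices matching the corrected JCI OUI (feeds the Q6 update)
        "jci_devices": sorted(m for m in ise_by_mac if m[:8] == JCI_OUI),
        # profiling failed; these rely on the IoT_Onboard fallback
        "null_profile": sorted(m for m, d in ise_by_mac.items()
                               if d.get("endpoint_profile") is None),
    }


# Constructed sample rows (MAC formats deliberately mixed, as exports tend to be)
VISIO = [
    {"mac": "0010.8d00.0001", "ip": "10.20.1.10", "building": "Duque", "floor": 3},
    {"mac": "00-10-8D-00-00-02", "ip": "10.20.1.11", "building": "NHB", "floor": 1},
    {"mac": "00:0a:0b:00:00:03", "ip": "10.20.2.5", "building": "Saban", "floor": 2},
]
ISE = [
    {"mac": "00:10:8D:00:00:01", "nas": "duque-sw1", "endpoint_profile": "JCI-BMS-Controller"},
    {"mac": "00:10:8D:00:00:02", "nas": "nhb-sw2", "endpoint_profile": None},
    {"mac": "00:10:8D:00:00:09", "nas": "srt-sw1", "endpoint_profile": "JCI-BMS-Controller"},
]

if __name__ == "__main__":
    for finding, macs in reconcile(VISIO, ISE).items():
        print(f"{finding}: {macs}")
```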

Phase 3: ISE Policy Validation

  • Verify profile-driven authorization is matching correctly for all 72 BMS devices

  • Verify dACL enforcement — BMS devices should only reach supervisory controllers

  • Verify Claroty/Medigate profiling feed is active — all profiling depends on third-party integration

  • Assess native ISE profiler backup — if Claroty feed breaks, do devices fall to Unknown?

  • Verify IoT_Onboard failsafe policy is appropriate for BMS devices that lose profiling

  • Document devices needing profiler policy updates

  • CR for any ISE policy changes required