BMS Controller Segmentation

Overview

Building Management Systems (BMS) control physical plant whose failure or manipulation has safety and availability consequences, so their controllers need network isolation from the general IT estate:

  • HVAC controllers

  • Lighting controls

  • Access control systems

  • Fire and safety systems

  • Energy management

  • Elevator controls

Security Concerns

  • Legacy protocols without authentication (BACnet/IP on UDP 47808 and Modbus TCP on port 502 carry neither authentication nor encryption, so anything with network reach can read and write controller points)

  • Unpatched firmware (controllers run for years between updates, and vendor patches often lag public advisories)

  • Default credentials on web and engineering interfaces

  • Flat network access to IT systems (a compromised workstation can reach every controller, and a compromised controller becomes a pivot into IT)

Segmentation Strategy

The firewall holds the inter-VLAN ACLs: traffic between the IT (VLAN 10), BMS (VLAN 100) and IoT (VLAN 200) networks is limited to what those ACLs permit, the BMS management station reaches the controllers through the firewall, and traffic that stays inside a VLAN never crosses it.

┌─────────────────────────────────────────────────────────────┐
│                         Network                              │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────┐   │
│  │  IT Network  │    │  BMS Network │    │  IoT Network │   │
│  │  VLAN 10     │    │  VLAN 100    │    │  VLAN 200    │   │
│  └──────┬───────┘    └──────┬───────┘    └──────┬───────┘   │
│         │                   │                   │            │
│         │     ┌─────────────┴─────────────┐     │            │
│         │     │         Firewall          │     │            │
│         │     │    (Inter-VLAN ACLs)      │     │            │
│         │     └───────────────────────────┘     │            │
│         │                   │                   │            │
│  ┌──────▼───────┐    ┌──────▼───────┐    ┌──────▼───────┐   │
│  │ Workstations │    │   BMS Mgmt   │    │  Supervisors │   │
│  │              │    │   Station    │    │              │   │
│  └──────────────┘    └──────────────┘    └──────────────┘   │
└─────────────────────────────────────────────────────────────┘

Implementation Phases

  1. Discovery - Profile all BMS devices (addresses, vendor, firmware, the protocols and ports each one actually uses)

  2. Classification - Create endpoint identity groups from the profiles (controllers, management stations, supervisors)

  3. Policy - Build authorization rules between groups; permit only the protocols found in discovery and deny everything else by default

  4. Enforcement - Apply the rules as downloadable ACLs (DACLs) or Security Group Tags (SGTs) at the access layer, backed by the inter-VLAN ACLs on the firewall

  5. Monitoring - Verify observed traffic matches the policy and alert on flows it does not explain
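As an added example (not from the original page, and not any vendor's product), the phases above carried through in Python: zones for the three VLANs, an authorization rule set, the same rules rendered as Cisco IOS extended ACL entries for enforcement, and a replay of flow records to find traffic the policy does not explain. The subnets, the management segment 10.10.110.0/24 behind the firewall, the port numbers and the flow records are assumptions; the page names only the VLAN IDs.

```python
"""Segmentation policy model, ACL rendering and flow verification.

Added example for the BMS segmentation design; subnets, hosts and flow
records below are constructed for illustration and are not from any
real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Phase 2 (classification): zones keyed by name. VLAN IDs come from the
# design; the subnets and the management segment are assumptions.
ZONES = {
    "IT":       ipaddress.ip_network("10.10.10.0/24"),   # VLAN 10
    "BMS":      ipaddress.ip_network("10.10.100.0/24"),  # VLAN 100, controllers
    "BMS-Mgmt": ipaddress.ip_network("10.10.110.0/24"),  # assumed: mgmt station behind the firewall
    "IoT":      ipaddress.ip_network("10.10.200.0/24"),  # VLAN 200
}


@dataclass(frozen=True)
class Rule:
    src: str             # zone name
    dst: str             # zone name
    proto: str           # "tcp", "udp" or "ip" (any protocol)
    port: Optional[int]  # destination port, None = any
    action: str          # "permit" or "deny"


# Phase 3 (policy): first match wins; anything unmatched falls to the
# implicit deny. Only the management segment may reach the controllers,
# and only on the protocols discovery showed the controllers speaking.
RULES = [
    Rule("BMS-Mgmt", "BMS", "udp", 47808, "permit"),  # BACnet/IP
    Rule("BMS-Mgmt", "BMS", "tcp", 502,   "permit"),  # Modbus TCP
    Rule("BMS-Mgmt", "BMS", "tcp", 443,   "permit"),  # controller web UI
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide one flow against RULES; anything unmatched is denied."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src == src_zone and r.dst == dst_zone
                and r.proto in ("ip", proto)
                and r.port in (None, dport)):
            return r.action
    return "deny"


def render_acl(rules=RULES) -> list:
    """Phase 4: express the rules as Cisco IOS extended ACL entries.

    IOS ACLs take wildcard masks (the inverse of the netmask), which
    ipaddress exposes as hostmask."""
    lines = []
    for r in rules:
        src, dst = ZONES[r.src], ZONES[r.dst]
        ace = (f"{r.action} {r.proto} "
               f"{src.network_address} {src.hostmask} "
               f"{dst.network_address} {dst.hostmask}")
        if r.port is not None:
            ace += f" eq {r.port}"
        lines.append(ace)
    lines.append("deny ip any any log")  # make the implicit deny explicit and logged
    return lines


def audit_flows(flow_text: str) -> list:
    """Phase 5: replay flow records (src,dst,proto,dport,bytes) against
    the policy and return those the policy would not have permitted."""
    violations = []
    for line in flow_text.strip().splitlines():
        src, dst, proto, dport, nbytes = line.split(",")
        if evaluate(src, dst, proto, int(dport)) != "permit":
            violations.append({
                "src": src, "src_zone": zone_of(src),
                "dst": dst, "dst_zone": zone_of(dst),
                "proto": proto, "dport": int(dport), "bytes": int(nbytes),
            })
    return violations


# Constructed flow records (not captured from any real network).
SAMPLE_FLOWS = """\
10.10.110.10,10.10.100.21,udp,47808,1240
10.10.10.55,10.10.100.21,udp,47808,96
10.10.100.21,10.10.10.20,tcp,445,3010
10.10.200.7,10.10.100.30,tcp,502,240
10.10.110.10,10.10.100.30,tcp,502,512
"""

if __name__ == "__main__":
    print("\n".join(render_acl()))
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", v)
```

Running it prints the ACL and three violations, one for each concern listed earlier: an IT workstation talking BACnet/IP to a controller, a controller initiating SMB toward IT, and an IoT device reaching Modbus. With DACLs or SGTs the same rule table is what the NAC pushes per endpoint group instead of a static ACL on the firewall, so the verification step stays the same either way.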