Building Management System networks are critical to the daily operation of modern buildings, but they are often not managed with the same care, control, or security discipline as corporate IT systems.
Over time, many buildings accumulate unmanaged remote access routes. One contractor installs a 4G router. Another adds a Teltonika modem. Another sets up their own VPN. Another leaves remote access in place after commissioning. Years later, the building owner may no longer have a clear view of who can access the BMS network, how they connect, or what systems they can reach.
Future Decisions helps building owners take back control. We provide secure BMS network architecture using enterprise-grade firewalls — OPNsense and Fortinet FortiGate — with controlled VPN access, network segmentation, vendor access governance, monitoring, logging, and protection for legacy controllers and IoT devices. We also provide consultancy on network design, cybersecurity, SD-WAN, MPLS, and secure multi-site connectivity.
Many BMS networks were designed to make buildings work, not to defend against modern cybersecurity threats. The problem is not that these systems are connected — connectivity is essential for support, maintenance, reporting, and optimisation. The problem is that connectivity is often unmanaged.
A building may have multiple vendors with separate remote access routes, different passwords, unknown firewall rules, and limited logging. These routes may sit outside the control of the building owner, the facilities team, and even corporate IT. That creates unnecessary risk.
In many buildings, the BMS controls heating, ventilation, cooling, lighting, metering, water systems, plant equipment, comfort conditions, and energy performance. These systems deserve proper protection.
Many BMS controllers, meters, gateways, sensors, and IoT devices were installed years ago. They were designed to control buildings, not withstand today's cybersecurity threats. In many cases these devices cannot be easily patched, upgraded, or hardened. Some are running old firmware. Some are no longer supported. Some use legacy protocols. Some cannot be updated without major cost, disruption, or replacement.
That means the network around them becomes the first and most important line of defence. Future Decisions protects legacy building systems by placing them behind a secure, managed network architecture. We reduce exposure, control access, segment traffic, monitor activity, and restrict who can reach these devices.
We do not pretend every old controller can be fixed. We protect it properly.
Future Decisions designs, deploys, and manages secure network architectures for building control environments. We use enterprise-grade firewall platforms — OPNsense and Fortinet FortiGate — depending on the site requirement, budget, risk profile, compliance needs, and existing IT standards.
The aim is simple: replace unmanaged access with controlled, secure, auditable access. This gives building owners control over who can access the BMS network, how they connect, what systems they can reach, when access is allowed, and how legacy systems are protected.
A powerful, flexible, cost-effective open-source firewall and VPN platform. Provides firewalling, VPN, intrusion prevention (Suricata IDS/IPS), two-factor authentication, scheduling, and high availability via CARP. Works well for many BMS and building control environments.
Best for: single sites, cost-conscious projects, flexible environments
A commercial next-generation enterprise firewall with NGFW, SD-WAN, FortiGuard security services including OT-focused threat protection, FortiToken MFA, FortiManager central management, and FGCP high availability. Used in enterprise and critical infrastructure environments.
Best for: enterprise sites, multi-site estates, high-risk or regulated environments
The right platform depends on the building. The outcome is the same: controlled access, segmented networks, monitored traffic, protected systems.
A managed firewall layer around the BMS network controls traffic between controllers, Niagara/JACE systems, metering, sensors, IoT gateways, vendor systems, engineering workstations, cloud platforms, corporate IT, and the internet. Firewall rules are designed around real operational requirements — not left open because a vendor needs access.
We are not tied to a single platform. We select the right firewall — OPNsense or Fortinet FortiGate — based on site requirements, budget, risk profile, compliance needs, and existing IT standards.
Replaces unmanaged remote access with controlled VPN-based connectivity. Access is limited by named user, vendor, device, source address, destination system, port, protocol, time window, and maintenance purpose. A lighting contractor does not get access to HVAC controllers. They get access only to what they need.
A controlled access model for every vendor. No more blanket access. No more permanent backdoors. No more unknown remote routes. Vendors can still support the building — but access is controlled by policy, not convenience.
Many BMS networks are too flat. Future Decisions segments the network into controlled zones: core BMS controllers, Niagara/JACE, metering, wireless sensors, IoT gateways, vendor access zone, cloud data exchange zone, engineering workstation access, corporate IT boundary, and temporary contractor networks.
Many building control devices cannot be secured at the device level — old firmware, unsupported hardware, legacy protocols. We protect these by controlling the network paths around them: which systems can reach them, which ports are allowed, which vendors can connect, and when.
Remote access should not rely on passwords alone. We strengthen access with 2FA/MFA — FortiToken for FortiGate environments, built-in 2FA workflows for OPNsense — to reduce risk of stolen or shared credentials accessing critical building systems.
Vendor access does not need to be permanently open. We design access windows for planned maintenance, remote diagnostics, commissioning, contractor visits, emergency support, and temporary project access. Access when required. Closed when not.
VPN access activity, firewall rule activity, vendor login records, traffic patterns, blocked connection attempts, network utilisation, and suspicious traffic — all logged and visible. Vendor support becomes accountable. Audits become straightforward.
For higher-risk sites: IDS/IPS using Suricata on OPNsense, or FortiGuard security services and FortiGate NGFW capabilities including OT-focused threat protection on Fortinet. An additional layer on top of firewalling, segmentation, and access control.
Controlled outbound-only communication, firewall rules for approved services, segregated data exchange zones, encrypted data paths, monitoring of data traffic, and clear documentation of what leaves the building network. Building data becomes useful without making the building vulnerable.
Redundant firewall pairs for critical environments — prisons, healthcare buildings, public sector sites, large commercial buildings, multi-building estates. OPNsense supports HA via CARP. Fortinet FortiGate supports HA via FGCP.
Standard firewall templates, consistent VPN policies, vendor access governance, site-by-site segmentation, estate-wide monitoring, centralised documentation, and repeatable deployment patterns across the estate. FortiManager supports central management for FortiGate deployments.
For single buildings: secure BMS network architecture, firewall placement, segmentation, vendor access, and cloud data exchange. For multi-site clients: SD-WAN, MPLS, site-to-site VPNs, resilient connectivity, centralised firewall policy, and multi-site routing design. We help clients move away from isolated ad-hoc networks towards a consistent, secure estate architecture.
We review the existing BMS network, vendor access routes, internet connections, controllers, gateways, and switches. We identify unmanaged 4G routers, Teltonika modems, unknown VPNs, flat networks, unsupported devices, unclear firewall rules, shared credentials, poorly documented vendor routes, and gaps in monitoring.
We design a secure network architecture based on how the building actually operates — firewall platform selection, segmentation, vendor access model, VPN design, SD-WAN or MPLS requirements, monitoring, legacy device protection, cloud data exchange, HA requirements, and documentation.
We install and configure OPNsense or Fortinet FortiGate, migrate access away from unmanaged routes, and create controlled access for authorised users and vendors. Where required, we also support SD-WAN, MPLS, site-to-site VPNs, and secure multi-site access.
We define who can access what, when, and how. Access is controlled by policy. Vendors get what they need to support their systems — and not open access to everything else.
We provide visibility of remote access, firewall activity, traffic behaviour, and system health — so building owners understand what is happening on the BMS network and can spot issues earlier.
As the building evolves, the security architecture evolves with it. New systems, new vendors, new sensors, new cloud platforms, new sites, and new operational requirements are added in a controlled way.
Understand firewalls, network segmentation, VPN, and threat detection.
But they do not understand BMS networks, building controls, Niagara environments, vendor access requirements, or what a chiller controller actually does.
The only team that speaks both languages fluently.
Understand building controls, commissioning, plant, and control sequences.
But they do not understand whole-site cybersecurity, firewall policy, intrusion detection, network monitoring, or enterprise security governance.
A BMS network cannot be secured properly if you do not understand what the building systems actually do.
IT security teams applying standard enterprise security to building control networks create operational problems. BMS engineers opening ports and installing 4G modems create security risks. Neither understands the other's domain well enough. That is the gap Future Decisions fills — and it is a gap that leaves most building estates dangerously exposed.
Replace vendor-installed 4G routers, Teltonika modems, shared passwords, and unknown remote access routes with a single, controlled, auditable layer.
Secure old controllers, meters, gateways, and IoT devices that cannot be patched or replaced easily. If the device cannot defend itself, the network has to.
Allow contractors to support their systems without giving them unnecessary access to the wider building network. Right access. Right time. Right systems.
Gain clearer insight into traffic, remote access, firewall activity, and vendor support usage. Know what is happening on your building network.
Use firewalling, segmentation, VPN controls, monitoring, and access governance to reduce exposure across the building control network.
Create better evidence around access control, network security, operational governance, and remote support for audits and regulatory requirements.
Consistent network security across multiple buildings using secure VPN, SD-WAN, MPLS, firewall policy, and centralised access governance.
Secure the network layer needed for safe data exchange, monitoring, optimisation, automated reporting, and AI augmentation of building systems.
Our platform architecture is designed from the ground up to require no inbound IP access to your building. Your firewall stays locked. Your network stays protected.
Your BMS, SCADA, PLCs, sensors, and actuators remain on a physically or logically isolated OT network. No direct internet exposure. No direct IT network access.
Our edge device sits between OT and IT. It reads data outbound only, applies local processing, and forwards normalised data via encrypted outbound connection. Nothing comes back in unsolicited.
Receives normalised building data, runs AI models, stores trends, and serves dashboards. All communications are initiated by the edge device. The platform cannot push unsolicited commands to the building.
Future Decisions can assess your existing BMS remote access, identify unmanaged risks, and deploy a secure firewall and VPN architecture designed specifically for building control systems.
Whether the right solution is OPNsense, Fortinet FortiGate, or a wider enterprise security architecture, we help you protect the systems your building depends on.