BMS Cybersecurity & Secure Remote Access

Secure your building controls before they become your weakest link.

Building Management System networks are critical to the daily operation of modern buildings, but they are often not managed with the same care, control, or security discipline as corporate IT systems.

Over time, many buildings accumulate unmanaged remote access routes. One contractor installs a 4G router. Another adds a Teltonika modem. Another sets up their own VPN. Another leaves remote access in place after commissioning. Years later, the building owner may no longer have a clear view of who can access the BMS network, how they connect, or what systems they can reach.

Future Decisions helps building owners take back control. We provide secure BMS network architecture using enterprise-grade firewalls — OPNsense and Fortinet FortiGate — with controlled VPN access, network segmentation, vendor access governance, monitoring, logging, and protection for legacy controllers and IoT devices. We also provide consultancy on network design, cybersecurity, SD-WAN, MPLS, and secure multi-site connectivity.

Secure access.Controlled vendors.Protected building systems.
The Problem

BMS networks are often unmanaged

Many BMS networks were designed to make buildings work, not to defend against modern cybersecurity threats. The problem is not that these systems are connected — connectivity is essential for support, maintenance, reporting, and optimisation. The problem is that connectivity is often unmanaged.

A building may have multiple vendors with separate remote access routes, different passwords, unknown firewall rules, and limited logging. These routes may sit outside the control of the building owner, the facilities team, and even corporate IT. That creates unnecessary risk.

BMS controllers
Niagara / JACE systems
Metering equipment
IoT gateways
Wireless sensors
Lighting controllers
HVAC plant
Water systems
4G modems
Legacy switches
The Risk

Uncontrolled access creates blind spots

In many buildings, the BMS controls heating, ventilation, cooling, lighting, metering, water systems, plant equipment, comfort conditions, and energy performance. These systems deserve proper protection.

Unknown external access into the BMS network
Vendor-installed 4G routers with limited oversight
Multiple contractors using separate remote access methods
Shared passwords and unmanaged credentials
No clear record of who connected and when
Poor separation between BMS, corporate IT, and the internet
Legacy controllers exposed to unnecessary network traffic
No consistent firewall policy or proper audit trail
No clear ownership of BMS cybersecurity
Legacy Controllers & IoT Devices

If the device cannot defend itself, the network has to.

Many BMS controllers, meters, gateways, sensors, and IoT devices were installed years ago. They were designed to control buildings, not withstand today's cybersecurity threats. In many cases these devices cannot be easily patched, upgraded, or hardened. Some are running old firmware. Some are no longer supported. Some use legacy protocols. Some cannot be updated without major cost, disruption, or replacement.

That means the network around them becomes the first and most important line of defence. Future Decisions protects legacy building systems by placing them behind a secure, managed network architecture. We reduce exposure, control access, segment traffic, monitor activity, and restrict who can reach these devices.

We do not pretend every old controller can be fixed. We protect it properly.

Our Solution

Enterprise-grade cybersecurity for BMS networks

Future Decisions designs, deploys, and manages secure network architectures for building control environments. We use enterprise-grade firewall platforms — OPNsense and Fortinet FortiGate — depending on the site requirement, budget, risk profile, compliance needs, and existing IT standards.

The aim is simple: replace unmanaged access with controlled, secure, auditable access. This gives building owners control over who can access the BMS network, how they connect, what systems they can reach, when access is allowed, and how legacy systems are protected.

OPNsense

A powerful, flexible, cost-effective open-source firewall and VPN platform. Provides firewalling, VPN, intrusion prevention (Suricata IDS/IPS), two-factor authentication, scheduling, and high availability via CARP. Works well for many BMS and building control environments.

Best for: single sites, cost-conscious projects, flexible environments

Fortinet FortiGate

A commercial next-generation enterprise firewall with NGFW, SD-WAN, FortiGuard security services including OT-focused threat protection, FortiToken MFA, FortiManager central management, and FGCP high availability. Used in enterprise and critical infrastructure environments.

Best for: enterprise sites, multi-site estates, high-risk or regulated environments

The right platform depends on the building. The outcome is the same: controlled access, segmented networks, monitored traffic, protected systems.

What We Provide

14 capabilities to secure your BMS

01

Managed BMS Firewalling

A managed firewall layer around the BMS network controls traffic between controllers, Niagara/JACE systems, metering, sensors, IoT gateways, vendor systems, engineering workstations, cloud platforms, corporate IT, and the internet. Firewall rules are designed around real operational requirements — not left open because a vendor needs access.

02

OPNsense or FortiGate Deployment

We are not tied to a single platform. We select the right firewall — OPNsense or Fortinet FortiGate — based on site requirements, budget, risk profile, compliance needs, and existing IT standards.

03

Secure VPN Access

Replaces unmanaged remote access with controlled VPN-based connectivity. Access is limited by named user, vendor, device, source address, destination system, port, protocol, time window, and maintenance purpose. A lighting contractor does not get access to HVAC controllers. They get access only to what they need.

04

Vendor Access Control

A controlled access model for every vendor. No more blanket access. No more permanent backdoors. No more unknown remote routes. Vendors can still support the building — but access is controlled by policy, not convenience.

05

Network Segmentation

Many BMS networks are too flat. Future Decisions segments the network into controlled zones: core BMS controllers, Niagara/JACE, metering, wireless sensors, IoT gateways, vendor access zone, cloud data exchange zone, engineering workstation access, corporate IT boundary, and temporary contractor networks.

06

Protection for Unpatchable Devices

Many building control devices cannot be secured at the device level — old firmware, unsupported hardware, legacy protocols. We protect these by controlling the network paths around them: which systems can reach them, which ports are allowed, which vendors can connect, and when.

07

Two-Factor & Multi-Factor Authentication

Remote access should not rely on passwords alone. We strengthen access with 2FA/MFA — FortiToken for FortiGate environments, built-in 2FA workflows for OPNsense — to reduce risk of stolen or shared credentials accessing critical building systems.

08

Time-Limited Access

Vendor access does not need to be permanently open. We design access windows for planned maintenance, remote diagnostics, commissioning, contractor visits, emergency support, and temporary project access. Access when required. Closed when not.

09

Monitoring and Logging

VPN access activity, firewall rule activity, vendor login records, traffic patterns, blocked connection attempts, network utilisation, and suspicious traffic — all logged and visible. Vendor support becomes accountable. Audits become straightforward.

10

Intrusion Detection & Threat Protection

For higher-risk sites: IDS/IPS using Suricata on OPNsense, or FortiGuard security services and FortiGate NGFW capabilities including OT-focused threat protection on Fortinet. An additional layer on top of firewalling, segmentation, and access control.

11

Secure Cloud Data Exchange

Controlled outbound-only communication, firewall rules for approved services, segregated data exchange zones, encrypted data paths, monitoring of data traffic, and clear documentation of what leaves the building network. Building data becomes useful without making the building vulnerable.

12

High Availability for Critical Sites

Redundant firewall pairs for critical environments — prisons, healthcare buildings, public sector sites, large commercial buildings, multi-building estates. OPNsense supports HA via CARP. Fortinet FortiGate supports HA via FGCP.

13

Multi-Site Estate Security

Standard firewall templates, consistent VPN policies, vendor access governance, site-by-site segmentation, estate-wide monitoring, centralised documentation, and repeatable deployment patterns across the estate. FortiManager supports central management for FortiGate deployments.

14

Network Design, SD-WAN & MPLS Consultancy

For single buildings: secure BMS network architecture, firewall placement, segmentation, vendor access, and cloud data exchange. For multi-site clients: SD-WAN, MPLS, site-to-site VPNs, resilient connectivity, centralised firewall policy, and multi-site routing design. We help clients move away from isolated ad-hoc networks towards a consistent, secure estate architecture.

Our Process

How we work

01

Assess

We review the existing BMS network, vendor access routes, internet connections, controllers, gateways, and switches. We identify unmanaged 4G routers, Teltonika modems, unknown VPNs, flat networks, unsupported devices, unclear firewall rules, shared credentials, poorly documented vendor routes, and gaps in monitoring.

02

Design

We design a secure network architecture based on how the building actually operates — firewall platform selection, segmentation, vendor access model, VPN design, SD-WAN or MPLS requirements, monitoring, legacy device protection, cloud data exchange, HA requirements, and documentation.

03

Deploy

We install and configure OPNsense or Fortinet FortiGate, migrate access away from unmanaged routes, and create controlled access for authorised users and vendors. Where required, we also support SD-WAN, MPLS, site-to-site VPNs, and secure multi-site access.

04

Control

We define who can access what, when, and how. Access is controlled by policy. Vendors get what they need to support their systems — and not open access to everything else.

05

Monitor

We provide visibility of remote access, firewall activity, traffic behaviour, and system health — so building owners understand what is happening on the BMS network and can spot issues earlier.

06

Improve

As the building evolves, the security architecture evolves with it. New systems, new vendors, new sensors, new cloud platforms, new sites, and new operational requirements are added in a controlled way.

The Gap No One Talks About
IT

Traditional IT Providers

Understand firewalls, network segmentation, VPN, and threat detection.

But they do not understand BMS networks, building controls, Niagara environments, vendor access requirements, or what a chiller controller actually does.

Future Decisions
sits between both worlds

The only team that speaks both languages fluently.

BMS

BMS Vendors

Understand building controls, commissioning, plant, and control sequences.

But they do not understand whole-site cybersecurity, firewall policy, intrusion detection, network monitoring, or enterprise security governance.

A BMS network cannot be secured properly if you do not understand what the building systems actually do.

IT security teams applying standard enterprise security to building control networks create operational problems. BMS engineers opening ports and installing 4G modems create security risks. Neither understands the other's domain well enough. That is the gap Future Decisions fills — and it is a gap that leaves most building estates dangerously exposed.

We understand buildings

Building Management Systems
Niagara / JACE environments
BMS controllers
Metering networks
Wireless sensors
IoT gateways
Vendor access requirements
Plant networks
Cloud data exchange
AI augmentation
Operational building requirements

We understand cybersecurity

Firewalling
VPN access
Network segmentation
Monitoring & logging
Access control
Secure remote support
Legacy device protection
SD-WAN
MPLS
Multi-site network design
Secure cloud connectivity
Intrusion detection
Key Benefits

Take back control

Remove unmanaged access

Replace vendor-installed 4G routers, Teltonika modems, shared passwords, and unknown remote access routes with a single, controlled, auditable layer.

Protect legacy devices

Secure old controllers, meters, gateways, and IoT devices that cannot be patched or replaced easily. If the device cannot defend itself, the network has to.

Support vendors safely

Allow contractors to support their systems without giving them unnecessary access to the wider building network. Right access. Right time. Right systems.

Improve visibility

Gain clearer insight into traffic, remote access, firewall activity, and vendor support usage. Know what is happening on your building network.

Reduce risk

Use firewalling, segmentation, VPN controls, monitoring, and access governance to reduce exposure across the building control network.

Support compliance

Create better evidence around access control, network security, operational governance, and remote support for audits and regulatory requirements.

Secure multi-site estates

Consistent network security across multiple buildings using secure VPN, SD-WAN, MPLS, firewall policy, and centralised access governance.

Build a secure AI foundation

Secure the network layer needed for safe data exchange, monitoring, optimisation, automated reporting, and AI augmentation of building systems.

Platform Architecture

Zero inbound access. Outbound only.

Our platform architecture is designed from the ground up to require no inbound IP access to your building. Your firewall stays locked. Your network stays protected.

OT Layer

BMS / Controls

Your BMS, SCADA, PLCs, sensors, and actuators remain on a physically or logically isolated OT network. No direct internet exposure. No direct IT network access.

Edge Gateway

The Bridge

Our edge device sits between OT and IT. It reads data outbound only, applies local processing, and forwards normalised data via encrypted outbound connection. Nothing comes back in unsolicited.

Cloud Platform

Future Decisions Platform

Receives normalised building data, runs AI models, stores trends, and serves dashboards. All communications are initiated by the edge device. The platform cannot push unsolicited commands to the building.

What We Do NOT Require

  • No open inbound firewall ports
  • No inbound VPN connections
  • No static inbound IP whitelist entries
  • No DMZ exceptions for inbound traffic
  • No remote desktop or SSH access to your systems
  • No agent software on IT-managed servers
  • No changes to your existing network topology

What We Do Provide

  • Full architecture documentation for review
  • Data flow diagrams for security sign-off
  • ISO 27001-aligned security practices
  • Data Processing Agreement (DPA) on request
  • Third-party penetration test results available
  • Clear data residency and sovereignty documentation
  • Dedicated security Q&A with your IT team

Take control of your BMS network

Future Decisions can assess your existing BMS remote access, identify unmanaged risks, and deploy a secure firewall and VPN architecture designed specifically for building control systems.

Whether the right solution is OPNsense, Fortinet FortiGate, or a wider enterprise security architecture, we help you protect the systems your building depends on.