A BMS VPN solution

These articles make some assumptions, and hopefully these are familiar to you:

  1. You are a BMS vendor or service BMS systems for your customers.
  2. You have BMS equipment on customer networks that you do not control.

Point 2 is the especially difficult part, and one you are likely already very familiar with. Many BMS vendors leave the network architecture and the management of these IT issues to the customer. We can help them with requirements, but dealing with BMS is never going to be a priority for IT, and your customer may not have an IT person at all. You are also likely aware of the classic conflict between facilities management and IT: facilities wants to put a bunch of esoteric devices on the network, and IT wants to do everything it can to keep these suspicious devices with open protocols off the network. Frankly, BMS vendors have a justifiably bad reputation for IT security issues, and that is an attitude you will have to turn around. The only way I know to do that is to show that you have a thorough understanding of the vulnerabilities your devices have and to demonstrate how you are mitigating that risk.

I don’t claim ownership of any of this information; these are things that are freely available in many places. The goal here is to put together a system that works, with all the necessary information in one place.

A note and an apology:

I have done a lot of browsing and reading on OpenVPN, and I see so many support posts saying “x stopped working but OpenVPN says it is connected”. Most OpenVPN articles don’t really cover the infrastructure around the tunnel. Without understanding what’s going on in the network you won’t ever be completely successful, and that’s why this collection of articles is a little long.

Part 1: Planning

Part 2: Network Layout

Part 3: OpenVPN Server

Part 4: Crypto Keys

Part 5: Client Configuration Directory

Part 6: Ubiquiti EdgeRouter X

Part 7: Security

Part 8: BACnet BBMD/FDR