🛡️

Cybersecurity & Resilience Program

Enterprise-grade security controls protecting your building automation systems around the clock.

Continuously Monitored Against
AWS Foundational Security Best Practices
CIS Benchmark v5.0
NIST 800-53
🔒
End-to-End
Encryption
📡
24/7
Threat Monitoring
Weekly
Automated Patching
🔑
MFA
All Access Points

🔐Encryption

Data in Transit

  • All site-to-cloud communication encrypted end-to-end (ChaCha20-Poly1305)
  • Web interfaces use TLS 1.3 with modern cipher suites
  • All internal cloud API communication enforces HTTPS

Data at Rest

  • Server volumes encrypted using cloud-managed encryption keys
  • Backup data encrypted with dedicated keys that rotate annually
  • All file storage uses AES-256 server-side encryption

🔑Access Control

Multi-Factor Authentication

  • Cloud account root access protected with hardware MFA (FIDO2)
  • Administrative users require MFA for console access
  • Server access requires MFA via push notification or one-time code
  • VPN connectivity requires cryptographic key authentication

Segregation of Duties

  • Administrative access restricted to the platform owner
  • Field technicians operate under separate, limited accounts
  • Technician accounts provide application access only
  • No shared accounts or shared credentials

Least Privilege

  • Access policies follow least-privilege principles
  • Network access restricted to required ports and source ranges
  • VPN clients isolated from each other
  • Service accounts scoped to their specific function

🌐Network Security

Site Isolation

  • Each customer site operates on its own isolated IP subnet
  • Site routers provide NAT isolation between BAS devices and the building network
  • No BAS device traffic touches the building owner's LAN
  • No switching protocols or broadcast traffic introduced to the building network

Encrypted Tunnels

  • Each site connects via a dedicated encrypted tunnel
  • Cloud endpoint uses a static IP with deletion protection
  • Persistent connectivity with automatic reconnection
  • Administrative access separate from site connectivity

Firewall Controls

  • All server firewalls enforce explicit allow rules (default deny)
  • Only required ports exposed per server role
  • No inbound ports opened on the building owner's network

📡Monitoring & Threat Detection

Continuous Monitoring

  • Automated threat detection analyzes network traffic, API calls, and DNS queries
  • Vulnerability scanning checks servers for known software vulnerabilities
  • Security findings aggregated and prioritized in a central dashboard
  • Instance health, connectivity, and performance tracked in real time

Alerting

  • Site router connectivity monitored every 5 minutes
  • Server health issues trigger immediate alerts
  • Threat detection findings generate real-time notifications
  • Cost anomalies flagged automatically

Audit Logging

  • All cloud API activity logged across all regions
  • Logs stored with integrity validation (tamper detection)
  • Administrative session activity logged
  • File access activity tracked on all storage
  • Network flow logs capture all traffic metadata

🩹Vulnerability Management

  • All servers patched weekly through automated patch management
  • Patches applied with reboot when required
  • Patch compliance tracked and reported
  • Continuous vulnerability scanning identifies known CVEs
  • Critical and High findings remediated within the current patch cycle

💾Backup & Disaster Recovery

Backup Strategy

  • Critical server data backed up monthly
  • VPN configuration and encryption keys backed up with versioning
  • Backup vault protected against manual deletion
  • Backups encrypted and transitioned to cold storage

Recovery Capabilities

  • VPN server rebuilds automatically from backup in under 5 minutes
  • Site routers reconnect automatically when cloud services are restored
  • Application servers recoverable from backup within 1 hour
  • Full environment can be recreated from infrastructure-as-code

📋Infrastructure as Code

  • All cloud infrastructure defined and managed through code
  • Configuration changes are version-controlled
  • Changes reviewed before deployment
  • Infrastructure can be fully recreated from its definition
  • No manual changes to production resources

🏢Physical Security

Cloud Infrastructure

  • Hosted in AWS US East (Ohio) data centers
  • AWS facilities meet SOC 2, ISO 27001, and FedRAMP physical security requirements

Site Equipment

  • Compact, fanless devices installed in building IT closets
  • Pre-configured and managed remotely — no exposed management interfaces
  • Operates on an isolated network segment with no inbound connectivity from the building LAN

🚨Incident Response

We maintain a documented operations runbook covering failure scenarios including:

  • VPN server failure and automated recovery
  • Application server failure and backup restoration
  • Network connectivity loss and diagnosis
  • Customer site tunnel failures
  • Certificate and DNS issues

Alerts route to the infrastructure team within minutes of detection via multiple channels.

What We Handle

We manage the security and availability of the SCADA Connect platform, including:

  • Cloud infrastructure protection
  • Encrypted tunnel management
  • Server patching and hardening
  • Backup and disaster recovery
  • Monitoring, alerting, and incident response
  • Access control and credential management
  • Site router configuration and remote management

Questions?

For security questions, incident reports, or to request detailed documentation.

Contact Us

Last updated: