Helping OEM Engineers Enhance Building Equipment Cyber Security

The importance of Internet and cloud security can’t be understated when it comes to designing, owning and managing today’s large commercial buildings, institutional facilities, entertainment complexes and industrial plants. The potential impact of a serious security breach could affect or disable the automated systems providing building security, fire safety, communications, lighting, HVAC or equipment and instruments on the factory floor.

The Challenges

Cyber hackers and criminals know that today’s building management systems (BMS’s) and the equipment they control are highly sophisticated, complex and automated. They are constantly looking for back doors into building equipment and systems, the BMS or the cloud for myriad criminal purposes ranging from mischief to sabotage to theft or even terrorism. The consequences of a breach are potentially devastating in terms of damage or even loss of life.

No matter the communication protocol, a best-practice response to potential cyber threats always includes redundant layers of Internet security at multiple levels. At the top level, highly sophisticated and costly security systems are in place to protect the cloud, its communication networks and BMS operations. There are additional important precautions, however, further down at the device level that savvy original equipment manufacturers (OEMs) can take to harden and support their customers’ BMS, LANs/WANs and cloud installations.

The OEM design engineers responsible for today’s advanced IoT equipment and systems are not only tasked with device functional performance, but must now also consider cyber threats to secure communications. As today’s highly intelligent equipment and systems report device status continuously to the BMS and to the cloud, including self-diagnostics for predictive maintenance, secure communication via LANs and WANs is essential to assure safe 24-x-7 continuous building operations.  The maxim cyber security is everyone’s job extends all the way to the OEM IoT equipment level.

One of these critical security vulnerabilities includes a common Local Area Network (LAN) for the wide range of on-site building infrastructure equipment and systems, which is often connected to the Internet.  This flat layered network exposes all devices to vulnerabilities on the LAN when an Internet or Wide Area Network (WAN) connection is made.

The Solution

For these reasons, MSA’s FieldServer ProtoNode Model FPC-N64 Gateway has been designed with two Ethernet ports, with one Ethernet port for the LAN and the other Ethernet port for the WAN (Internet).  This approach gives OEM design engineers the most cost-effective, secure interface to the BMS and the Cloud Port screening is a built in function in the FPC-N64 which adds an additional layer of security by preventing unwanted incoming connections.

Integration with MSA Grid FieldServer Manager enhances the ProtoNode Gateway’s value by enabling remote monitoring, control, cloud-based alarm notifications (SMS or E-Mail) for trouble or alarm conditions and data visualization through the Grid dashboards. Users can view data, configure dashboards, download historical data and provide remote monitor/control for any connected devices. Additionally, when integrated with the FieldServer Manager, the ProtoNode dramatically reduces the time it takes for an OEM to implement its IoT product cloud strategy.

With two Ethernet ports, the ProtoNode Gateway allows data to move seamlessly and securely across disparate subnets using a dedicated port for each subnet and from a LAN to a WAN (Internet). This port isolation allows for enhanced LAN security from the BMS/WAN/Cloud. Besides connectivity to the Cloud the FPC-N64 also offers a secure VPN connection for remote diagnostics and maintenance of local equipment from a remote site.

Every ProtoNode Gateway is preprogrammed to seamlessly connect one or many OEM devices into BMS networks and instantly Cloud-enable building infrastructure equipment. In addition to the two Ethernet ports, the ProtoNode Gateway also includes one RS-485/RS-232 port and one RS-485 port.


With the ProtoNode Gateway, multiple serial and Ethernet devices can be connected to a wide range of field protocol networks including BACnet MS/TP, BACnet/IP, Metasys N2, SNMP, XML over HTTP, EtherNet/IP, DNP 3.0 and many others. OEM engineers will find this flexibility allows them to address virtually any customer’s network communication and BMS needs in a secure manner.

The ProtoNode Gateway allows for an easy connection to disparate subnets and for a secure remote connection to cloud connected devices putting the building owners mind at ease about cyber security.

To learn more, contact us today!

Richard Theron
Richard Theron is the product line manager for FieldServer at MSA, where he works intimately with companies in the building automation, industrial automation, energy management and life safety markets to help them cloud-enable their equipment.

Read This Next

Industrial Fire and Gas Protection and Detection: 3 Questions to Help You Evaluate Your Performance

If you’re in the life and safety business, you’re also in the business of asking the hard questions so you can ensure the safety of your people, places, and high-value...
Keep reading