Consulting engineers writing BAS specifications in 2026 are increasingly being asked by IT departments to justify their network design in security terms – TLS, PKI, segmentation, monitoring, audit logging, and Zero Trust architectures. Integrators deploying BACnet/SC are discovering that the protocol solves some problems, but also introduces new operational questions around hubs, certificates, and network architecture.
The new Secured by Cimetrics™ BACnet Network Design Guide v1.0 was written for exactly those conversations.

The guide is aimed at consulting engineers, system integrators, and IT departments designing BACnet/SC, BACnet/IP, and MS/TP networks. Rather than focusing on device configuration, it focuses on architecture: segmentation, certificate infrastructure, hub sizing, firewall policy, IT/OT coordination, and deployment patterns for both greenfield and retrofit BAS projects.
One of the strongest aspects of the guide is its use of ISA/IEC 62443 “Zones and Conduits” concepts to frame BAS security. In this model, segmented BACnet networks become Security Zones, while the communication paths between them are controlled through BACnet Network Segmentation Devices (BNSDs) acting as secure conduits.
That architecture maps directly onto the Secured by Cimetrics™ product family:
- SbC4000 and SbC410x platforms operate as BACnet/SC hubs and Site Certificate Authorities for BACnet/SC identity management.
- SbC3100 and SbC3200 BNSDs enforce network policy and BACnet firewall rules between segments.
- BACnet Authentication and Authorization (ANSI/ASHRAE Standard 135-2024 Clause 17) provides the per-operation authorization model often associated with Zero Trust architectures.
The guide makes an important distinction that is often blurred in BAS discussions: BACnet/SC is not itself a Zero Trust architecture. BACnet/SC authenticates devices and encrypts communications, but Clause 17 is where BACnet device authentication and authorization actually live. The guide uses this distinction to explain how identity, network policy, and authorization work together as separate security layers.
What makes the document useful is that it stays grounded in deployment realities. Instead of generic cybersecurity language, it includes practical engineering guidance, such as:
- Reference architectures for BACnet/SC retrofits, large campuses, and multi-building portfolios
- BBMD topology guidance for BACnet/IP networks
- Deployment strategies for BACnet/SC across NAT’d VLANs without inbound port forwarding
- Certificate lifecycle and CSR workflows for multi-vendor environments
- Pre-Design, Specification, and Installation Verification checklists written as verifiable engineering checkpoints
The result is a working design reference for engineers navigating the transition from traditional BACnet/IP networks to segmented, certificate-managed BAS infrastructures.
The industry has spent years talking about secure BAS architectures in abstract terms. This guide attempts to document what those architectures actually look like in practice.
The Cimetrics article “What is BACnet Secure Connect and Why It Matters” provides a practical introduction to BACnet/SC concepts. The Automated Buildings article “How Digital Certificates Are Used in BACnet/SC” covers digital certificate management in depth. The Whole Building Design Guide (WBDG) Cybersecurity Resource provides the broader facility OT/ICS security context within which BACnet security should be evaluated.