Building Automation System (BAS) Vendor Access Review Guide
BAS Vendor Remote Access Review Guide
Note: This guide is an educational starting point. It is not a substitute for a formal cybersecurity audit, penetration test, or assessment by a qualified industrial cybersecurity professional.
Vendor access to your Building Automation Systems (BAS) can quietly become a security gap over time. This structured guide provides facility and operations teams with a clear, auditable set of questions to review and strengthen their third-party remote access posture.
What You Get:
- Structured Audit: A comprehensive, fillable form designed to be completed for each vendor with remote BAS access.
- Targeted Questions: Covers critical areas including Purpose & Scope, Access Method & Technology, Credential & Authentication Controls, Session Monitoring & Oversight, and Contract & Agreement Status.
- Risk Identification: Includes a dedicated section (Section G) to flag common security concerns, such as shared credentials, lack of MFA, or internet-facing access.
- Action Planning: A final section (Section H) to document follow-up actions, assign owners, and set target dates for remediation.
- Clear Picture: Helps you build a clear, informed picture of what's in place and identify gaps so you can have productive conversations with your IT, OT, and security teams.
Suggested Use Frequency: Annually, or whenever a vendor changes personnel, access method, or scope of work.
- By SCADA & Beyond with Alana