Before You Design That BAS: Questions Engineers Should Ask Building Owners and IT Teams


By: Douglas Frey, PE, LEED AP, Vice President

Let’s be honest: Designing a building automation system (BAS) today isn’t just about controlling HVAC and lighting. It’s about navigating firewalls, VLANs, cybersecurity frameworks, and cloud policies. If you’re an engineer walking into a kickoff meeting with a building owner and their IT department, you need more than your spec sheets. You need the right questions.

Here’s a field-tested list of questions that can save you headaches down the road, inspired by real-world projects and best practices from pros in the trenches.

  1. What type of communication do you want in your BAS network?
    The answer(s) to this question can dictate the answers to many other BAS network issues. IP-based communication is faster but creates potential security issues. MS/TP-based communication is slower, but it’s more secure and out of the purview of IT.
  2. What level of redundancy do you want in your BAS communication network?
    Ring, star, hybrid, and many other types of topologies are available for both IP-based and MS/TP-based systems, with varying levels of installation cost, equipment maintenance, and communication redundancy. Most buildings will use a mix of topologies. Understanding the importance of each system will help tailor the topology to the risk and reduce cost while keeping critical systems operational.
  3. What’s the process for getting third-party devices approved for use on an IT network?
    Some enterprises have lengthy review processes for third-party devices like BAS network engines and IP-based controllers. Anything that is on the enterprise IT network must be reviewed for compliance with the client’s security policies and requirements. This process can take months, or even years. Has this delay been factored into the construction schedule? Are any network layout decisions available that can limit the impact of this review? The review process can dictate how the system is designed.
  4. What are your cybersecurity policies for third-party systems?
    In a recent high-rise BAS replacement project, the client’s IT team required all BAS devices to comply with their enterprise cybersecurity framework, meaning encrypted traffic, password policies, and regular firmware updates. If you don’t ask this question up front, you might specify devices that get rejected later.
  5. Will the BAS be on a dedicated network or shared?
    A hospital project on the East Coast ran into trouble when the BAS was placed on the same network as patient records. IT quickly shut it down. Lesson learned: Always ask if the BAS will live on its own VLAN or piggyback on existing infrastructure.
  6. Who manages the network: IT or facilities?
    This one’s deceptively simple. In a recent project, the facilities team assumed IT would handle switch configurations. IT assumed the opposite. The result? Delays and finger-pointing. Clarify roles early.
  7. What are your remote access requirements?
    Some owners want remote access via VPN with multi-factor authentication. Others want zero remote access. In one LEED-certified building, the owner insisted on a cloud dashboard, but IT required a secure tunnel and monthly access audits.
  8. Do you require encrypted communication between devices?
    If your controllers talk in plain text, they might be flagged by IT. Ask if TLS or other encryption protocols are required. Some enterprise clients won’t allow anything less.
  9. What’s your policy on cloud-based services?
    Cloud analytics are hot—but not every IT team is on board. A data center in Texas banned cloud connections entirely due to compliance concerns. Knowing where your client stands can drive the decision between a cloud-based solution and a fully independent solution like Trend Sumo®.
  10. Are there existing VLANs or subnets for building systems?
    The answer to this question affects topology design. If the building already has a “BAS VLAN,” you’ll need to integrate cleanly. If not, you might be designing from scratch.
  11. What are your IP addressing requirements?
    Static or DHCP? Reserved ranges? Naming conventions? These details matter. One integrator had to reprogram 200 devices because they didn’t follow the client’s IP schema.
  12. Do you require MAC address whitelisting or port security?
    Some IT departments lock down switch ports to prevent rogue devices. If your BAS gear isn’t whitelisted, it won’t connect. Increasingly, 802.1X authentication is being used. Ask early.
  13. What’s your backup power strategy for network equipment?
    If your BAS depends on network switches, those switches need UPS backup. Otherwise, your controls go dark during outages. Ask if IT has a power redundancy plan for edge devices.
  14. How is network monitoring handled?
    Will IT monitor the BAS network with SNMP or Syslog? If so, you’ll need to configure devices to support it. This issue is often overlooked until commissioning, and it can delay turnover.
  15. What’s your policy on firmware updates and patching?
    Some IT departments require regular patching schedules and may even want to test updates in a sandbox. Ask who’s responsible, how updates are approved, and whether downtime windows are available.
  16. Will the BAS need to integrate with other enterprise systems?
    Think energy dashboards, CMMS, or even Enterprise Resource Planning (ERP) platforms. Integration can affect protocol choices (BACnet/IP vs. MQTT) and data formatting. Ask if APIs or middleware are already in place.
  17. Are there data retention or logging requirements?
    Some owners want 3+ years of trend data for ESG reporting or fault diagnostics. That requirement affects storage sizing and cloud-vs.-local decisions. Ask if data needs to be archived or exported regularly.
  18. What’s your incident response plan for OT systems?
    This is rarely discussed but critical. If a BAS device is hacked, who gets notified? What’s the containment plan? Is there a cybersecurity insurance policy that covers OT systems?
  19. Do you require compliance with standards like ISO 27001 or NIST?
    Some owners—especially in finance or healthcare—require strict compliance. This policy can affect device selection, documentation, and even how you handle updates.
  20. What’s your preferred method for firmware and software updates?
    Some IT teams want full control. Others are hands-off. One BAS integrator was locked out of updating devices because IT hadn’t approved the update process.
  21. Who owns the BAS network after commissioning?
    Is it IT? Facilities? A third-party service provider? Ownership affects maintenance, troubleshooting, and future upgrades.
  22. Bonus: Ask about AI and machine learning.
    Some newer services offer predictive maintenance and energy optimization using AI. If this is on the roadmap for the client, it may affect hardware selection, remote access setup, data architecture, and even sensor density.
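
A pre-submittal check for questions 10 through 12, added here as an example (it is not code from GBA or any owner): it validates a device schedule against the owner's BAS subnet, reserved static range, and naming rule, and flags duplicate or malformed IP and MAC entries before the list goes to IT for port security. The subnet, range, naming pattern, and device rows are constructed assumptions.

```python
import ipaddress
import re

# Constructed owner answers to questions 10-12 (assumptions, not from the article).
SUBNET = ipaddress.ip_network("10.40.20.0/24")            # existing "BAS VLAN"
STATIC_LO, STATIC_HI = map(ipaddress.ip_address, ("10.40.20.10", "10.40.20.199"))
NAME_RULE = re.compile(r"[A-Z]{3}-(AHU|VAV|JACE)-\d{3}")  # hypothetical naming rule

SCHEDULE = [  # constructed device schedule: (hostname, ip, mac)
    ("CHI-AHU-001", "10.40.20.10", "00:1A:2B:3C:4D:01"),   # clean row
    ("CHI-VAV-014", "10.40.20.250", "00-1a-2b-3c-4d-02"),  # outside static range
    ("vav15", "10.40.30.12", "00:1A:2B:3C:4D:03"),         # bad name, wrong subnet
    ("CHI-VAV-017", "10.40.20.10", "001A.2B3C.4D02"),      # duplicate IP and MAC
    ("CHI-VAV-018", "10.40.20.300", "00:1A:2B:3C:4D"),     # malformed IP and MAC
]

def normalize_mac(mac):
    """Strip common separators; return 12 lowercase hex digits or None."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def validate(schedule):
    """Return {hostname: [issues]} for rows that violate the owner's schema."""
    problems, seen_ip, seen_mac = {}, {}, {}
    for name, ip_text, mac_text in schedule:
        issues = [] if NAME_RULE.fullmatch(name) else ["name"]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
            issues.append("ip-format")
        if ip is not None:
            if ip not in SUBNET:
                issues.append("subnet")
            elif not STATIC_LO <= ip <= STATIC_HI:
                issues.append("range")
            if ip in seen_ip:
                issues.append("dup-ip:" + seen_ip[ip])
            seen_ip.setdefault(ip, name)
        mac = normalize_mac(mac_text)
        if mac is None:
            issues.append("mac-format")
        elif mac in seen_mac:
            issues.append("dup-mac:" + seen_mac[mac])
        else:
            seen_mac[mac] = name
        if issues:
            problems[name] = issues
    return problems
```

Rows that come back from `validate(SCHEDULE)` are the ones to correct before devices are programmed; duplicate MACs are reported against the first hostname that claimed them, regardless of separator style.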

Final Thoughts

The best BAS designs start with the right conversations. These questions aren’t just technical; they’re strategic. They help you build trust, avoid rework, and deliver systems that work for everyone: engineers, owners, IT teams, and occupants.

Want to make your next BAS installation or upgrade go smoother? Want to add data analytics to your BAS without creating IT security risks? Contact our experts today to learn about how we can help you move forward with a secure and stable system.

Image Source: iStock.com/NicoElNino

Doug Frey is responsible for supporting company growth and success in the healthcare, hospitality, and education sectors. He has extensive experience in environmentally friendly HVAC, plumbing, and electrical system design for all types of buildings, as well as existing condition assessments and master planning. He is a licensed Professional Engineer in Illinois, Michigan, North Carolina, Texas, and Wisconsin, and has been a LEED Accredited Professional since 2009. He is a member of ASHRAE.
