
BAS Cybersecurity Hardening Acceptance Checklist

Acceptance inspection for building automation system (BAS/BMS) cybersecurity hardening before owner turnover, covering credential changes, network segmentation, firmware status, remote access controls, and baseline documentation.

Inspection Details and Scope

  • Project or site name recorded
  • BAS/BMS scope and covered systems identified
  • Owner turnover or acceptance date recorded
  • Inspector and responsible commissioning contact identified

Credential and Account Hardening

  • All vendor and factory default passwords changed
    Verify that no default passwords remain on controllers, servers, gateways, workstations, or network devices.
  • Unique user accounts are used for administrative access
    Shared administrative logins should not be used for routine BAS administration unless explicitly approved and documented.
  • Inactive, test, and temporary accounts removed or disabled
    Confirm that accounts created for installation, testing, or factory support are disabled or removed before turnover.
  • Password policy meets site minimum requirements
    Verify minimum length, complexity, and change requirements are documented and enforced where supported by the platform.
  • Administrative access is limited to authorized personnel
    Confirm access lists are restricted to approved owner, integrator, and support personnel with a documented need.

Network Segmentation and Architecture

  • BAS network is segmented from enterprise user networks
    Verify separation using VLANs, firewalls, ACLs, or equivalent controls.
  • Internet-facing BAS devices are prohibited or explicitly approved
    Confirm no BAS controllers, HMIs, or gateways are directly exposed to the internet unless formally approved and risk-assessed.
  • Firewall rules and allowed ports are documented
    Verify that inbound and outbound rules supporting BAS communications are documented and limited to required services.
  • Remote vendor access traverses a controlled jump path
    Confirm remote support access uses an approved VPN, jump host, or secure gateway rather than direct device access.
  • Network diagram reflects current BAS topology
    Verify the as-built network diagram shows controllers, servers, gateways, firewalls, and remote access points.
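The "firewall rules and allowed ports are documented" item is easiest to verify mechanically: compare the rule set actually loaded on the enterprise/BAS boundary against the services the design document permits. The following script is an added example, not part of this checklist or any vendor tool; the allowlist, rule format, zone name and addresses are constructed for illustration and would be replaced by the site's own documentation and firewall export.

```python
"""Audit allow rules into the BAS zone against the documented service allowlist.

Added illustration: REQUIRED_SERVICES and SAMPLE_RULES are constructed data,
not a real site's configuration. Source matching is exact-string; a real audit
would expand CIDR blocks with ipaddress before comparing.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: BACnet/IP (UDP 47808) only from the supervisory server,
# HTTPS to the BAS web front end only from the approved jump host.
REQUIRED_SERVICES = {
    ("udp", 47808): {"10.20.0.10"},
    ("tcp", 443): {"10.50.0.5"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source address or "any"
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port; None means any port
    dst_zone: str          # zone the rule targets


def audit_rules(rules, allow=REQUIRED_SERVICES, bas_zone="BAS"):
    """Return (rule name, finding) pairs for allow rules into the BAS zone
    that are broader than the documented allowlist. Deny rules are ignored."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone != bas_zone:
            continue
        if r.proto == "any" or r.dport is None:
            findings.append((r.name, "permits any protocol/port into BAS zone"))
            continue
        key = (r.proto, r.dport)
        if key not in allow:
            findings.append((r.name, f"{r.proto}/{r.dport} is not a documented BAS service"))
        elif r.src == "any" or r.src not in allow[key]:
            findings.append((r.name, f"source {r.src} not approved for {r.proto}/{r.dport}"))
    return findings


# Constructed rule set resembling what a commissioning team might leave behind.
SAMPLE_RULES = [
    Rule("bacnet-from-supervisor", "allow", "10.20.0.10", "udp", 47808, "BAS"),
    Rule("https-from-jumphost", "allow", "10.50.0.5", "tcp", 443, "BAS"),
    Rule("legacy-any-any", "allow", "any", "any", None, "BAS"),            # commissioning leftover
    Rule("rdp-from-office", "allow", "10.1.0.0/16", "tcp", 3389, "BAS"),   # undocumented service
    Rule("default-deny", "deny", "any", "any", None, "BAS"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Every finding maps to a line item the inspector must either have the integrator fix or record under "open deficiencies" with a compensating control; an empty result is the evidence that the rule set is limited to required services.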

Firmware, Patch, and Device Baseline

  • Controller and server firmware versions documented
    Record firmware or software versions for BAS servers, supervisory controllers, field controllers, gateways, and network appliances.
  • Installed firmware matches approved baseline
    Verify versions are at or above the approved project baseline and do not include known unsupported releases.
  • Security patches and updates applied where supported
    Confirm available security updates have been applied or deferred with documented owner approval and risk acceptance.
  • Default service ports and unused services disabled where feasible
    Confirm unnecessary services, ports, and protocols are disabled or blocked at the device or network layer.
  • Device backup or restore image captured
    Verify a current configuration backup or restore image exists for critical BAS servers and controllers.
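The firmware items above ask for three things at once: every device has a recorded version, that version is at or above the project baseline and not on the unsupported list, and critical devices have a captured backup. Version strings must be compared numerically, since a lexical compare puts "4.9" above "4.12". The script below is an added example, not part of this checklist or of any BAS platform; the device types, baseline versions, unsupported releases and inventory rows are constructed for illustration.

```python
"""Compare a BAS device inventory against the approved firmware baseline.

Added illustration: BASELINE, UNSUPPORTED and INVENTORY are constructed data.
A real run would load the integrator's as-built inventory export instead.
"""

# Constructed project baseline, keyed by device type (minimum accepted version).
BASELINE = {
    "supervisory_controller": "4.10.0",
    "field_controller": "2.3",
    "gateway": "1.8.2",
}

# Constructed list of releases the vendor no longer supports.
UNSUPPORTED = {"field_controller": {"2.0.1"}}

# Constructed inventory rows as an integrator might deliver them.
INVENTORY = [
    {"name": "SRV-01", "type": "supervisory_controller", "firmware": "4.12.1", "critical": True, "backup": True},
    {"name": "FC-101", "type": "field_controller", "firmware": "2.3", "critical": False, "backup": False},
    {"name": "FC-102", "type": "field_controller", "firmware": "2.0.1", "critical": False, "backup": False},
    {"name": "GW-01", "type": "gateway", "firmware": "1.8", "critical": True, "backup": False},
    {"name": "FC-103", "type": "field_controller", "firmware": "", "critical": False, "backup": False},
]


def parse_version(text):
    """Turn '4.12.1' into (4, 12, 1); non-numeric suffixes such as '1.8b' are
    reduced to their digits so the comparison stays numeric."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed, baseline):
    """True when installed >= baseline, padding shorter tuples with zeros
    so that '2.3' and '2.3.0' compare equal."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_baseline(inventory, baseline=BASELINE, unsupported=UNSUPPORTED):
    """Return (device name, finding) pairs for every baseline deviation."""
    findings = []
    for dev in inventory:
        dtype, ver = dev["type"], dev.get("firmware", "")
        if not ver:
            findings.append((dev["name"], "firmware version not recorded"))
            continue
        if ver in unsupported.get(dtype, set()):
            findings.append((dev["name"], f"{ver} is a known unsupported release"))
        elif dtype in baseline and not version_at_least(ver, baseline[dtype]):
            findings.append((dev["name"], f"{ver} is below baseline {baseline[dtype]}"))
        if dev.get("critical") and not dev.get("backup"):
            findings.append((dev["name"], "no configuration backup captured"))
    return findings


if __name__ == "__main__":
    for name, finding in check_baseline(INVENTORY):
        print(f"{name}: {finding}")
```

A device with a blank version is reported as a documentation gap rather than silently passed, because an unrecorded version cannot be shown to meet the baseline and the inventory itself is a turnover deliverable.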

Remote Access and Monitoring Controls

  • Remote access is disabled by default when not required
    Verify remote access pathways are closed or disabled unless actively needed and approved.
  • Multi-factor authentication is enabled for remote access where supported
    Confirm MFA is enabled for VPN, remote desktop, cloud portals, or other remote access methods when available.
  • Remote access sessions are logged
    Verify login events, session start/stop, and administrative actions are retained in system logs or SIEM forwarding where available.
  • Time synchronization is configured across BAS devices
    Confirm servers, controllers, and gateways use a consistent time source for accurate event logging and incident review.
  • Security alerts or abnormal access events are reviewed
    Verify there is a defined process for reviewing failed logins, configuration changes, and suspicious remote access activity.
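The logging and review items above are only useful if someone can actually run the "defined process" over the retained events. The script below is an added example, not part of this checklist or of any BAS product, showing the three reviews the checklist names (failed logins, configuration changes, suspicious remote access) over a handful of constructed log lines in a simple key=value format; the event names, hosts, users and addresses are all constructed, and a real deployment would feed it the platform's own audit export or SIEM query results.

```python
"""Review BAS access logs for failed-login bursts, changes by unapproved
accounts, and logins from outside the approved jump path.

Added illustration: SAMPLE_LOG, the event names, and the approved lists are
constructed; the time-window logic assumes all devices share a synchronized
clock, which is why the time-sync item precedes this one on the checklist.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T02:14:05Z bas-srv-01 login_failed user=admin src=10.1.7.22
2024-03-04T02:14:09Z bas-srv-01 login_failed user=admin src=10.1.7.22
2024-03-04T02:14:12Z bas-srv-01 login_failed user=admin src=10.1.7.22
2024-03-04T02:14:15Z bas-srv-01 login_failed user=admin src=10.1.7.22
2024-03-04T02:14:18Z bas-srv-01 login_failed user=admin src=10.1.7.22
2024-03-04T08:02:11Z bas-srv-01 login_ok user=jsmith src=10.50.0.5
2024-03-04T08:05:40Z bas-srv-01 config_change user=jsmith object=AHU-1.setpoint
2024-03-04T09:30:02Z bas-srv-01 login_ok user=vendor01 src=203.0.113.9
2024-03-04T09:31:10Z bas-srv-01 config_change user=vendor01 object=schedule.weekday
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Parse 'timestamp host event k=v k=v' into a dict, or None on a bad line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "event": m["event"], **fields}


def review_log(text, approved_admins, approved_sources,
               fail_threshold=5, window=timedelta(minutes=2)):
    """Return (finding kind, detail) pairs for the reviewer to dispose of."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    findings = []

    # Failed-login bursts: fail_threshold or more failures from one source inside window.
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[e["src"]].append(e["ts"])
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                findings.append(("failed_login_burst",
                                 f"{fail_threshold}+ failures from {src} within {window}"))
                break

    # Successful logins that bypass the approved jump path, and changes by
    # accounts outside the documented administrator list.
    for e in events:
        if e["event"] == "login_ok" and e["src"] not in approved_sources:
            findings.append(("unapproved_source", f"{e['user']} logged in from {e['src']}"))
        if e["event"] == "config_change" and e["user"] not in approved_admins:
            findings.append(("unauthorized_change", f"{e['user']} changed {e['object']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_log(SAMPLE_LOG, {"jsmith"}, {"10.50.0.5"}):
        print(f"{kind}: {detail}")
```

The burst detector slides a window across the sorted failure times per source, so a slow trickle of failures below the threshold is not reported while a short cluster is; the threshold and window are parameters because the site's review process, not the script, decides what counts as abnormal.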

Turnover Documentation and Acceptance

  • As-built cybersecurity documentation delivered
    Confirm delivery of network diagrams, account inventory, firmware baseline, backup/restore procedure, and remote access instructions.
  • Open deficiencies and non-conformances documented
    Record any unresolved items, compensating controls, and target dates for closure.
  • Inspector signature completed