Separate OT networks: The future of smart buildings

separate OT networks for smart buildings
Separation means OT networks can be aggressively firewalled, or even isolated entirely

With the proliferation of smart devices in buildings around the world, cybersecurity is the concern of the day. There are many potent examples of smart buildings’ triumphs and follies: Target and Home Depot shocked the world with breaches a few years ago; universities, hotels, and others have followed suit. Growth in IoT can only mean increased security risks — right?

The problem isn’t always with smart devices themselves. While there are factory default passwords that often don’t get changed, many smart devices in buildings aren’t being secured the way they ought to be. Operational technology (OT) — including HVAC, lighting, and security — is regularly managed by IT departments alongside computers and phones. This is referred to as convergence, and it’s been seen as the simpler, cheaper approach to building management.

Convergence makes sense for devices with similar characteristics and management needs. This becomes difficult, though, as more OT devices are added to the building networks. Reports show that over eight billion connected devices will be installed globally by the end of 2017. It’s harder for IT departments to manage hundreds of smart OT devices — which often don’t support the traditional IT security methods — at this massive scale. OT devices have characteristic differences in management, Internet access, and update frequency. With OT devices left unsecured and connected to the IT network, hackers can target HVAC, lighting, and the like to reach IT devices and their data.

Of course, OT network security breaches are serious on their own; one Austrian hotel had to pay a ransom after hackers disabled all the doors that were accessible by electronic key-card, for example. Still, backdoor access through OT to supposedly secure data is seriously unsettling. What will hackers find, if they make their way into businesses’, universities’, or even governments’ IT networks? As hackers advance their techniques, it’s important to advance our defenses. Unfortunately, converged networks are an easy opportunity for criminal hackers.

Because OT devices have limited, specific, and predictable needs for Internet access, separation means OT networks can be aggressively firewalled, or even isolated entirely. The limited connection between IT and OT makes the OT network a less appealing target for hackers and mitigates attacks on IT. If the interconnection is necessary, it can be reduced to a single point and monitored closely for any signs of attack; this single point of connection can also be quickly and easily cut off in emergency situations.

It’s not enough to only separate your IT and OT networks. If your OT network is not protected, hackers can still take your device systems hostage and demand a ransom. Disabling security systems can allow criminals to enter your building without detection physically. For a truly impenetrable system, you need to secure both networks properly. Intrusion detection monitoring, locked and disabled ports, and regular monitoring and auditing of the network; these all help to ensure the building is running as it should, and the network is not vulnerable to outside interference.

Controlco and Optigo Networks are both advocates of separate OT networks. As smart buildings become increasingly common, separation is a best practice that cannot be ignored. We’re joining forces to advance the separation of OT networks, with a new primary distribution partnership of Optigo Connect.

Optigo’s suite of hardware products, Optigo Connect, offers easy-to-manage switches available with secure networks and a fraction of traditional infrastructure requirements. This partnership with Controlco makes these packages widely available in North America, with support from a leading operational technology distributor. This partnership makes integrating Optigo Connect and separating networks easier and more affordable.

Smart buildings are the future of where we work, play, and live. As we modernize our spaces, we must also modernize how we manage them.

Visit Controlco to buy Optigo Connect and keep your building secure. Watch our webinar on OT networks and this new primary distribution partnership.

This article was originally published on Automated Buildings.

Recent Blog Posts

Over the years, we’ve dug into solutions for the most common problems we see on BACnet networks: everything from MS/TP issues, to Global Who-Is broadcasts, duplications, and Circular Networks.

When I really think about it, I’m astounded by how much movement and change there is among companies in the building automation industry.

The world of IT does not look quite like it did 40, or even 30 years ago. 

June 12, 2018, Vancouver, BC – Vancouver-based Optigo Networks, the network connectivity, monitoring, and analytics company, has released a new report on the challenges and opportunities for BACnet in smart b

Not so long ago, Penn State had big network problems.

Think tons of network traffic, buildings dropping offline — that sort of thing.

Recent Projects

Penn State University Visual BACnet Site Monitoring Optigo Networks


When Tom Walker first started working at Penn State University four years ago, there were a lot of network issues. Buildings were dropping offline. Broadcast traffic was pushing 90,000 packets per hour. Walker was on the phone almost every single night because devices were down or had to be reset.


Torre Manacar Optigo Networks Optigo Connect Mexico City High-rise shopping centre


When MR Soluciones began work on Torre Manacar, they knew they needed a flexible and scalable network infrastructure to support a wide array of integrated systems. Optigo Networks was a natural fit for the massive project, designing a robust network at a competitive cost.



Short Pump Town Center, an upscale retail center, underwent a complete renovation in 2014. The flexibility of Optigo Networks’ solution meant the retail center’s unknown final design was not a barrier to placing IP surveillance equipment in the field.



Optigo Networks connected New York-based Boulevard Mall’s security surveillance devices in December 2015, using a Passive Daisy Chain topology.

Tech Support Team


One tech support team at a manufacturer purchased an account with Visual BACnet in April 2017, for technical problems around the world.

Aster Conservatory Green


The Aster Conservatory Green is a residential community comprising 352 residences across 24 low-rise buildings. The buildings use advanced surveillance and access control technology, including 40 HD video cameras and 60 FOB-access-tele-entry points for access control.



When Delta Building Automation (Australia) won the BMS Upgrade at 25 National Circuit for the Australian Trucking Association, they partnered with Optigo Networks to create a secure and robust Building Services Network (BSN). Optigo Connect more than delivered on this project with a scalable solution that restored the building network to perfection.

Optigo Connect Seattle Stadium


Optigo Connect offered a simple, cost-efficient solution for a premier Seattle-based stadium. Optigo Networks’ design improved the surveillance system to crystal clear perfection, made it dependable, and allowed the security system to scale with the addition of more than 40 16MP cameras.



Optigo Networks and Controlco offered a secure and scalable solution for four data centers’ HVAC and Access Control systems throughout the United States. Optigo Connect’s performance in the first data center was so impressive, the client asked that Optigo replicate the network design for three other data centers.



Energy analytics company BUENO Systems was working on a mall when the worst happened. The network failed and equipment failed to “ON,” which kept units running 24 hours a day. As it turns out, the mall’s network was overloaded and glitching before BUENO even deployed. It had been for a while. These latent issues were a ticking time bomb and would have resulted in a failure if any new devices were added to the network. Because it was BUENO’s device, though, they had to fix it. The only way to fix it was out of pocket.