IP Controllers Change the Building Automation Game

Originally published February 2019. Fully revised April 2026 with updated technical guidance and new cybersecurity content.


Picture this. It’s 7 a.m. on a Tuesday. A controls tech is in the basement of a four-story office building, one hand on a flashlight, one hand on a laptop, staring at a BACnet MS/TP trunk that runs across three floors. Something on that trunk is pulling the whole network down. Twenty minutes ago the building engineer called the owner to say the HVAC controls are offline. Now the tech is about to walk the line — controller by controller, forty-something of them — to find the one bad device or the one nicked wire that’s taking everything down with it.

Every controls tech reading this has a version of that story. Every facility director has been on the receiving end of one.

Here’s the thing. The reason that morning is so miserable isn’t the tech’s fault and it isn’t the controllers’ fault. It’s the wiring. Traditional BACnet MS/TP — the two-wire backbone most of us grew up on — is a daisy chain, which is a fancy way of saying every device on the trunk depends on every other device. One bad cable. One accidentally swapped pair when a controller gets replaced. One nicked conductor behind a ceiling tile during a tenant improvement. The whole thing goes quiet.

This is the problem IP controllers were invented to solve.

What IP Controllers Actually Changed

We wrote the original version of this article back in 2019, when Schneider Electric’s SmartX IP line was new enough that it felt like a revelation. Seven years later, IP controllers aren’t new anymore — they’re the default. But the why still matters, especially if you’re writing a spec, planning a retrofit, or wondering whether the aging system in your building needs to be replaced.

The big deal with IP controllers is topology flexibility. With MS/TP, you get one option: a daisy chain. With IP, you can wire your controllers in:

  • A daisy chain (same idea as before, but on Ethernet — so a bad cable doesn’t automatically take down the trunk)
  • A star, where every controller connects directly to a network switch
  • An RSTP ring, where controllers are wired in a loop so a single break still leaves a functioning network

That last one is the quiet hero. Cut an RSTP ring anywhere and what you have is now two daisy chains — both still functional, with the system alarming to tell you exactly where the failure happened. Nobody’s walking the line for three hours at 7 a.m. You know where the break is before you leave your truck.

Private Subnetworks, DHCP, and the IT Department That Doesn’t Want to Talk to You

The other quietly-great thing about modern IP controllers is that they can host their own private subnetwork off the automation server’s secondary IP port. Meaning the forty controllers in your building don’t land on the client’s corporate IT network. They live on a dedicated BAS network that the automation server manages.

For the owner, this matters because IT departments have enough to worry about without inheriting your HVAC controllers. For the engineer, it means DHCP — the automation server hands out IP addresses automatically. No spreadsheet of static IPs. No calling IT to ask for a /24 subnet. Swap a controller, it gets an IP, it starts talking.

This is the boring, unglamorous thing that actually makes IP controllers worth specifying.

The New Chapter: BACnet/SC

OK, here’s what’s changed since we first wrote this article. Everything above — topology flexibility, private subnetworks, DHCP — is still true. Still matters. But it’s no longer the most important conversation in building automation.

The most important conversation is cybersecurity.

In 2021, a European engineering firm lost contact with hundreds of BAS devices after attackers exploited vulnerabilities in the KNX protocol and locked the firm out using the system’s own security key. The attackers essentially bricked the lighting, HVAC, and shutter controllers for an entire office building. The engineering firm had to manually flip circuit breakers to turn on the lights. Let that sink in — a modern commercial office building reduced to operating on wall switches because someone exploited a controls protocol over the internet. More horror stories are documented in the published paper “On building automation system security,” by Morales-Gonzalez et al. (May 27, 2024).

That wasn’t a one-off. According to a 2025 report from Claroty, 75% of organizations have building management systems with known exploitable vulnerabilities — many tied to active ransomware campaigns. Forescout’s 2024 threat data showed attacks on building automation protocols grew from 1% of OT attacks in 2023 to 9% in 2024. That’s a ninefold increase in a year.

Enter BACnet/SC (Secure Connect).

BACnet/SC is an addendum to the BACnet standard, ratified by ASHRAE in 2019 and now supported by Schneider, Siemens, Automated Logic, Trane, Honeywell, and most of the major BAS manufacturers. It uses TLS encryption — the same encryption your bank’s website uses — to authenticate every device on the network and encrypt every message between them.

In practical terms: if an attacker manages to tap into the BAS network, they can’t read the traffic and they can’t impersonate a device, because every device has to present a valid certificate to participate at all.

BACnet/SC doesn’t replace BACnet/IP. It complements it. Existing BACnet/IP and MS/TP devices can still be used on a BACnet/SC network via BACnet routing, so this isn’t a rip-and-replace proposition. But if you’re specifying new BAS work in 2026 and you’re not asking about BACnet/SC compatibility, you’re already behind.
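
Because BACnet/IP devices stay on the network during a phased move to BACnet/SC, it helps to know which controllers still send unencrypted frames. The following is an added example, not code from this article or from any vendor: it recognizes plain BACnet/IP frames by their 4-byte BVLL header (type 0x81, function, length) in captured UDP payloads. It assumes the default BACnet/IP port 47808; the function names, addresses, and sample records are constructed for illustration.

```python
import struct
from collections import defaultdict

BACNET_IP_PORT = 47808        # 0xBAC0, default BACnet/IP UDP port (assumed unchanged)
BVLL_TYPE_BACNET_IP = 0x81    # first byte of every BACnet/IP frame
BVLL_FUNCTIONS = {
    0x00: "BVLC-Result",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}

def parse_bvll(payload: bytes):
    """Return the BVLL function name for a well-formed BACnet/IP frame, else None."""
    if len(payload) < 4:
        return None
    bvll_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvll_type != BVLL_TYPE_BACNET_IP:
        return None
    if length != len(payload):   # length field counts the whole frame, header included
        return None
    return BVLL_FUNCTIONS.get(function, f"function-0x{function:02X}")

def cleartext_talkers(records):
    """Map each source address to the sorted BVLL functions it sent in cleartext."""
    seen = defaultdict(set)
    for src, dst_port, payload_hex in records:
        if dst_port != BACNET_IP_PORT:
            continue
        name = parse_bvll(bytes.fromhex(payload_hex))
        if name:
            seen[src].add(name)
    return {src: sorted(names) for src, names in seen.items()}

# Constructed sample records: (source IP, UDP destination port, payload as hex)
SAMPLE = [
    ("10.20.0.31", 47808, "810b000c0120ffff00ff1008"),  # broadcast (Who-Is)
    ("10.20.0.31", 47808, "810a000801001008"),          # unicast NPDU
    ("10.20.0.57", 47808, "81050006003c"),              # foreign device registration
    ("10.20.0.40", 47808, "1603010005"),                # not BACnet/IP: wrong type byte
    ("10.20.0.44", 47808, "810b000c0120"),              # truncated: length mismatch
    ("10.20.0.12", 53,    "810b000c0120ffff00ff1008"),  # other port: ignored
]

if __name__ == "__main__":
    for src, functions in cleartext_talkers(SAMPLE).items():
        print(src, "still sends cleartext BACnet/IP:", ", ".join(functions))
```

Any source this reports is a device whose traffic an on-path observer can read, so it belongs either behind a BACnet router on the isolated BAS network or on the list for BACnet/SC replacement.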

What This Means If You’re Specifying or Operating a Building

If you’re a specifying engineer: BACnet/SC compatibility should be in your new BAS specs. Topology flexibility (star, daisy chain, or RSTP ring) should be assumed, not optional. If you’re still writing specs that call for MS/TP-only controllers on a new building, you’re designing a system your owner will regret in five years.

If you’re a facility manager or building owner: Ask your controls contractor two questions. First — is our BAS network isolated from the corporate IT network? Second — what’s the plan for BACnet/SC? The answers will tell you a lot about whether your contractor is operating in 2026 or 2016.

The Real Point

The buildings industry moves slowly. Standards that IT has taken for granted for twenty years are just now becoming normal in BAS. That gap is closing — but not fast enough, and not without owners asking hard questions.

Your building automation system isn’t a thermostat. It’s a network with access to your lighting, HVAC, access control, energy metering, and in a lot of cases, your cameras and card readers. Treating it like critical infrastructure — because it is — isn’t paranoid. It’s overdue.


Athena Chiera is Vice President of Business Development at Athena Engineering, Inc. — a Southern California HVAC and building automation firm that self-performs both sides and has been doing it since 1984. She grew up in the family business before coming back to run BD. Reach her at amc@athenaengineering.com.