Why MQTT
MQTT improves security while removing most of the complexity of conventional building automation networking.
What MQTT Is
MQTT (Message Queuing Telemetry Transport) is a lightweight publish/subscribe messaging protocol designed for constrained devices and unreliable networks. Originally developed by IBM for satellite-linked oil pipeline telemetry, it has become a dominant protocol in IoT deployments worldwide.
Publish/Subscribe vs. Request/Response
Traditional BAS protocols use request/response: the head-end polls each device for its current values. This requires the head-end to maintain connections to every device and creates traffic proportional to the number of points being monitored.
MQTT uses publish/subscribe: devices publish their data to named topics on a central broker. Any number of subscribers can receive that data without the device knowing or caring who is listening. Commands flow in the reverse direction — riot publishes changes to device-specific topics, and the device receives them instantly. This bidirectional communication over a single outbound connection is what makes MQTT fundamentally different from traditional BAS protocols.
Outbound Only
MQTT connections are outbound only — the device initiates the connection to the broker over TLS. No inbound firewall ports need to be opened. No VPN tunnels need to be maintained. The building's network attack surface is unchanged by connecting devices to riot.
Bandwidth and Reliability
- Lightweight framing — MQTT's fixed header is as little as 2 bytes, a fraction of the bandwidth consumed by equivalent BACnet or HTTP traffic.
- Quality of Service levels — QoS 0 (fire-and-forget), QoS 1 (at least once delivery), QoS 2 (exactly once delivery); delivery guarantees are handled by the protocol itself.
- Persistent sessions — if a device temporarily loses connectivity, the broker queues messages and delivers them when the connection resumes.
- Keep-alive heartbeat — built-in connection monitoring detects silent failures within seconds.
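As an added illustration of the framing and QoS flags listed above (not code from riot or from any MQTT library), the following hypothetical Python helpers build and parse an MQTT 3.1.1 PUBLISH packet, including the check a broker or device should make that the declared remaining length matches the bytes actually received. The topic and the temperature reading are constructed sample values.

```python
import struct

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 = more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        byte |= (0x80 if n else 0)
        out.append(byte)
        if not n:
            return bytes(out)

def decode_remaining_length(buf: bytes, offset: int = 1):
    """Return (remaining_length, offset_after_it); reject encodings longer than 4 bytes."""
    multiplier, value = 1, 0
    while True:
        byte = buf[offset]
        value += (byte & 0x7F) * multiplier
        offset += 1
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")

def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    """Fixed header (type 3 + QoS flags, remaining length) + variable header + payload."""
    topic_b = topic.encode("utf-8")
    var_header = struct.pack("!H", len(topic_b)) + topic_b
    if qos > 0:  # QoS 1 and 2 carry a packet identifier so delivery can be acknowledged
        var_header += struct.pack("!H", packet_id)
    body = var_header + payload
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body)) + body

def parse_publish(pkt: bytes) -> dict:
    """Parse a PUBLISH packet, refusing it if the declared length and real size disagree."""
    if pkt[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (pkt[0] >> 1) & 0x03
    remaining, pos = decode_remaining_length(pkt)
    end = pos + remaining
    if end != len(pkt):
        raise ValueError("declared length does not match packet size")
    (tlen,) = struct.unpack("!H", pkt[pos:pos + 2]); pos += 2
    topic = pkt[pos:pos + tlen].decode("utf-8"); pos += tlen
    packet_id = None
    if qos > 0:
        (packet_id,) = struct.unpack("!H", pkt[pos:pos + 2]); pos += 2
    return {"topic": topic, "qos": qos, "packet_id": packet_id, "payload": pkt[pos:end]}
```

For a 19-byte topic and a 4-byte reading the whole packet is 27 bytes, of which the fixed header is 2; the same reading as a BACnet or HTTP exchange carries far more framing.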
Works Over Any IP Network
MQTT requires only an outbound TCP connection. Devices can connect via standard building Ethernet/WiFi, cellular modems (4G/5G) for sites without IT infrastructure, satellite links for remote installations, or LoRaWAN gateways bridged to MQTT for wireless sensor networks. No special networking equipment, no dedicated VLANs, no BACnet routers, no Modbus gateways.
Security Model
Defense in Depth
- Transport layer — all MQTT connections are encrypted with TLS 1.2/1.3; all browser connections use HTTPS.
- Authentication — per-device MQTT credentials; per-user platform authentication with secure session management.
- Authorization — row-level security in the database, server-side capability checks on every action, and per-site permission scoping.
- Network posture — zero inbound ports required on the building network; devices make outbound connections only.
- Data isolation — multi-tenant architecture with row-level security enforcing strict tenant boundaries at the database level.
Comparison to Traditional Remote Access
Traditional BAS remote access typically requires one of:
- Port forwarding — exposing the head-end directly to the internet, widely regarded as the single largest cybersecurity risk in building automation.
- VPN tunnels — client software on every workstation, IT department management, and ongoing credential administration.
- Third-party remote access tools — another vendor, another attack surface, another set of credentials.
riot requires none of these. The device reaches out to the broker. The user reaches out to the platform. Both connections are outbound, encrypted, and authenticated. The building network remains closed.