BERTBrain Gateway – Secure & Flexible Control

The BERTBrain Gateway is the central hub for managing BERT plug load and hardwired device controls. It supports both cloud-connected and on-premises deployments, providing robust, secure, and scalable infrastructure for your energy management needs.

Gateway_Connection_BERTBrain Integration

Each gateway can handle up to 500 Berts. Gateways can be installed in a centralized location or distributed throughout individual buildings.

Case Studies Brochure

Deployment Options

Cloud-Connected (Recommended)

Automatic software updates and feature enhancements
Seamless scalability and centralized management
Extensive, real-time alerts and notifications
Remote diagnostics and support
Access to advanced integrations, including AI/ML analytics (coming soon)
Automated, off-site backup of schedule and energy usage data
Offline functionality – operates without cloud connection, ensuring reliability

On-Premises

Local-only data storage and processing
No external connectivity requirements

Hardware & Network Requirements

Static IP Address

All BERT devices communicate exclusively with the BERTBrain Gateway’s IP
Network Connection
Wired LAN strongly preferred for reliability and performance
Wi-Fi supported (WPA/WPA2-Enterprise or PSK, MAC authentication optional)

Storage

Minimum 128GB onboard (multi-year data retention)
Expandable via NAS or external USB drive

Feature	Cloud	On-Premises
Automatic Updates	Yes	Manual/Local
Automatic Backup	Yes	Manual/Local
Remote Support	Yes	Optional (VPN required)
Remote Management	Yes	Optional (VPN required)
External Integrations	Yes	No
Data Residency	AWS (encrypted)	Local Storage
Real-time Alerts	Yes	Limited
SSO/OAuth	Yes	Yes
Network Isolation	VLAN/Wi-Fi supported	VLAN/Wi-Fi supported
Security	TLS, VPN, Signed Updates	TLS, Signed Updates

Security Architecture

Gateway Security

No Public Inbound Access

All connections are outbound initiated only

Outbound Communication

HTTPS over TLS 1.2/1.3 (AES-256-GCM encryption, SHA-256 integrity)

Device Authentication

Device-specific API keys (securely provisioned and stored)
Mutual authentication for MQTT (port 8883, TLS)

Operating System Hardening

Read-only root filesystem
Signed OTA updates (RSA-2048 signatures)
Protection against unauthorized modifications

Cloud & Data Security

Cloud Infrastructure

Hosted on AWS, leveraging AWS best practices

Private Connectivity

AWS Site-to-Site VPN (IPsec with AES-256, SHA-256)

Data Encryption

All data encrypted in transit and at rest
HTTPS with AWS-managed certificates (ECDSA P-256 or RSA-2048)
MQTT over TLS with X.509 certificates
AWS Signature Version 4 (HMAC-SHA256) for API integrity
Network Segmentation & Device Isolation

Device Network Isolation

BERT devices can be placed on a dedicated VLAN or isolated subnet
MAC authentication and/or WPA/WPA2-Enterprise for wireless security

Identity & Access Management

Single Sign-On (SSO)

Agnostic to provider – supports third-party OAuth integrations

Role-Based Access

Granular permissions for local and remote management

Maintenance & Support

Automatic Updates

Cloud-connected gateways receive security patches and new features automatically

Remote Support

Secure remote diagnostics and troubleshooting (cloud)

Local Management

Basic functionality available offline for on-premises deployments

Additional Recommendations

IT Security

Place the Gateway and BERT Controls on a dedicated management VLAN (IoT)
Restrict outbound traffic to only required endpoints and ports
Regularly review device authentication credentials and update as needed

Scalability

Consider cloud mode for multi-site or enterprise-wide deployments
Use on-premises mode for air-gapped environments