Pen Test Partners have been reviewing the security of Building Management Systems (BMS), and the findings are not good; see their article here:
“The controller security has improved some, but we’ve found large numbers installed on the public internet, unprotected, with complete authentication bypass in some cases!
We found them in military bases, schools, government buildings, businesses and large retailers among many. Ripe for compromise of these organisations.
We also found some that had already been compromised to a point by malware. Further compromise would be trivial.”
“It’s about lax installers NOT vendors
Most of these issues have been caused by HVAC & BMS installers, rather than the vendor. The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements though.”