Re: Sadly unsurprising
And apparently, the industry is still architecting systems under the same assumptions.
Whilst somebody owning your BEMS or similar and turning the thermostat down, or the aircon off is potentially embarrassing, I can't see it being a popular pastime for that purpose. A more pressing concern might be that if the BEMS is connected to the corporate IT network, can p0wnership of some crapola BEMS or IoT junk lead to real network penetration, and loss of data and IP?
My guess is yes, but I wonder how many IT departments actually manage the BEMS - probably relatively few, with most of them controlled by an IT-illiterate facilities management team.