Re: Sadly unsurprising
It does depend on what's hooked up to a BMS though. We sell kit that only has a one-way connection. So we don't have to worry about security. We just output a few different kinds of fault flag, with a different connection for each. So the BMS can't screw up our kit's controls - which can only be done with physical access.
Except we do have some variable speed stuff that takes information from the air-conditioning on how fast to spin the fans. So you might be able to do some damage by continuously teling it to change motor speeds.
You can do lots of damage with direct control of pumps and valves. If I have control of a pump and a single outlet several floors up in a high rise building, then I can create a vacuum in the sytem, turn the pump back on and create massive water hammer - and spike the pressure up to way more than the pipes will stand. If you've got a pump operating at 10 litres/second at 5-10 bar, then that's an awful lot of water spraying around everywhere. And lots of pipe joints you're going to have to go and fix. You can also knacker electric motors by rapidly switching them on and off - if people have disabled their normal protection when giving control the BMS.
Not to mention the gas system and boilers.
I remember writing something ten years ago, when were looking at using wireless sensors/controls. Saying that it was too scary to do, and that wires were cheaper and less hassle. Giant water tanks and concrete basement plantrooms tend to bugger up your signals anyway - but the security problems are just as bad - particularly given that's an area we have no experience or expertise in. And neither does anyone else in the industry.