Since December 2015 I've had a bit of an unhealthy obsession with building management systems. Having first identified a building that shouldn't have been on the internet (see itnews.com.au/news/the-it-flaw-that-left-an-aussie- natsec-agency-base-open-to-attack-459743) I had enumerated facilities from airports to nuclear reactors in Australia. This is not however all bad news. Over the past 18-24 months Ive had a range of outcomes with stakeholders from legal threats all the way to pragmatic approaches to securing applications and environments and I wanted to share the lessons I've learnt.