When working for Applied Risk I got to contribute to research for hacking Building Mangement Systems. The research was lead by Gjoko Krstic. It started when he came to me with post-auth command injection for a BMS, and I helped with making it pre-auth. We'd found bugs and created exploits for multiple BMS's for owning buildings over the internet.
Gjoko gave a talk at HITB about the research. You can view it here.
The paper is finally published that lists all vulnerabilities and exploits from the research.