"It seems like the integrators aren't patching these devices," Rios said. "The problem is the patch is not getting applied to the device on the Internet, and that is the integrator's responsibility."
Graves said Tridium continues "to work with our system integrators and customers to address the problem through seminars, forums and on-line training about security best practices."
With Google's system, it also appeared the integrator reused login and password credentials for the Web-based control panel. "It very much highlights the poor security practices being used by integrators all over the world," Rios said.
Google's NiagaraAX system was connected via a digital subscriber line that the company may not have even been aware of, Rios said. Many ICSes installed by system integrators are not incorporated directly into a company's networks, which may allow them to escape regular security scans.
Hardware devices running NiagaraAX also may have two network ports: one connected to the DSL line administered by the systems integrator, the other connected to the company's internal network, McCorkle said.
The meeting of those two connections is gold for a hacker.
"That is one of the classic ways these devices get connected to the corporate network," Rios said. Attackers find the ICS on the Internet, compromise it and then use it "as a lily pad to get on the corporate network," he said.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk