Read enough stories about security vulnerabilities in industrial control systems and the statistics in them start to blur.

Tens of thousands of control systems connected to the internet, dozens of hardcoded passwords that can’t be changed, untold numbers of backdoors embedded in systems by vendors that hackers can use to remotely control them — these are just a sampling of the problems uncovered by researchers in the last three years.

But statistics like these come into sharp focus when a company like Google is in the crosshairs.

Two security researchers recently found that they could easily hack the building management system for the corporate giant’s Wharf 7 headquarters overlooking the water in the Pyrmont section of Sydney, Australia.

Google Australia uses a building management system that’s built on the Tridium Niagara AX platform, a platform that has been shown to have serious security vulnerabilities. Although Tridium has released a patch for the system, Google’s control system was not patched, which allowed the researchers to obtain the administrative password for it (“anyonesguess”) and access control panels.

The panels showed buttons marked “active overrides,” “active alarms,” “alarm console,” “LAN Diagram,” “schedule,” and a button marked “BMS key” for Building Management System key.

There was also a button marked “AfterHours Button” with a hammer on it.