Making a building smart generally means connecting the systems that control heating, lighting and security to the internet and the wider corporate network.

There was a compelling reason for doing this, said Andrew Kelly, principal security consultant at defence company Qinetiq.

....

An attack on US retailer Target, in which millions of customers' credit card information was stolen, was traced back to the heating and ventilation system.

And, at the beginning of the year, a Ukrainian power station was hacked. Although spear-phishing - where an employee is duped into bringing malware into the system by clicking on an email or link - was blamed as the means of entry, the result was physical - nearly 80,000 customers were left without power.

Mr Kelly tells the BBC: "We have seen plenty of ransomware attacks where computers are encrypted by hackers and only decrypted if the company pays money, and it is very easy to see a scenario of such an attack on a building management system, where a factory or hospital is disabled and hackers request payment.

"It is on the horizon, it is just a matter of time,"

Mr Kelly has recently conducted a survey of smart buildings, ranging in size from small businesses with just a handful of employees to those with thousands of staff.

It was the building management systems that jumped out as the most vulnerable.

"In all cases, pretty much without fail, these systems had been procured without thought to how to make them secure. I was absolutely shocked," he tells the BBC.

"We saw systems installed with default passwords where it would be a trivial exercise for someone remotely to gain access."