Good to see the report on Target's penetration through its remote heating and cooling controls. These and a slew of other building automation systems are often run on central computers along with data processing. Data processing may be protected but the other systems often are not, for IT sec tends to focus on the data of businesses housed in a structure but not the systems running or monitoring the structure with its operating systems most often overseen by maintenance and operation staff seldom skilled in cybersec.

We have seen quite a few buildings with decent data protection and building physical and electronic security systems, but lacking oversight of the security of building automation systems often remote from the facilities with 24x7 access, and from there who knows where else -- central automation firms may link up to hundreds of other buildings in a batch of countries.

Critical infrastructure protection seldom covers the great variety of buildings. Some use the same Internet connection, separated only by software and folders, with folders of the automation system in obscure locations seldom seen by principal IT data admins. Different duties, contracts, staff, budgets. Much interest in data security, hardly any for automation security.

This is not the case for experienced designers, constructors and operators of buildings. Although compartmentalization among them continues to erect easy to penetrate "firewalls" and gaps of responsibility. Spies very much like the porosity and attention to data protection.
Building data security from 1995: http://cryptome.org/datasec.htm Much changed since then.
John Young