But if I had, I'd not have been surprised ... in the least.
It's not just a matter of Tridium-Niagara systems ... a heck of a lot of systems of all sorts still have the factory default user and password left in place. Or a name and password that a particular contractor uses as a default on all installations done by said contractor. Or a single super user name and password used by whoever in the customer's organization (fac depart head for instance) that's good for accessing everything in every site the customer has. Or some other variation of the above.
Of course, that is only one issue ... though the most obvious ... and most easily corrected.
As I previously mentioned, in the case of where I work, one of the very first things we do when the Jace comes out of the shipping box is to change the default user names and passwords. We can't control what the customer-owner does or does not do later ... unless they have specified they want us to handle the security aspects for them (which we'll do if they want) ... but we choose to not be able to be blamed for leaving the factory defaults in place.
But whether or not the customer site employs more and stronger methods ... is really up to them. We advise 'em, but we can't make 'em do a darn thing they don't want to do.
In the case of our own Jace boxes (and other similar devices) we have installed in our own facilities ... our own in house rules require VPN connections for remote access, unique user names and passwords for each of us, etc. Plus our own IT department has other measures in place. i.e. Scan and watch for suspicious activity. Lock out upon failed log-in attempts exceeding a certain number of tries. Only certain, designated, personnel can access certain portions of our in-house network. Likewise only certain personnel can transfer, open, manipulate, or whatever certain file types. And so forth.
But implementing such things takes extra time and effort, also coordination with and assistance from our IT department. Who're very cooperative and used to our needs since the company for whom I work not only does BAS, alarm/security systems, etc but also industrial/process controls systems.
However, a lot of folks and installations ... just don't bother to do much security-wise. Or, the steps taken are haphazard at best.
i.e. One group of sites owned by a customer. VPN is required for remote access. However, if you're on one of the sites, linking in via wifi and their AP, they have a Guest account that's not at all secure, open for use to anyone. And you can get into their BAS system that way. User name and password isn't the Tridium default ... but it's easy as heck to guess ... and will give you unlimited rights and access.
At another set of sites, different customer, non-Tridium system, they've guarded web/browser access well enough ... but telnet is wide open.
Now, our more security conscious customers do a pretty good job of things.
Some more so than others. i.e. With some, if WE want access, to make changes, view and troubleshoot, etc ... it takes a call to their security folks, voice call. You then have to go through an authentication procedure so those folks can reasonably believe you are who you say you are, and then once that's done they issue temporary user name, password, and instructions for a VPN connection which will only work for a specified amount of time.
Still others ... forget it. You gotta go there in person, you'd better have previously submitted all relevant info for background and security check, which has to have been completed before your arrival, have your picture and prints in their files, etc. Then you are given time-limited access.
But ... that's overkill for most customers. As previously discussed, actual threat should be reviewed and decision made as to how much is enough as concerns reasonable precautions.
i.e. If all that's likely gonna happen is someone is gonna make some unauthorized changes to set points that are not likely to damage equipment or endanger life ... probably not worth going through a lot of time and effort security-wise.
OTOH, with some sites, i.e. I can think of a certain high value target which is all Tridium for everything, and the kind of target the bad guys would dearly love to hit ... not even a little doubt in my mind they would if they could ... yah might want to take more steps and precautions.
Personally, I think they have the primary responsibility. Unless they've hired me to be their security consultant/implementer. Otherwise, I take the basic steps, then ADVISE them as concerns others I think should be taken. Whether or not they take the advice is up to them.
Just my opinion, and not worth 2 cents more than that.
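Two of the in-house controls the post describes (lockout after a set number of failed log-in attempts, and checking that factory default accounts are no longer in use) can be expressed as a small log monitor. The following is an added example, not code from the post's author or from Tridium; the log line format, the account names and the thresholds are constructed for the illustration and do not correspond to any real Niagara/Jace log format.

```python
"""
Added example: a failed-login lockout monitor and a default-account check,
run over constructed log lines. The format below is made up for this
illustration; adapt parse_line() to whatever your device or syslog emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, result, source address.
# "admin" is used here as a stand-in for a factory default account name.
SAMPLE_LOG = """\
2024-01-15T08:00:01 user=admin result=FAIL src=10.0.5.21
2024-01-15T08:00:04 user=admin result=FAIL src=10.0.5.21
2024-01-15T08:00:07 user=admin result=FAIL src=10.0.5.21
2024-01-15T08:00:10 user=admin result=FAIL src=10.0.5.21
2024-01-15T08:00:12 user=admin result=FAIL src=10.0.5.21
2024-01-15T08:00:15 user=admin result=OK src=10.0.5.21
2024-01-15T08:01:00 user=jsmith result=FAIL src=10.0.7.3
2024-01-15T08:30:00 user=jsmith result=FAIL src=10.0.7.3
2024-01-15T08:31:00 user=jsmith result=OK src=10.0.7.3
"""

# Hypothetical set of factory/shared account names that should have been
# renamed or disabled at commissioning time.
DEFAULT_ACCOUNTS = {"admin", "guest", "service"}

MAX_FAILURES = 5                # lock out after this many failures ...
WINDOW = timedelta(minutes=10)  # ... within this sliding time window


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, result, src)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["user"], kv["result"], kv["src"]


def find_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: timestamp} for each account whose failed attempts reached
    max_failures inside `window`. A successful login resets the counter; once
    an account is locked, later lines for it are ignored (it should be unable
    to log in until an operator clears the lock)."""
    recent = defaultdict(deque)  # per-user timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _src = parse_line(line)
        if user in locked:
            continue
        if result != "FAIL":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            locked[user] = ts
    return locked


def default_accounts_in_use(log_text, defaults=DEFAULT_ACCOUNTS):
    """Return the factory/shared account names that still log in successfully;
    any hit means the commissioning step of replacing defaults was skipped."""
    used = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, result, _src = parse_line(line)
        if result == "OK" and user in defaults:
            used.add(user)
    return used


if __name__ == "__main__":
    for user, when in find_lockouts(SAMPLE_LOG).items():
        print(f"LOCKOUT {user} at {when.isoformat()}")
    for user in sorted(default_accounts_in_use(SAMPLE_LOG)):
        print(f"DEFAULT ACCOUNT STILL IN USE: {user}")
```

On the sample data, `admin` trips the lockout on its fifth failure within ten seconds, while `jsmith` (two failures half an hour apart) does not; the separate default-account check reports `admin` because it eventually logged in successfully, which is the condition the post's "change the defaults when the Jace comes out of the box" step is meant to prevent.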