There is an Alerton CVE that was released last week.  There is no patch at the moment and it allows for controller data to be overwritten without password.  We've been pressing our OT vendor and Honeywell for more details about how to best mitigate until a patch is available, but they've been slow to provide information.  The one thing I cannot determine from the articles I've found is if the controllers are being overwritten through a direct connection to the controller either direct or through the internet, or if they're exploiting the web front-end on the server to gain access to the nodes. https://www.securityweek.com/ot-security-firm-warns-safety-risks-posed-alerton-building-system-vulnerabilities