While taking control of HVAC sounds interesting, taking control of alarms would be a goldmine for hackers. HVACking: Remotely Exploiting Bugs in Building Control Systems.
Security researchers have found a zero-day vulnerability in a popular building controller used for managing various systems, including HVAC (heating, ventilation, and air conditioning), alarms, or pressure level in controlled environments.
To be able to turn off alarms from 10 PM until 5 AM on the evening you are going to break in. Physical access to a building lets hackers do so much more than they can do from outside the company. Not to mention that at least some people are going to have written their passwords on a post-it note.