UPDATE 2-U.S. government warns about Siemens security flaw

Tue May 24, 2011 6:22pm EDT

* Flaw found in industrial control systems

* Siemens says developing software to fix problem (Adds background, comments from company and researcher)

By Jim Finkle

BOSTON, May 24 (Reuters) - The U.S. government warned Siemens AG (SIEGn.DE) customers that industrial control management systems they purchased from the company have a security flaw that one researcher said could enable hackers to damage critical infrastructure.

Siemens is still recovering from fallout from last year's discovery of the Stuxnet virus, a computer worm specifically designed to attack its industrial control systems. Stuxnet is believed to have knocked out in late 2009 or early 2010 about 1,000 centrifuges used by Iran to enrich uranium.

Attacks on its systems could have wide impact. Siemens technology is used to manage electrical plants, water distribution systems, chemical factories and other critical infrastructure facilities around the world.

The German conglomerate, which had downplayed the significance of the flaws after they were disclosed last week by the boutique security firm NSS Labs, said on Tuesday it is developing software patches to fix the latest security problem affecting its industrial control systems.

The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) sent out the advisory to power companies, water districts and other operators of industrial control systems on May 19.

But it has kept the matter quiet since then as its engineers worked with staff at Siemens and NSS Labs to figure out a way to patch those vulnerabilities. It released a statement disclosing the advisory in response to an inquiry from Reuters.

ICS-CERT generally holds off publicizing security vulnerabilities until they are fixed, out of concern that hackers might try to exploit the unpatched holes.

The government advisory discussed steps that operators of Siemens industrial control systems can take to mitigate security risks, while they wait for a more permanent fix, said Chris Ortman, a spokesman for the Department of Homeland Security.

"ICS-CERT will continue to work with NSS Labs and Siemens to find a solution to this vulnerability and will release further mitigation measures once they have been properly tested and validated," Ortman said.

Siemens issued a statement saying it expected to release software patches to fix the flaws within the next few weeks.

PRESENTATION CANCELED

NSS Labs researcher Dillon Beresford first disclosed last week that he had found several security bugs a hacker could remotely exploit to gain control of a key piece of hardware in Siemens' widely used industrial control systems.

He was scheduled to unveil his findings at a security conference in Texas, but canceled the presentation at the last minute to avoid publicizing information he said might be useful to criminals looking to attack Siemens customers.

Beresford called on Siemens on Monday to tell its customers that they are at elevated risk of attacks from hackers who might exploit the flaws he discovered.

"The vulnerabilities are far-reaching and affect every industrialized nation across the globe. This is a very serious issue," Beresford said in a note he posted Monday on a mailing list sent to professionals who monitor security of industrial control systems.

But a spokesman for Siemens denied any fault, saying company officials are in a better position to assess potential security risks than researchers from an outside firm.

Siemens said NSS Labs did not have enough information to determine the severity of the risk.

The company said in a statement on Tuesday that NSS Labs had figured out a way to stop a Siemens Programmable Logic Controller, or PLC, a highly specialized type of computer that is used to control industrial processes.

"In this environment, the PLC would have stopped a manufacturing process in a controlled manner," Siemens said in a statement. "For customers with standard IT security measures in place, there is no risk for workers or the manufacturing process." (Reporting by Jim Finkle; editing by Andre Grenon)
