Cyber Attacks Could Hit Infrastructure If Flaws Aren't Fixed

U.S. Government Warns Conglomerate To Fix Security Flaws

* Researchers say flaws make systems vulnerable to attack by hackers

* Siemens says first fixes will be released in January (Adds comments from Department of Homeland Security)

By Jim Finkle

BOSTON, Dec 22 (Reuters) - Siemens said it is working to fix security flaws in industrial controls products that the U.S. government warned could make public utilities, hospitals and other critical parts of the country's infrastructure vulnerable to attack by hackers.

The German conglomerate, whose industrial control systems are widely used around the world, said on Thursday in a posting on its website that it had learned of the vulnerabilities in May and December of this year from security researchers Terry McCorkle and Billy Rios.

The U.S. Department of Homeland Security issued an advisory that warned of the vulnerability, urging Siemens customers to minimize exposure of industrial control systems to the Internet to make them less vulnerable to attack.

"Successful exploitation of these vulnerabilities could allow a hacker to log into a vulnerable system as a user or administrator," the agency's Industrial Control Systems Cyber Emergency Response Team said in the advisory.

Rios told Reuters that one of the most serious of the vulnerabilities, known as an "authentication bypass," allows hackers to get around password protections on Web interfaces, which Siemens customers use to access industrial control systems.

Siemens industrial controls systems are used to run an assortment of facilities from power generators, chemical plants and water systems to breweries, pharmaceutical factories and even uranium enrichment facilities.

"People with low skills will be able to use this authentication bypass," said Rios, who described the problems on his blog, www.xs-sniper.com.

Siemens said it had addressed some of the security vulnerabilities and that it would release its first security update to fix them next month.

The company does not know of any cases in which hackers had exploited the vulnerabilities to attack its customers, spokesman Alexander Machowetz said.

Some Siemens software is designed to automatically install services that make control systems accessible via the Internet, Rios said. They are installed with a default password, "100," which is published in user manuals that are available on the public Siemens website, he added.

"People set up control systems, and they don't realize that they are on the Internet, waiting for people to connect to them," Rios said.

Siemens industrial control systems have been scrutinized by security researchers over the past few years.

The notorious Stuxnet virus, which crippled Iran's nuclear program, was first identified by researchers in June 2010. It targeted Siemens software used to control gas centrifuges that enriched uranium at a facility in Natanz, Iran.

Last May, the U.S. government warned U.S. water districts, power companies and other Siemens customers of another security flaw uncovered by researcher Dillon Beresford that made systems vulnerable to attack.

In August, Beresford disclosed at the Black Hat hacking conference in Las Vegas that he had found further vulnerabilities in Siemens products, including a "back door that could allow hackers to wreak havoc on critical infrastructure." (Reporting By Jim Finkle; Editing by Lisa Von Ahn)