More than three months after the disclosure of the catastrophic Heartbleed vulnerability in the OpenSSL library, critical industrial control systems sold by Siemens remain susceptible to hijacking or crashes that can be triggered by the bug, federal officials have warned.

The products are used to control switches, valves, and other equipment in chemical, manufacturing, energy, and wastewater facilities. Heartbleed is the name given to a bug in the widely used OpenSSL cryptographic library that leaks passwords, usernames, and secret encryption keys. While Siemens has updated some of its industrial control products to patch the Heartbleed vulnerability, others remain susceptible, an advisory published Thursday by the Industrial Control Systems Cyber Emergency Response Team warned.

"The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices," the notice stated. "The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash."

Vulnerable systems include:

APE versions prior to Version 2.0.2 (only affected if SSL/TLS component or Crossbow is used)

CP1543-1: all versions

ROX 1: all versions (only affected if Crossbow is installed)

ROX 2: all versions (only affected if eLAN or Crossbow is installed)

S7-1500: all versions

WinCC OA (PVSS): Version 3.8 – 3.12

Siemens patched a variety of critical supervisory and control data acquisition products in the weeks immediately following the Heartbleed disclosure. Thursday's advisory said mitigations are available for the products that remain unpatched.