I can appreciate Siemens' concern about interrupting business operations, but, time and time again, fear of interrupting business is not a reason for ignoring security threats. It is a consideration, sure, but not a reason for ignoring them.
This is a prime example of security fail.
Why can't Siemens advise changing the password while stressing the potential business implications? Other mitigating controls might include:
- disabling USB drives,
- application whitelisting,
- operating system hardening,
- segregation of management networks,
- disallowing critical infrastructure direct Internet connectivity.
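As an added illustration of the first two controls on that list (this is not code from the original post or from Siemens), the following PowerShell audits a Windows host for whether the USB mass-storage driver is disabled and whether any AppLocker rules are in effect, and applies the USB remediation only when the check fails. It assumes an elevated session on a Windows version that ships the AppLocker cmdlets; the USBSTOR registry path and cmdlet names are standard Windows ones.

```powershell
# Added example, not from the original post. Audits two of the mitigating
# controls listed above on a Windows host (for instance an HMI or engineering
# workstation). Run from an elevated PowerShell session.

function Test-UsbStorageDisabled {
    # Start = 4 (SERVICE_DISABLED) stops the USBSTOR driver from loading,
    # so newly attached USB mass-storage devices are not mounted.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    return ($start -eq 4)
}

function Test-AppLockerRulesPresent {
    # The effective policy merges local and domain AppLocker policy.
    # Zero rules across all collections means nothing is being whitelisted.
    $policy = Get-AppLockerPolicy -Effective
    $ruleCount = ($policy.RuleCollections | ForEach-Object { $_.Count } |
                  Measure-Object -Sum).Sum
    return ([int]$ruleCount -gt 0)
}

# Report the state of both controls.
$results = [ordered]@{
    'USB mass storage disabled' = Test-UsbStorageDisabled
    'AppLocker rules present'   = Test-AppLockerRulesPresent
}
$results.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }

# Remediate the USB control when it is not already in place. Application
# whitelisting is deliberately left as a report-only check here, because a
# sensible AppLocker rule set has to be built from the specific software
# installed on the host rather than applied generically.
if (-not (Test-UsbStorageDisabled)) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                     -Name Start -Value 4
    'USBSTOR driver set to Disabled (takes effect for newly attached devices).'
}
```

Disabling USBSTOR only blocks mass-storage class devices; it does not stop other USB device classes, so it is one layer among the controls listed, not a substitute for them.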
Anyway, I realise SCADA infrastructure often runs on ancient, unsupported operating systems and patch levels, but other controls can be applied to reduce the attack surface and the potential damage such malware can do.
While this excuse is thrown around time and time again in enterprise environments, what is interesting now is that it is being thrown around in relation to critical infrastructure, in a case (presumably) arising from industrial espionage.
Some relevant links from Siemens can be found here and here (official release) - and yes, Siemens' official release is terrible.
EDIT (23-7-2010): AusCERT have released a bulletin on this. It's a good write-up - I heartily encourage anyone interested in this subject to read it.