In 2014, organizations were caught off guard by the increase in advanced threats targeting vulnerabilities within business-critical applications running on SAP platforms. Everything from malware being loaded up on RFID devices and being inserted into the manufacturing process, to high risk “Denial of Service” vulnerabilities are challenging organizations to re-think their current approach to protecting critical data. In order to ensure that this information is secured, manufacturing organizations must implement measures that eliminate any and all threats to the business before they evolve. To effectively do so, all businesses must administer preventative measures such as continuous monitoring on their core business data, applications and systems.
Manufacturing operations are run by applications such as Enterprise Resource Planning (ERP) solutions, Manufacturing Integration and Intelligence, as well as SAP’s Enterprise Inventory Optimization Software. This is why SAP systems are considered pivotal for enabling manufacturers to make better decisions, reduce costs and increase their performance. But pervasive applications that reveal what’s going on within a company by providing access to critical business data in one place, must be valued highly and protected accordingly.
While many business processes running on Microsoft, Website software and network infrastructure are top-of-mind for security teams, SAP Applications and Systems are often overlooked. SAP is one of the most critical systems that manufacturers need to protect, but is considered by security professionals to be “covered” by traditional methods. However, these methods leave security teams without visibility into business-critical applications running on SAP. Without proactive measures in place, most security teams are flying blind on critical systems. When SAP systems are left unsecured, the same ERP systems that reduce complexity for business heads and departmental administrators will also open up a consolidated picture of business performance to malicious external threats or internal error.
What is at risk if my business-critical systems are compromised?
Attacks from advanced threats will rapidly extract customer, vendor or employee data as well as financial planning information, balances and profits, sales details, manufacturing recipes and any other critical data. Access by malicious users can also paralyze the operation of any organization by shutting down all ERP functionality. It can halt productivity, disrupt mapping and delete, steal or publish vital information. Financial fraudsters might modify financial information, tamper with longstanding sales and purchase orders, create new vendors and trusted stakeholders, modify supplier bank account information, or worse.
The implications for business productivity and reputation are all too clear, but would likely include data compromise, financial losses and regulatory censure. A lack of visibility may result in incorrect allocation of resources such as budgets and staffing levels. Impaired sales forecasts could lead to an inability to predict workflows or supply chain requirements, learn how much the company must grow, or calculate the quantities of materials to be purchased and products to be produced. Liquidity planning not only affects the understanding of available cash that a company has, but also confidence in that company’s figures by external partners, customers and other stakeholders. Incorrect reporting to authorities such as the Securities and Exchange Commission (SEC) will ultimately lead to fines and market exposure.
Aren’t business-critical ERP systems already secure?
The developers and vendors behind the world’s most popular ERP suites running on SAP work continually to build security functions into their ERP systems. However, no system truly arrives secure out-of-the-box. A green-field deployment will certainly attempt to do everything possible to implement business-critical ERP applications using vendor security best practices. However, ERP deployment is complex and highly individual to each extended enterprise within an already intricate cybersecurity landscape. This means that proprietary protocols and custom technologies are typical, making the “attack surface” very large.
Security managers know that they cannot allow their most sensitive business information and processes to be vulnerable, and so they generally complement vendor security precautions with strict guidelines for user authorizations, roles and profiles. This is generally referred to as Segregation of Duties (SoD) — a long-standing security principle of assigning tasks and privileges for specific business processes among multiple users. SoD controls are undoubtedly important for overall security. But while SoD fulfils an important role, it is limited in its effectiveness against new threats, and should not be used by any enterprise as the sole method for protecting business-critical ERP systems. Threats affecting the ERP application layer are not covered by SoD controls, leaving systems exposed with dramatic potential business impact.
Advanced threats using malware to exploit vulnerabilities to SAP applications are becoming more common than ever before, making it vital to have a preventative plan in place for SAP systems before an attack occurs. The most important concept when developing such plans is to understand the vulnerabilities or misconfigurations that are both exposing systems.
So what can be done to ensure my systems are secure?
One of the main things that can be done to ensure that business-critical systems running on SAP are safe is to understand the potential risks to the business if these systems are compromised. Once security and compliance risks are understood, it is crucial to communicate this, as well as the business impact to senior management. This will open the door for implementing SAP cyber-security policies and technologies that integrate into your existing security strategy.
The next practical steps to take towards securing SAP systems are to evaluate existing systems and the connections between them. This will allow for an understanding of the vulnerabilities and risks that are associated with them.
Additionally, all plans to holistically secure SAP systems should involve, among other things: missing patch detection; configuration analysis and monitoring; user activity monitoring; and solid current knowledge of SAP attacks and vulnerabilities.
Mariano is the CEO and co-founder of Onapsis.
Establish your company as a technology leader. For 50 years, the R&D 100 Awards, widely recognized as the “Oscars of Invention,” have showcased products of technological significance. Learn more.