ERP systems (like SAP® systems) see a growing level of attack, and of interest in attacking them, for two obvious reasons. First, the monolithic ERP era is long gone: no more mainframe or isolation thinking. Many of these systems are now connected to the internet in some way, shape or form, so the EXPOSURE of these ERP systems is much bigger than ever before.
Secondly, ERP security has a lot of components, parameters, settings and deep technical methods. It is incredibly complex and thus hard for any regular administrator to understand and oversee it all. Herein hides the danger: the things you master are under control, but how do you know if you know it all? There are many known unknowns; we come across such situations every single week. With every technology update and every connection added, the ATTACK FOOTPRINT increases.
The fact that these systems are sometimes so complex, very interconnected, highly customized and extremely crucial to business process uptime has an adverse effect on security patching. Patching is considered risky, lengthy, expensive and complicated, and is thus often put off. Non-ERP systems are often patched within days, but ERP systems running business operations may wait many months to get patched.
An often heard credo is: IF IT AIN'T BROKEN, DON'T FIX IT. While that is true, you may want to consider this one as well: IF IT IS EXPLOITABLE, IT WILL BE BREACHED.
Our conclusion is that these large corporate systems, which manage entire companies' operations, are far too easy for an attacker to compromise and shut down (or worse).
If someone manages to breach one of those ERP or SAP® applications, they could literally stop operations for these companies.
Security vulnerability warnings - nothing new
Cybersecurity evangelists, engineers and trendwatchers have been warning for a long time that there is evidence of a shift going on towards threats to real safety. Think about critical infrastructure like power, transport, water and heating. Think about our financial institutions (the oil of the economy) and about large (inter)connected supply chains. These sorts of threats originally went way beyond the nasty kid in the basement trying out stuff, but with the VAULT7 release on the DARKNET making hundreds of attack tools available, we are wondering if it takes a nation-state hacking scenario to really cause a mess.
"The great risk in ERP is disruption," said Alan Paller, the founder of SANS Institute, a cybersecurity research and education organization in Bethesda.
If attackers were interested in, for example, ransomware, there are easier targets, such as unprotected e-commerce websites (we refer to the recent BA booking hack). What hacker organizations may be doing with your ERP systems is preparing (planting a back door), which means having a key to get in later (with a clear purpose). Often the real purpose or attack goes unspotted, because during the preparation a plan is developed to erase the digital fingerprints. Nobody then is the wiser.
If you are curious about such a balanced strategy (INSIGHT-PREVENT-DETECT-RESPOND), what it means for you as a CISO, what you should be doing against ERP threats and why you should be working more closely with experts, let us know. Just ask your question(s) on our website.