ERP systems are seeing growing levels of attack for two reasons. First, many of these systems — especially in the U.S. — are now connected to the internet. Second, ERP security is hard. These systems are so complex and customized that patching is expensive, complicated and often put off.
Windows systems are often patched within days, but users may wait years to patch some ERP systems. There are old versions of PeopleSoft and other ERP applications, for instance, that are out-of-date and connected to the internet, according to researchers at two cybersecurity firms, which jointly looked at the risks faced in ERP security.
These large corporate systems, which manage global supply chains and manufacturing operations, could be compromised and shut down by an attacker, said Juan Pablo Perez-Etchegoyen, CTO of Onapsis, a cybersecurity firm based in Boston.
“If someone manages to breach one of those [ERP] applications, they could literally stop operations for some of those big players,” Perez-Etchegoyen said in an interview. His firm, along with Digital Shadows, released a report, “ERP Applications Under Fire: How Cyberattackers Target the Crown Jewels,” which was recently cited as a must-read by the U.S. Computer Emergency Readiness Team within the Department of Homeland Security. This report looked specifically at Oracle and SAP ERP systems.
Warnings of security vulnerabilities are not new
Cybersecurity researchers have been warning for a long time that U.S. critical infrastructure is vulnerable. Much of the focus has been on power plants and other utilities. But ERP systems are managing critical infrastructure, and the report by Onapsis and Digital Shadows is seen as backing up a broader worry about infrastructure risks.
“The great risk in ERP is disruption,” said Alan Paller, the founder of SANS Institute, a cybersecurity research and education organization in Bethesda, Md.
If the attackers were just interested in extortion or gaining customer data, there are easier targets, such as hospitals and e-commerce sites, Paller said. What the attackers may be doing with ERP systems is prepositioning, which can mean planting malware in a system for later use.
In other words, attackers “are not sure what they are going to do” once they get inside an ERP system, Paller said. But they would rather get inside the system now, and then try to gain access later, he said.
The report by Onapsis and Digital Shadows found an increase in interest among hackers in ERP-specific vulnerabilities. This interest has been tracked across a variety of sources, including the dark web, which is a part of the internet accessible only through special networks.
Complexity makes ERP security difficult
The problem facing ERP security, Perez-Etchegoyen said, is “the complexity of ERP applications makes it really hard and really costly to apply patches. That’s why some organizations are lagging behind.”
SAP and Oracle, in emailed responses to the report, both said something similar: Customers need to stay up-to-date on patches.
“Our recommendation to all of our customers is to implement SAP security patches as soon as they are available — typically on the second Tuesday of every month — to protect SAP infrastructure from attacks,” SAP said.
Oracle pointed out that it “issued security updates for the vulnerabilities listed in this report in July and in October of last year. The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products. Oracle continues to investigate means to make applying security patches as easy as possible for customers.”
One of the problems is knowing the intent of the attackers, and the report cited a full range of motives, including cyberespionage, which is sabotage by a variety of groups, from hacktivists to foreign countries.
Next wave of attacks could be destructive
But one fear is the next wave of major attacks will attempt to destroy or cause real damage to systems and operations.
This concern was something Edward Amoroso, retired senior vice president and CSO of AT&T, warned about.
In a widely cited open letter in November 2017 to then-President-elect Donald Trump, Amoroso said attacks “will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens.” The ERP security report’s findings were consistent with his earlier warning, he said in an email.
Foreign countries know that “companies like SAP, Oracle and the like are natural targets to get info on American business,” Amoroso said. “All ERP companies understand this risk, of course, and tend to have good IT security departments. But going up against military actors is tough.”
Amoroso’s point about the risk of a destructive attack was specifically cited and backed by a subsequent MIT report, “Keeping America Safe: Toward More Secure Networks for Critical Sectors.” The MIT report warned that attackers enjoy “inherent advantages owing to human fallibility, architectural flaws in the internet and the devices connected to it.”