Is SAP afraid of a Stuxnet-style attack?

SAP is stepping up its security stance as attackers diversify their targets to more obscure systems

Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets.

SAP's ERP (enterprise resource planning) and CRM (customer relationship management) software are often the core management tools for large enterprises, used for functions such as managing payroll, creating purchases orders, invoicing, and paying suppliers, among others. A trove of very sensitive data is held within those systems that, if hacked and the information obtained, could be used to cause great harm to a business.

SAP systems have typically been buried within an organization and not been connected to the Internet. The greatest threat still today to SAP is insiders who already have access to the systems and seek to make modifications. SAP security consultants often spend time on "segregation of duties," or ensuring that no one person has access or privileges for a wide range of financially sensitive tasks.

However, that is changing. Companies can set up Web-based customer portals that lead into their SAP software, which would give attackers a new vector for which to get inside the systems.

"You can now have all your business information directly connected to the Internet," said Mariano Nuñez Di Croce, director of research and development for Onapsis, which does SAP security evaluations for companies.

Cyberattackers also appear to be diversifying their targets. The most alarming example is Stuxnet, a piece of malware designed to manipulate Siemens WinCC systems, a type of SCADA (supervisory control and data acquisition) product used for manufacturing.

The latest data shows that Stuxnet was designed to tamper with frequency converter drives, which change electrical output from a power grid to a much higher frequency. The process is used for uranium refinement, which has led to speculation that Stuxnet was developed by a country to interfere with nuclear weapons development.

Nonetheless, Stuxnet showed that computer systems thought to be protected somewhat by their obscurity may be increasingly targeted, whether for sabotage or industrial espionage.

With SAP, "I think we may see something like that in the near future, but mostly now the concern is a direct attack, such as taking a system offline or modifying business information," Nuñez Di Croce said.

Stuxnet "was the shot across the bow of the industry," said Alex Ayers, director of operations for Turnkey Consulting, a U.K.-based company that also specializes in SAP security. "If you've got people who have the ability to do this, why should we assume that any ERP can't be targeted in the same way?"

SAP spokesman Hilmar Schepp said the company is not aware of any Stuxnet-like malware targeting its software. Because "Stuxnet was designed to attack mainly Microsoft and Siemens software, please understand that we don't want to comment further on this," Schepp said.

The core of SAP is its Netweaver platform, which is framework on which other SAP applications sit. If an attacker can get inside Netweaver, any of the other applications on top of it can be compromised, Nuñez Di Croce said.

Vulnerabilities in SAP products numbered around 20 in 2007, but that figure has risen to nearly 300 this year, Nuñez Di Croce said. The reason for the rise, Nuñez Di Croce and Ayers said, is increased attention from security researchers into SAP systems and more scrutiny from the company.

SAP has also been evangelizing the importance of better security practices to its customers. In September it published a white paper, "Secure Configuration SAP Netweaver Application Server ABAP," that consolidated a set of its existing security recommendations into a succinct document. The recommendations cover SAP systems that are used on internal networks and are not Internet facing.

"While some organizations already have made these configurations, we realized that other customers still underestimate the increased level of threat from inside a company," Schepp said.

SAP also said in September that it would release patches on a regular schedule on the second Tuesday of the month, the same day as Microsoft. Adobe Systems also adheres to the same schedule for the convenience of system administrators.

Many companies simply don't patch SAP for fear of disrupting part of its functionality, Nuñez Di Croce said. Ayers said the situation is somewhat similar to how some companies deal with Windows, with some administrators more on the ball than others.

SAP is "really just taking it [security] a lot more seriously," Ayers said. "I think it's industry's time to catch on to that and make sure we don't get into a situation where someone's system has been trashed."

SAP also offers a variety of security tools for customers, including its Security Optimization Service and the EarlyWatch Alert, which alerts administrators on system performance issues.

Nuñez Di Croce's company, Onapsis, has upgraded its X1 ERP vulnerability testing product to test for compliance against all of the recommendations in SAP's white paper. Onapsis is holding a webinar on Dec. 1 to explain how the product is used.

Join the CSO newsletter!

Error: Please check your email address.

Tags Detection / preventionintrusionapplicationssecurityenterprise resource planningSAPsoftwareExploits / vulnerabilities

More about Adobe SystemsAdobe SystemsMicrosoftSAP AustraliaSiemens

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place