Is SAP afraid of a Stuxnet-style attack?

SAP is stepping up its security stance as attackers diversify their targets to more obscure systems

Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets.

SAP's ERP (enterprise resource planning) and CRM (customer relationship management) software are often the core management tools for large enterprises, used for functions such as managing payroll, creating purchases orders, invoicing, and paying suppliers, among others. A trove of very sensitive data is held within those systems that, if hacked and the information obtained, could be used to cause great harm to a business.

SAP systems have typically been buried within an organization and not been connected to the Internet. The greatest threat still today to SAP is insiders who already have access to the systems and seek to make modifications. SAP security consultants often spend time on "segregation of duties," or ensuring that no one person has access or privileges for a wide range of financially sensitive tasks.

However, that is changing. Companies can set up Web-based customer portals that lead into their SAP software, which would give attackers a new vector for which to get inside the systems.

"You can now have all your business information directly connected to the Internet," said Mariano Nuñez Di Croce, director of research and development for Onapsis, which does SAP security evaluations for companies.

Cyberattackers also appear to be diversifying their targets. The most alarming example is Stuxnet, a piece of malware designed to manipulate Siemens WinCC systems, a type of SCADA (supervisory control and data acquisition) product used for manufacturing.

The latest data shows that Stuxnet was designed to tamper with frequency converter drives, which change electrical output from a power grid to a much higher frequency. The process is used for uranium refinement, which has led to speculation that Stuxnet was developed by a country to interfere with nuclear weapons development.

Nonetheless, Stuxnet showed that computer systems thought to be protected somewhat by their obscurity may be increasingly targeted, whether for sabotage or industrial espionage.

With SAP, "I think we may see something like that in the near future, but mostly now the concern is a direct attack, such as taking a system offline or modifying business information," Nuñez Di Croce said.

Stuxnet "was the shot across the bow of the industry," said Alex Ayers, director of operations for Turnkey Consulting, a U.K.-based company that also specializes in SAP security. "If you've got people who have the ability to do this, why should we assume that any ERP can't be targeted in the same way?"

SAP spokesman Hilmar Schepp said the company is not aware of any Stuxnet-like malware targeting its software. Because "Stuxnet was designed to attack mainly Microsoft and Siemens software, please understand that we don't want to comment further on this," Schepp said.

The core of SAP is its Netweaver platform, which is framework on which other SAP applications sit. If an attacker can get inside Netweaver, any of the other applications on top of it can be compromised, Nuñez Di Croce said.

Vulnerabilities in SAP products numbered around 20 in 2007, but that figure has risen to nearly 300 this year, Nuñez Di Croce said. The reason for the rise, Nuñez Di Croce and Ayers said, is increased attention from security researchers into SAP systems and more scrutiny from the company.

SAP has also been evangelizing the importance of better security practices to its customers. In September it published a white paper, "Secure Configuration SAP Netweaver Application Server ABAP," that consolidated a set of its existing security recommendations into a succinct document. The recommendations cover SAP systems that are used on internal networks and are not Internet facing.

"While some organizations already have made these configurations, we realized that other customers still underestimate the increased level of threat from inside a company," Schepp said.

SAP also said in September that it would release patches on a regular schedule on the second Tuesday of the month, the same day as Microsoft. Adobe Systems also adheres to the same schedule for the convenience of system administrators.

Many companies simply don't patch SAP for fear of disrupting part of its functionality, Nuñez Di Croce said. Ayers said the situation is somewhat similar to how some companies deal with Windows, with some administrators more on the ball than others.

SAP is "really just taking it [security] a lot more seriously," Ayers said. "I think it's industry's time to catch on to that and make sure we don't get into a situation where someone's system has been trashed."

SAP also offers a variety of security tools for customers, including its Security Optimization Service and the EarlyWatch Alert, which alerts administrators on system performance issues.

Nuñez Di Croce's company, Onapsis, has upgraded its X1 ERP vulnerability testing product to test for compliance against all of the recommendations in SAP's white paper. Onapsis is holding a webinar on Dec. 1 to explain how the product is used.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Detection / preventionintrusionapplicationssecurityenterprise resource planningSAPsoftwareExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?