Is SAP afraid of a Stuxnet-style attack?

SAP is stepping up its security stance as attackers diversify their targets to more obscure systems

Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets.

SAP's ERP (enterprise resource planning) and CRM (customer relationship management) software are often the core management tools for large enterprises, used for functions such as managing payroll, creating purchase orders, invoicing, and paying suppliers, among others. Those systems hold a trove of very sensitive data that, if the systems were hacked and the information obtained, could be used to cause great harm to a business.

SAP systems have typically been buried within an organization and not been connected to the Internet. The greatest threat to SAP today is still insiders who already have access to the systems and seek to make modifications. SAP security consultants often spend time on "segregation of duties," or ensuring that no one person has access or privileges for a wide range of financially sensitive tasks.

However, that is changing. Companies can set up Web-based customer portals that lead into their SAP software, which gives attackers a new vector through which to get inside the systems.

"You can now have all your business information directly connected to the Internet," said Mariano Nuñez Di Croce, director of research and development for Onapsis, which does SAP security evaluations for companies.

Cyberattackers also appear to be diversifying their targets. The most alarming example is Stuxnet, a piece of malware designed to manipulate Siemens WinCC systems, a type of SCADA (supervisory control and data acquisition) product used for manufacturing.

The latest data shows that Stuxnet was designed to tamper with frequency converter drives, which change electrical output from a power grid to a much higher frequency. The process is used for uranium refinement, which has led to speculation that Stuxnet was developed by a country to interfere with nuclear weapons development.

Nonetheless, Stuxnet showed that computer systems thought to be protected somewhat by their obscurity may be increasingly targeted, whether for sabotage or industrial espionage.

With SAP, "I think we may see something like that in the near future, but mostly now the concern is a direct attack, such as taking a system offline or modifying business information," Nuñez Di Croce said.

Stuxnet "was the shot across the bow of the industry," said Alex Ayers, director of operations for Turnkey Consulting, a U.K.-based company that also specializes in SAP security. "If you've got people who have the ability to do this, why should we assume that any ERP can't be targeted in the same way?"

SAP spokesman Hilmar Schepp said the company is not aware of any Stuxnet-like malware targeting its software. Because "Stuxnet was designed to attack mainly Microsoft and Siemens software, please understand that we don't want to comment further on this," Schepp said.

The core of SAP is its Netweaver platform, which is the framework on which other SAP applications sit. If an attacker can get inside Netweaver, any of the other applications on top of it can be compromised, Nuñez Di Croce said.

Vulnerabilities in SAP products numbered around 20 in 2007, but that figure has risen to nearly 300 this year, Nuñez Di Croce said. The reason for the rise, Nuñez Di Croce and Ayers said, is increased attention to SAP systems from security researchers and more scrutiny from the company itself.

SAP has also been evangelizing the importance of better security practices to its customers. In September it published a white paper, "Secure Configuration SAP Netweaver Application Server ABAP," that consolidated a set of its existing security recommendations into a succinct document. The recommendations cover SAP systems that are used on internal networks and are not Internet facing.

"While some organizations already have made these configurations, we realized that other customers still underestimate the increased level of threat from inside a company," Schepp said.

SAP also said in September that it would release patches on a regular schedule on the second Tuesday of the month, the same day as Microsoft. Adobe Systems also adheres to the same schedule for the convenience of system administrators.

Many companies simply don't patch SAP for fear of disrupting part of its functionality, Nuñez Di Croce said. Ayers said the situation is somewhat similar to how some companies deal with Windows, with some administrators more on the ball than others.

SAP is "really just taking it [security] a lot more seriously," Ayers said. "I think it's industry's time to catch on to that and make sure we don't get into a situation where someone's system has been trashed."

SAP also offers a variety of security tools for customers, including its Security Optimization Service and the EarlyWatch Alert, which alerts administrators about system performance issues.

Nuñez Di Croce's company, Onapsis, has upgraded its X1 ERP vulnerability testing product to test for compliance against all of the recommendations in SAP's white paper. Onapsis is holding a webinar on Dec. 1 to explain how the product is used.


Jeremy Kirk

IDG News Service