Is SAP afraid of a Stuxnet-style attack?
- — 24 November, 2010 03:55
Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets.
SAP's ERP (enterprise resource planning) and CRM (customer relationship management) software are often the core management tools for large enterprises, used for functions such as managing payroll, creating purchases orders, invoicing, and paying suppliers, among others. A trove of very sensitive data is held within those systems that, if hacked and the information obtained, could be used to cause great harm to a business.
SAP systems have typically been buried within an organization and not been connected to the Internet. The greatest threat still today to SAP is insiders who already have access to the systems and seek to make modifications. SAP security consultants often spend time on "segregation of duties," or ensuring that no one person has access or privileges for a wide range of financially sensitive tasks.
However, that is changing. Companies can set up Web-based customer portals that lead into their SAP software, which would give attackers a new vector for which to get inside the systems.
"You can now have all your business information directly connected to the Internet," said Mariano Nuñez Di Croce, director of research and development for Onapsis, which does SAP security evaluations for companies.
Cyberattackers also appear to be diversifying their targets. The most alarming example is Stuxnet, a piece of malware designed to manipulate Siemens WinCC systems, a type of SCADA (supervisory control and data acquisition) product used for manufacturing.
The latest data shows that Stuxnet was designed to tamper with frequency converter drives, which change electrical output from a power grid to a much higher frequency. The process is used for uranium refinement, which has led to speculation that Stuxnet was developed by a country to interfere with nuclear weapons development.
Nonetheless, Stuxnet showed that computer systems thought to be protected somewhat by their obscurity may be increasingly targeted, whether for sabotage or industrial espionage.
With SAP, "I think we may see something like that in the near future, but mostly now the concern is a direct attack, such as taking a system offline or modifying business information," Nuñez Di Croce said.
Stuxnet "was the shot across the bow of the industry," said Alex Ayers, director of operations for Turnkey Consulting, a U.K.-based company that also specializes in SAP security. "If you've got people who have the ability to do this, why should we assume that any ERP can't be targeted in the same way?"
SAP spokesman Hilmar Schepp said the company is not aware of any Stuxnet-like malware targeting its software. Because "Stuxnet was designed to attack mainly Microsoft and Siemens software, please understand that we don't want to comment further on this," Schepp said.
The core of SAP is its Netweaver platform, which is framework on which other SAP applications sit. If an attacker can get inside Netweaver, any of the other applications on top of it can be compromised, Nuñez Di Croce said.
Vulnerabilities in SAP products numbered around 20 in 2007, but that figure has risen to nearly 300 this year, Nuñez Di Croce said. The reason for the rise, Nuñez Di Croce and Ayers said, is increased attention from security researchers into SAP systems and more scrutiny from the company.
SAP has also been evangelizing the importance of better security practices to its customers. In September it published a white paper, "Secure Configuration SAP Netweaver Application Server ABAP," that consolidated a set of its existing security recommendations into a succinct document. The recommendations cover SAP systems that are used on internal networks and are not Internet facing.
"While some organizations already have made these configurations, we realized that other customers still underestimate the increased level of threat from inside a company," Schepp said.
SAP also said in September that it would release patches on a regular schedule on the second Tuesday of the month, the same day as Microsoft. Adobe Systems also adheres to the same schedule for the convenience of system administrators.
Many companies simply don't patch SAP for fear of disrupting part of its functionality, Nuñez Di Croce said. Ayers said the situation is somewhat similar to how some companies deal with Windows, with some administrators more on the ball than others.
SAP is "really just taking it [security] a lot more seriously," Ayers said. "I think it's industry's time to catch on to that and make sure we don't get into a situation where someone's system has been trashed."
SAP also offers a variety of security tools for customers, including its Security Optimization Service and the EarlyWatch Alert, which alerts administrators on system performance issues.
Nuñez Di Croce's company, Onapsis, has upgraded its X1 ERP vulnerability testing product to test for compliance against all of the recommendations in SAP's white paper. Onapsis is holding a webinar on Dec. 1 to explain how the product is used.