Central protection against cyberattacks
Last spring, the U.S. Department of Homeland Security's Office of Cybersecurity and Digital Infrastructure (CISA) and security firm Onapsis warned of increased risks from attacks on known misconfigurations in SAP applications: "Many SAP systems are at risk."
The reason was the publication of an exploit construction kit called 10KBLAZE, which provides malware and thus makes it very easy for hackers to compromise the relevant systems. Worldwide, nine out of ten SAP installations with a total of over 50,000 customers are said to be affected.
While still a novelty in the SAP world, such attack kits for Oracle vulnerabilities have been available in public forums for some time - and are no less dangerous. For most companies, the market-leading SAP and Oracle systems are at the heart of digitization, cloud migrations and IoT initiatives.
If they become the target of cyberattacks, this can have very serious consequences for a company - whether the attack is intended for espionage, sabotage or fraud. If cyber criminals succeed in accessing entire databases in order to copy, change or delete them, they can cause considerable economic damage.
In addition, the reputation suffers and the trust of customers dwindles. This pressure is increased by ever stricter regulatory requirements such as the EU Data Protection Regulation, which punishes data protection violations with heavy fines.
Security gaps in three areas
In order to effectively ward off such cyber threats to ERP systems, the use of holistic security tools is recommended. In the SAP area, for example, three areas have been identified that are significantly responsible for security vulnerabilities: system settings, customer-generated code and the import of transports.
With comprehensive analysis tools, it is possible to automatically check the SAP system configurations, immediately eliminate possible errors, and avoid renewed configuration errors ("automate audit"). At the same time, the customer's own code can be automatically checked for weaknesses in security, compliance and quality, and these weaknesses can then be cleaned up.
Finally, by analyzing SAP transport requests ("change assurance"), it is possible to prevent updates and new developments as well as third-party applications from importing harmful content into SAP systems and opening the door to spies or data thieves.
So if you want to effectively protect your ERP environment from attackers, you should definitely rely on an integrated solution to automatically detect, remediate and prevent all identified cybersecurity and compliance risks.
Since most companies operate extremely heterogeneous system landscapes with hundreds, if not thousands of applications, such an ERP security platform should also be able to be used across manufacturers.
There should be a focus on SAP and Oracle applications, as these two vendors, with around 437,000 and 430,000 customers worldwide, are considered market leaders for enterprise software, whether on-premises or - increasingly - cloud-based.
A multi-vendor approach ensures that multiple security tools do not need to be deployed and that the installation and operational effort for ERP security is kept to a minimum.
This also applies to the use of the security platform in digital transformation projects and in migrations of existing ERP systems to the cloud or to new software generations from the same providers, such as the migration to SAP S/4HANA that is upcoming for many customers.
Best Practices
Good ERP platforms for security and compliance are also characterized by the fact that they are based on best-practice specifications, including the security guidelines of the individual software manufacturers and user groups (for example, the DSAG testing guidelines) as well as the BSI basic protection recommendations.
Equipped with proven security expertise, security platforms offer companies comprehensive protection against cyberattacks. This protection is an absolute must in view of the increasing number of IT attacks and the horrendous damage they cause every year.
According to a study by the industry association Bitkom, industrial companies in Germany incurred a total loss of 43.4 billion euros in 2017 and 2018 alone. Following the acquisition of Virtual Forge, Onapsis can provide customers with a central ERP platform for security and compliance that can be used equally by all target groups - even beyond SAP and Oracle.