The global and independent platform for the SAP community.

Run Hackers Against the Wall

Production lines are indispensable components of complex supply chains. If these are disrupted, this can jeopardize the existence of the companies affected. What can companies do to prevent hackers from "hitting the wall" at OT?
Andreas Nolte, Arvato Systems GmbH
June 7, 2023
This text has been automatically translated from German to English.

When cybercriminals attack SAP systems or operational technology (OT)

As an omnipresent backbone, SAP is necessary for smooth business operations in many places. The same applies to the operating technology. It is therefore in the best interest of companies to protect their SAP and OT system landscape as best as possible. But in practice, gaps usually open up. In May 2021, hackers attacked Colonial Pipelines as critical infrastructure in the USA. As a result of the ransomware attack, gasoline supply was restricted in some states. Around the same time, another attack had been reported in Florida. Attackers used a Remote Desktop Protocol (RDP) vulnerability on a Windows device to penetrate the systems of a wastewater treatment plant in order to manipulate them. Attacks are quickly taking on a new dimension, especially in the utility sector: OT ransomware not only exfiltrates and encrypts data, it can take control of critical systems. Of course, companies are aware of the permanent danger. That's why they deal with cyber security and usually employ the following expert groups for this purpose.

Managers and nerds

Compliance managers ensure that companies comply with security-relevant requirements, such as those of the German Federal Office for Information Security (BSI), and international standards such as the ISO/IEC 27001 standard; security experts are responsible for effectively securing cloud-based IT solutions in times of Big Data and artificial intelligence; and hacker nerds know the latest attack techniques and therefore think one step ahead when it comes to security.

But this three-pronged approach often falls short. It is not enough for groups of experts to deal with the issue of cyber security on a more theoretical level, detached from all other processes and teams in the company. Instead, the focus is on how to effectively secure the company's own business. To achieve this goal, companies must understand SAP and OT security as a business process that involves all relevant groups of people in the company. This is the only way to derive suitable practical measures - such as using the appropriate security technology - from the theoretical (or strategic) perspective. 

SAP and OT Security

If cyber security is understood as a critical business process, then this process must be carefully modeled, controlled with metrics, monitored with tools, and continuously optimized. Likewise, a defined risk management system is needed that focuses on practical relevance. If, for example, the business success of a mechanical engineering company depends to a large extent on its forklifts always being in working order, it will make sure that there is always enough lubricant available, it will meet all maintenance deadlines, and it will provide sufficient replacement vehicles. In the same way, companies should always be prepared for all eventualities when it comes to IT security.

Interdisciplinary Security

To ensure OT and SAP security in the long term, departmental boundaries must be overcome in the sense of a process-oriented mindset and organization. In particular, management, IT and production must find their way to an interdisciplinary exchange. This is because management sometimes lacks a precise idea of how important SAP and OT security are for smooth business operations. The IT department can help to convey this understanding. The perspective of the blue collar workers, the employees in production, is particularly important. They know exactly how a possible shutdown of machine A will affect production line B.

In addition to a strategic understanding of the relevance of OT and SAP security and a cross-functional dialog, powerful security solutions are needed. In recent years, technology has evolved significantly, from network analysis to cross-system detection and platform security.

Some time ago, it was common practice to analyze the network and correlate log files with a security information and event management (SIEM) system to obtain indications of possible threats - a pure detection measure. Although a targeted response can be derived from the correlation results, it cannot be implemented directly. Since most data transmission today is encrypted, network analyses alone are no longer state of the art.

To process sensory data from different sources, two new methods, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), have become established. With an EDR tool, events such as a user login, the opening of a file, and established network connections can be recorded on endpoints such as PCs, notebooks, tablets, and smartphones. In addition, XDR allows data to be automatically captured and linked across multiple attack vectors, such as emails, identities, devices, servers, cloud workloads and networks.

When more and more data and systems are located in the cloud, it is only logical to implement effective security measures directly there. The platform solutions of the established hyperscalers have proven themselves here. Microsoft, in particular, offers a comprehensive security product range with a large number of prefabricated components that can be easily commissioned and configured for individual company purposes: from the protection of users (PCs, identities and e-mails) to the protection of various operating scenarios (own servers, on-premises in the data center as well as Azure, Google or AWS cloud) to special use cases such as OT and SAP security. In addition, such platforms are much more efficient to integrate than standalone solutions.

Platform security

Considering how complex some SAP landscapes are and how dependent manufacturing and utility companies are on their operational technology, platform security is a powerful approach. Today, lateral movement is a key tactic used by advanced persistent threats (APTs): Hackers penetrate a critical IT infrastructure via a phishing attack, for example, and use the tapped data to gain increasing privileges by compromising or infecting one system at a time. For example, attackers could gain access to enterprise IT via a modem on the production floor and encrypt hard drives - which would hit companies particularly hard: namely, in their profitable core processes.

Companies therefore have no choice but to link sensor technology across systems and monitor alerts around the clock. Alternatively, they can obtain Managed Detection & Response Services from a specialized Cyber Security Defense Center (CSDC). At its core is Microsoft Threat Monitoring for SAP. Data from complex SAP landscapes can be consolidated via a sensor so that it is available for further processing in the cloud-native SIEM system Microsoft Sentinel. Once connected to various SAP log sources, the sensor captures all data that flows into Sentinel via an API for correlation and analysis. If the tool detects a threat, it generates corresponding alerts. Standardized rules form the basis for (partially) automated SOAR processes (Security Orchestration, Automation and Response): When an alert is received, an AI-based analysis of the captured event data is performed. Depending on the type of attack, predefined response measures are then initiated.

Reliably protect SAP and OT

Cybercrime is a lucrative business for criminals, the consequences of which can go far beyond economic aspects for affected companies. Especially in the area of critical infrastructures, attacks can develop into a serious threat. And companies must be better prepared for this real threat. For one thing, the corporate culture must change: There must be no rifts between departments; interdisciplinary cooperation is needed. On the other hand, CRITIS such as water and electricity utilities in particular are called upon to internalize the practical business relevance of their IT as well as OT and not only derive necessary protection goals, but also implement them. Not least for supply-relevant systems and infrastructures, it is possible to protect them well. But to do so, it is necessary to understand cyber security as a business process and to implement it consistently.

The 3 levels of OT security

Brownfield IT: In a factory with old machines, network analyses are mostly the only
proven means.

Greenfield IT: Companies launching new IT systems can integrate the necessary security functions directly.

Enterprise IT: In the age of the Internet of Things (IoT) with smart devices such as conference screens, elevators and coffee machines, any data, systems and devices must be effectively secured.
Andreas Nolte, Arvato Systems GmbH

Andreas Nolte is Head of Cyber Security at Arvato Systems GmbH

Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024


Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT


Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024


Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.