ERP and Security Challenges

Enterprise resource planning (ERP) software integrates all departments and processes within a company. It provides real-time data and communication across the entire business. ERP connects manufacturing, quality control, and other functions for improved project planning and business intelligence. However, ERP systems are vulnerable targets for cyberattacks like ransomware due to inadequate security practices. Governments in particular face unique threats to their ERP systems from nation-state hackers and risks of exposing sensitive data. Strong security measures are needed to protect against threats to critical ERP systems.

Uploaded by

Aditya Sharma

Enterprise Resource Planning (ERP) is a software solution that provides manufacturers with the information necessary to effectively manage their business processes. ERP is a fully integrated real-time system that gives the information needed to grow the business. ERP supports agility by collecting information from every department and every process throughout the entire enterprise. This means up-to-the-moment, seamless communication and an accurate picture of valuable resources and tools, with better project plans. This is total business intelligence with quote to figure out management potential and sleek office automation. ERP equips you with the ability to instantaneously track orders and monitor the acquisition of raw materials, parts, services and labor.

A complete ERP solution integrates a Manufacturing Execution System (MES) and the Quality Management Module. MES enhances ERP with up-to-the-moment in-process job data. This provides the ability to make critical adjustments immediately. With real-time quality management integrated, tools are available to secure and ensure a superior product with higher customer satisfaction, which ultimately leads to increased business.

Governments that use SAP systems need to be aware that cyberattackers are
actively attacking ERP applications to disrupt critical business operations and
penetrate target organizations. In 2018, Digital Shadows Ltd. and Onapsis
Inc. raised the alarm about an increase in attacks targeting ERP systems such
as SAP. Examples:

In June 2019, Bitcoin hackers penetrated the computer systems of the city
government of Riviera Beach, Florida, installing ransomware that cost the city
roughly $600,000 to remediate by paying a ransom. In that same year, the
government offices of Jackson County, Georgia were hacked, as were the
government computer systems of state and federal government departments across
the country.

Hacking into government computer systems is big business.

From city to county to state to the federal level, governments — and their SAP
systems — are at increasing risks of cyberattack. What are some of these threats
and what unique challenges do governments face when it comes to keeping their
SAP systems safe?

Government is a prime target for cyberattack, with ransomware and hacktivism being
the top two threats, according to Infosec. Bitsighttech confirms that local and state
governments in the US have the second highest rate of ransomware attacks, noting
in 2019 that ransomware attacks in this sector have more than tripled over the last
12 months.

Hacktivism is another major threat to government cybersecurity. In early 2017, for
example, hacktivists attacked the state of Michigan’s website to raise public
awareness of the Flint water crisis. In May of that same year, hacktivists defaced
multiple North Carolina government websites to protest the state’s controversial
transgender bathroom law. And in July, another group of politically motivated
hackers compromised the website of the city of Baton Rouge following the fatal
police shooting of Alton Sterling.

There are multiple reasons why government and other public service bodies
face unique SAP cybersecurity threats:

They’re High-Profile…With High-Profile Enemies

The malicious actors that federal government departments need to protect
themselves against are often nation states. And the battle is a literal war—
cyberwarfare. Cyberwarfare uses computer viruses, hacking and other cyber exploits
by one country to disrupt the vital computer systems of another, steal intellectual
property, damage economies, influence elections and cause civil unrest. In July
2019, for example, Microsoft revealed that it had detected almost 800 cyberattacks
during the previous 12 months targeting think tanks, NGOs and other political
organizations around the world. The majority of these attacks originated in Iran,
North Korea and Russia. And in October 2019, Iranian state-sponsored hackers
attacked current and former U.S. government officials. It requires no stretch of the
imagination to say that ERP systems will be a significant target of these types of
attacks.

They Hold Sensitive Data


In 2013, cyberattackers broke into USIS, a US federal contractor that conducted
background checks for the US Department of Homeland Security. They did so by
exploiting an unpatched SAP vulnerability. The result? Stolen personal data on more
than 27,000 personnel.

In March, the Government of Canada announced that it had selected SAP for a pilot
to test a potential HR and pay solution, hoping to replace the controversial and much
beleaguered Phoenix Pay System. Should all work out well, Public Services and
Procurement Canada’s SAP system will contain in-depth personal data on the
roughly 287,000 civil servants who work in that country. A successful cyberattack on
that SAP system could expose dates of birth, social insurance numbers, and other
highly sensitive data – potentially resulting in a massive spike in identity theft.

Security Challenges

Today, opportunity in the hacking business is at its peak, and ERP in particular is a paramount target. ERP systems are the focal point of the businesses that use them. Unauthorized access can expose medical records, open the door to theft at financial institutions and undermine industrial firms.

Hackers have shifted their focus from individuals to enterprises. An increase in the number of targeted attacks, including ones against ERP systems, is expected. There are a lot of resources on the Internet providing all the information attackers need to tailor their techniques to ERP architectures. We can say that ERP is vulnerable.

It is now time for firms to take ERP security seriously. Some of the challenges in ERP security are as follows:

Inadequate Response Planning

The first ERP security threat is lack of planning. Many businesses cannot run properly due to lack of planning. Firms do not have effective methods in place to detect ERP vulnerabilities and intrusions. Worse, many don’t have an adequate incident response plan in place for when there is suspicious activity.

Businesses often lack a proper incident response that includes the ERP layer. Logging for forensic purposes is not defined properly.

Ransomware Attacks

No system is immune to the ransomware epidemic. Experts believe that the volume of ransomware attacks against ERP systems is going to rise from here onwards.

At present, researchers at ERPs have leaked a proof-of-concept attack against SAP systems. A remote command execution vulnerability allows the autoloading of any program from the server onto the workstation in SAP’s standard client application. The cybercriminal can download malware to the device, which can then be automatically installed on every endpoint with the SAP graphical user interface when a user runs the application.

Insider Threats

One of the most widespread internal attacks is payroll fraud. Malicious workers or former employees who still have access to the ERP system are another top security threat. Even though it is tough to stop, businesses are already concerned about it. Insider threats top the list of security risks.

An employee can change their own wage. A direct modification can be easily detected. Many of these breaches by employees instead inflate the number of additional working hours, raising total wages secretly. The fraud is therefore extremely difficult to detect.
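
One way to look for the overtime inflation described above, as an added example that is not part of the original document. The record layout, employee IDs, thresholds and the three review rules are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed timesheet audit records, not taken from any real ERP system.
# (employee, pay week, overtime hours, approver, edited after approval?)
RECORDS = [
    ("e100", "W01", 4.0, "m200", False), ("e100", "W02", 5.0, "m200", False),
    ("e100", "W03", 3.0, "m200", False), ("e100", "W04", 4.0, "m200", False),
    ("e100", "W05", 5.0, "m200", False), ("e100", "W06", 4.0, "m200", False),
    ("e300", "W01", 2.0, "m200", False), ("e300", "W02", 3.0, "m200", False),
    ("e300", "W03", 2.0, "m200", False), ("e300", "W04", 3.0, "m200", False),
    ("e300", "W05", 2.0, "m200", False), ("e300", "W06", 12.0, "m200", True),
    ("e400", "W05", 6.0, "m200", False), ("e400", "W06", 6.5, "e400", False),
]

MIN_HISTORY = 4    # weeks needed before the outlier test is meaningful (assumed)
MIN_SPREAD = 1.0   # hours; floor for the MAD so a flat history cannot divide by zero


def overtime_score(hours, history):
    """Modified z-score of `hours` against the employee's own history (median/MAD)."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    return 0.6745 * (hours - med) / max(mad, MIN_SPREAD)


def review_overtime(records, threshold=3.5):
    """Return sorted (employee, week, reason) findings for manual review."""
    findings = set()
    history = defaultdict(list)
    for emp, _week, hours, _approver, _edited in records:
        history[emp].append(hours)
    for emp, week, hours, approver, edited in records:
        # Segregation of duties: nobody approves their own overtime.
        if approver == emp:
            findings.add((emp, week, "self-approved"))
        # Hours changed after sign-off bypass the approval that was given.
        if edited:
            findings.add((emp, week, "edited-after-approval"))
        # The score is signed, so only upward deviations (inflation) are flagged.
        past = history[emp]
        if len(past) >= MIN_HISTORY and overtime_score(hours, past) > threshold:
            findings.add((emp, week, "overtime-outlier"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_overtime(RECORDS):
        print(*finding)
```

Slow, small increases stay under a per-employee outlier threshold, so a check like this supports independent approval of hours and does not substitute for it.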

Vulnerable Interconnections

ERP systems are commonly interconnected with many other systems. This is part of the value of ERP. It also poses a security threat, because a vulnerability in one of the systems opens the door to the others.

An ERP system can potentially be compromised by a vulnerability in a connected app, and a vulnerability in ERP can spread to other systems. A flaw in ERP may be the first step in a multi-stage attack resulting in physical damage. Enterprises should take interconnections into account. They also need to monitor them closely, because there is more room for attack than ever before.

Poor Patch Management

The process of repairing vulnerabilities in an organization’s infrastructure in order to maintain network security is called patch management. One of the biggest ERP threats today is security patches that have not been applied. ERP systems are often not up to date. Many businesses have an inadequate process for monitoring these updates and putting them into place. IT security teams have their own patch management programs. These programs usually exclude ERP systems. From a security perspective, poor patch management can be costly.

Poor ERP Security Delegation

Defining how ERP security is handled is one of the biggest security challenges in the current year. The consequence is that many preventive measures fall through the cracks.

Security teams inside ERP-specific departments mostly focus on segregation of duties (SoD) and user management. IT security teams mainly focus on the OS and networking layer rather than the ERP application itself. Today, the key challenge for ERP security is the grey area between those teams. Defining it is critical to closing the gap between them.

The information security teams are not fully aware of the importance of ERP security in a holistic way. This includes a lack of awareness not only of basic security practices but also of more modern best practices such as scanning for security vulnerabilities, continuous monitoring, and proper cloud security.

ERP provides a clear view of opportunities to better serve new and existing customers in an ever more challenging market. Modern ERP is flexible, but one should look ahead to the security challenges in order to grow a business. Sophisticated attacks are only a small part of the problem when it comes to ERP security. The bigger challenge is organizational. ERP ultimately sits at the root of a business. Today, many of the top ERP security challenges actually come from action not taken by the firms using these systems.

ERP systems bring together various departments within an organization, such as accounting, warehouse, inventory and HR, so that they function as one unified entity. Since these departments now work together, there is a seamless flow of data between them, generally stored within a common database, which makes the impact of a compromise much bigger.

By design, ERP systems store very critical data such as personally identifiable information (PII) of employees and customers, financial information, proprietary formulas, etc., making them a lucrative target for cyberattacks.

Given the criticality of the data ERP systems store, robust security measures must be put in place to safeguard this information. Often these essential safeguards are not in place, making ERP systems vulnerable to attacks, and industry experts say that attacks are on the rise. Hence it is imperative that when companies plan their future strategy, they think of cybersecurity as an investment and not just brush it aside as an expense.

WHY ARE ERP SYSTEMS LEFT UNPROTECTED?

One of the main reasons why ERP systems are not as secure as they should be is the lack of understanding of the risk among the business or stakeholder community. Part of the problem is the inability of the IT team to communicate the risk to the business in a way that is easy to understand. IT teams often present very technical results to the business teams and seldom communicate how a cyberattack impacts the day-to-day functioning of the business. They fail to communicate the impact that system downtime will have, the loss of customer confidence if the company is attacked, and how the brand value of the company will be diminished. IT teams are basically not able to weave this into the business strategy, and hence the risk is seldom understood or addressed by the business leadership. This results in potential areas of vulnerability not being identified, which attackers exploit to gain unauthorized access to the system.

Also, a lot of companies address this as a reaction, after they’ve been attacked, rather than proactively taking action to secure the system. They come into action after an attack has occurred and at that time start scrambling to find out why it happened, rather than protecting the system beforehand against any form of attack.

As companies move to the cloud and encourage BYOD (bring your own device), we see users accessing systems across multiple platforms. If any of the platforms is compromised, it is easy for the attacker to gain unauthorized access to the ERP system. Another observation is that smaller companies think they are not on the radar of cyber attackers, who they assume are only interested in targeting bigger companies, whereas it has been found that over 60% of cyber-attacks were against smaller companies. Being small, these companies have a limited overall budget and hence tend to rely on the security solutions provided by their ERP providers.

Type of data leaked when ERP systems are compromised

Lastly, it was also observed that there is a lack of ownership when it comes to securing these ERP applications. Generally, there is a dedicated team that takes care of security within the ERP applications and is responsible for compliance-related issues that are part of the yearly audit. But securing configurations, the network, the application layer, the database layer, etc. is the responsibility of another team. The two teams should be working closely together to determine the proper security measures to put in place, but that seldom happens. Another observation is that companies willingly compromise on security to gain performance. That’s typical behavior that we show even in our personal lives, like using a faster or lighter antivirus just so that our computer is faster.

HOW TO PROTECT YOUR ERP SYSTEMS?

One of the most important security concepts is defense in depth, which means that it’s not one solution that is the answer, but multiple solutions put together that solve the problem. Think of multiple traps set in place to protect a treasure instead of just one trap. The same applies to ERP security. It’s all these efforts working together that results in a secure ERP and, overall, a secure organization.

1. Keep your system patched and up to date

Think of what we do for our own computers: when Windows introduces a new software upgrade or security patch, we rush to upgrade so that our system is not attacked and our personal data is not compromised. In the same way, it’s critical that our ERP systems are up to date and that critical security patches are applied to them in a timely manner. US-CERT, which is part of the Department of Homeland Security, has issued multiple alerts for SAP over the past couple of years. US-CERT Alert (AA19-122A) highlighted that SAP systems were susceptible to attacks due to vulnerabilities that have been in the systems for decades. SAP had released patches for this vulnerability years ago, but a lot of companies had not put the required patches in place.

SAP has something called Patch Tuesday, where they release patches on the second Tuesday of every month that help fix vulnerabilities that have been detected in SAP products. This also makes cyber attackers aware that the vulnerabilities exist. Hence the companies that do not apply the patches quickly fall victim to these attacks.

In addition to keeping your ERP up to date, it is also important to keep the devices you use to access the systems up to date. As mentioned, as more and more users use multiple ways to access the system, there is an increased need to protect every avenue. If any of the methods is compromised, it poses a risk to the entire ERP application.

2. Employee Training

As the number of cyberattacks has increased over the years, companies are trying to learn from their mistakes and do root cause analysis of why an attack happened. It was seen that humans were the leading cause of cyber-attacks. Social engineering is one of the easiest methods used by cybercriminals to manipulate humans and dupe them into falling into their trap. Think of phishing emails like the ones we get that say “You’ve won a lottery” or a vacation somewhere exotic, or that your bank account has been compromised and you need to log in immediately. These are common traps used to exploit human nature, and no matter how much you spend on security protocols, if the employees are not educated on how to be wary of these attacks, the protocols will prove completely futile.

Holding these security trainings frequently and making sure employees understand them is key. Even if you make the trainings mandatory or make them part of the employee’s performance review, that does not guarantee that the training is done sincerely and that the techniques taught are applied. Additionally, employees need to be made aware of the importance of using strong passwords. A lot of the time a person’s password is their date of birth, mother’s or father’s name, place of birth, etc., which are easily cracked by hackers. Strong passwords that combine letters, numbers and special characters should be used.

3. Incident Plan & Response

One cannot stress enough the importance of an incident response plan. Just as we often say “be prepared for the worst,” it is key to have a solid incident response plan. The plan lays out the steps to be followed in case a cyber-attack happens and identifies the roles and responsibilities of individual people in case of an attack. This is crucial, since it gives a clear understanding of who needs to do what at such a critical time.

4. Use Encryption

As companies become more flexible with their employees and promote work-life balance, we see a lot of employees working from home. It is easy to protect and strengthen the network the employee uses when they are in the office, but as more and more people connect from their homes, encryption plays a very big role and will be key to protecting the company’s ERP system.

5. Private Cloud

Since the advent of cloud technologies there has always been a debate on whether going public, private or hybrid is the best bet. From the beginning, private clouds have been the most expensive but also the most secure. For systems like ERPs, which store some of the most critical data, it makes sense to go with private clouds.
