What Industrial Control Systems can teach us about ERP Security

A while back, a tweet flashed across my timeline, and it got me thinking about ERP (Enterprise Resource Planning) security. An ERP system, a class of software, dominated by SAP and Oracle’s PeopleSoft, is a tremendously large and complex collection of applications that drives nearly everything modern businesses do. Material management, financial transactions, operational systems, customer service, and human resources are all examples of business processes that are managed by ERPs.

ERPs share a lot in common with Industrial Control Systems (ICS), an environment also known for complexity and criticality. ICS environments have been steadily changing to meet business needs, and with change comes changes to the risk profile. ICS environments have benefited over the past few years, thanks to the focus and investment many organizations have made in their ICS security program to address emerging risks. ERP systems are in a similar situation as they attempt to provide modern solutions riding on legacy deployments.

How vital are ERPs? Consider what would happen if your revenue management system went down for, say, one hour or one day. What would the impact on the business be? What would happen if your call-center could not bring up account information for people calling in to settle an issue with your service? What happens if you’re unable to process payroll? Will your employees work for free?

Given the sensitivity, you think there would be an incredibly high threshold for SAP security. You’d be wrong, and it’s something that warrants discussion. Do we wait for threat actors to come for us before we act?

An Imperfect Analogy

This analogy is by no means perfect. ICS systems drive industrial (physical) processes, and by having to operate in the kinetic world, it’s important to respect that difference. The analogy seeks to take advantage of the mounting collection of fantastic work that has gone into defending our critical infrastructure in hopes that we can shore up the defense in our critical business infrastructure.

Key similarities between ERPs and ICS:

  1. Both systems are mission-critical to businesses.
  2. Both systems are complex in terms of operations, support, and impact from their environment.
  3. Both systems must align with business objectives, more so than traditional enterprise IT systems.
  4. The “air-gap” does not exist. Much like ICS environments, many ERPs get exposed to the internet, and this trend is only increasing as organizations become more distributed and leverage work from home setups.

Business units treat ERPs much the same way that ICS environments get treated. If it’s not broken, then don’t fix it. Then there’s there is the workforce issue. Like ICS, there’s a small percentage of the professional workforce with the knowledge and experience required to manage an ERP, especially from a security perspective. The workforce issue is coming to a head as many of the people responsible for installing their company’s respective ERP systems are retiring now or soon. Lastly, because interruptions of ERP services create business process issues, there is not much of an appetite to overhaul, update, or create integrations unless they are required.

Lessons Learned from ICS Security Work

Defense starts with visibility. Developing an idea of what “normal” looks like, determining the asset inventory, developing the ability to detect changes in the system, or users’ access are necessary first steps.

ERPs are unique and sprawling applications with many roads that can lead to system compromise. An issue facing ERP security is the visibility within the application itself is challenging to come by. An organization may rely on vulnerability scanning tools that work on the OS layer but not within the application layer. Organizations could also scan the front end using tools like Burp Suite, which gives an interesting perspective of vulnerabilities through a web GUI but limited visibility to the system’s inner workings. At this point, we are not securing the ERP, only the systems around it.

Much like ICS security, ERP security is a team sport. If you have an ERP system in your environment, the journey to improve your ERP security deployment begins today. Relationships bear much fruit as you begin to steer a giant ERP system towards a future where you can mitigate risks posed by application vulnerabilities and respond to these events in a timely and effective manner. Specifically, organizations looking to improve their ERP security should focus on the following:

  1. Align leadership in application development, application support, BASIS/infrastructure, and security. A monthly or quarterly meeting to discuss things specific to ERP Security is an excellent way to develop awareness.
  2. Visibility should lead to asking questions, not implementing controls. Buying a fancy tool that shoves changes/controls down the business’s throat gets you nowhere in the long run.
  3. If you invest in a tool, make sure to give other ERP stakeholders access. Transparency breeds inclusion and partners, which are things that make or break your ERP security program efforts.
  4. Practice defense in depth by not relying on a single tool, partner, or implementation. Like all things, there is no silver bullet, or blinking box, coming to save us.

In Practice

In July of 2020, ERP Security company Onapsis disclosed a bug related to SAP, which they dubbed RECON. RECON is a remote code execution vulnerability impacting NetWeaver, a component of SAP. NetWeaver is a web-based runtime environment meaning users are very likely to interact with your ERP system via NetWeaver. Many organizations push a web browser to access SAP over the fat client. Since the vulnerability affects web browsing, the likeliest integration for public-facing SAP implementations, organizations must patch this vulnerability in short order. Unfortunately, with SAP, that is rarely the case.

Patching and rebooting an ERP system is not easy. They have never had to be. So developing the organizational capability and discipline to react to these types of vulnerabilities is a requirement for operating ERPs in today’s environment. A good goal to pursue is to normalize vulnerability management within your ERP, which means that an organization should be able to respond to a vulnerability disclosure through patching or some other mitigation rapidly.

The RECON vulnerability caught many by surprise because they had never considered the security implications of their ERP systems, or they had not developed the organizational discipline to react to these types of problems.

Conclusions

If you’re an organization that has an ERP, then you must develop or continue to mature your ERP security program. Maturing an ERP security program requires an organization to leverage across the ERP’s business and technology stakeholders.

Vulnerabilities like RECON are only going to continue. The goal cannot be to rely on old concepts like an air-gap or a perimeter. Legacy approaches are something ICS security experts threw out a long time ago. The goal now is to integrate your critical systems’ security, be it ERPs or ICS, into a program that is conscious of the business’s needs and flexible enough in the security offerings to move the needle without unnecessary impact.

The fluidity of security operations and complex systems such as ERP systems and Industrial Control Systems forces us to develop innovative approaches if we expect to keep up with our organizational and business demands.

Sharing