The Need for SAP Security in the Utilities Sector

Originally published by Onapsis here.

It’s no secret cyberattacks have become more advanced over the last few years. Industries that are critical to everyday life have seen, firsthand, the debilitating impact cyberattacks can have. Critical infrastructure, such as the informational technology (IT) and operational technology (OT) systems managed by the oil and gas industry, is a primary target for cybercriminals.

As the utilities sector continues to accelerate modernization and digitization projects to streamline processes, their applications and networks inherently become more interconnected. While the benefits of digital transformation are vast, moving systems and applications to the cloud frequently leave organizations vulnerable, especially when cybersecurity is not explicitly considered. With increasing interconnectivity between on-premises and cloud environments—between internal and third-party systems—the potential attack surface and corporate risk profile both increase exponentially.

Cyberattacks in the utilities sector have far-reaching impacts: power outages, damage to critical infrastructure and essential networks, stolen personally identifiable information (PII), and billions of dollars lost to ransom demands and repairs. Downtime for utilities companies could also have a detrimental impact and dramatically disrupt society if compromised. Weather-related shutdowns in Texas showed the human-related effects of massive outages. People lost communication, didn’t have access to clean water, and hundreds died. The Colonial Pipeline ransomware attack shutdown affected oil and fuel supplies in many states, and as a result, the U.S. government declared a state of emergency. This attack highlights the urgent need to address long-standing cybersecurity challenges facing the nation's critical infrastructure.

Despite recent government action like the Biden Administration’s Executive Order and Binding Operational Directive 22-01, many organizations continue to operate without any visibility into the risk associated with their business applications, as demonstrated by the influx of attacks that succeeded in effectively shutting down business for the Colonial Pipeline. Enterprise Resource Planning (ERP) systems like SAP are foundational to the businesses of the majority of companies providing critical infrastructure; in fact, 91% of the top Forbes Global 2000 Utilities run SAP applications. While one of the most critical parts of the business, SAP application security is oftentimes overlooked due to the challenges related to its overall complexity and high levels of customization. However, any attack on or compromise of a component of these newly interconnected systems can cause serious damage to the business. Consequently, the current environment requires a shift in enterprise cybersecurity strategies to more prominently elevate securing business-critical SAP applications as a higher priority to ensure organizations can recover from a potential cyberattack.

Three Best Practices Utility Companies Should Implement to Improve Their SAP Security Posture

Obtain visibility into critical systems

Enterprises should have full visibility into all critical and connected systems to eliminate any system blind spots. By obtaining a comprehensive view of the IT and OT systems, organizations can discover internal and external threats and assess their impact in real-time.

Implement a vulnerability management program that specifically addresses SAP risk

Threat actors can exploit vulnerabilities from system configurations, user settings, custom code, and missing patches to gain access to your critical SAP systems. Finding and remediating these vulnerabilities before they can be exploited is essential to protecting your SAP environment.

Adopt cybersecurity best practices

Adopting cybersecurity best practices is absolutely essential. Below are a few tips to make security a priority at your organization:

• Cover the basics by having secure connectivity, MFA, and SSO: When using a public Wi-Fi network, your computer is more susceptible to attacks. To stay protected, avoid using public Wi-Fi for sensitive transactions or use a secure VPN service. Multi-factor authentication (MFA) offers an extra layer of security, requiring users to provide at least two forms of authentication. In combination with MFA, single sign-on (SSO) can increase password strength and provide a more streamlined experience by allowing users to log in using an already trusted third-party verification.
• Keep systems and applications patched and updated: Regularly updating computer programs, operating systems, and applications helps to protect you from malware. Proactively updating technology has the strongest effect on improving defenses.
• Do not open suspicious email attachments: Email is a primary entry point for ransomware. Make sure the email is trustworthy and double check the email address and sender.
• Integrate existing systems with new processes: As your organization formulates new security processes and adopts new tools, ensure that they are integrated with existing systems to ensure that they’re protected.
• Develop plans for a proactive approach to securing your critical systems: Organizations need an incident response plan that goes beyond the scope of just protecting endpoints, backing up files, and hoping for the best. Organizations should leverage the powerful native security capabilities of modern software technology. Establish the right risk-based patch, code, and vulnerability management processes to stay ahead of threat actor groups.

Further Reading

• Stay up to date on the latest in SAP security with our monthly SAP Patch Day blogs
• On August 18, 2022, CISA added a critical SAP vulnerability–CVE-2022-22536–to its Known Exploited Vulnerabilities Catalog. Has your organization prioritized action?