Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Sadik Al-Abdulla of Onapsis charges into a discussion on ERP security and tackling the new generation of cyber-criminals.
Attacks on utilities have constantly been making headlines, so much so that defending critical infrastructure has become a national imperative. Critical infrastructure attacks pose a unique threat, as they not only have the ability to destroy an organization, but can also cause real-world damage. And unfortunately, there are no signs of this stopping in 2023.
With 88 percent of utility attacks being financially motivated in 2022, it’s evident that cyber-criminals will do whatever it takes to make a profit. This means that we can expect threat actors to increasingly target organizations’ crown jewels: the enterprise resource planning (ERP) applications that store their most sensitive corporate data and financials, and in some cases, drive the actual operations. These business applications consist of a variety of elements, such as processes and workflows, master data, and more, all while sharing data with countless other IT applications, both inside and outside the company. Due to their complexity, security teams often lack the knowledge, tools, and processes to secure these systems.
Whether threat actors are looking to inflict societal damage or make money, many companies still have a long way to go to defend their critical assets and ensure their operations remain uninterrupted. And for utility companies, in particular, downtime is not an option. Let’s discuss how utility security leaders can rethink their cybersecurity strategies to tackle the new sophisticated wave of threat actors more efficiently.
ERP Security and the New Generation of Cyber-Crime
Enhance Traditional Security Processes
Many of us have heard the phrase “you can’t protect what you can’t see.” This holds true for the ERP application landscape, yet many organizations continue to operate without knowing and seeing what risks are threatening their critical business systems. For example, if an organization fails to see a vulnerability within an internet-facing application before a threat actor does, it is essentially leaving the door to its most confidential data wide open for the taking. The ironic truth is that the current generation of ERP systems has become so powerful and so valuable because of a significant increase in connectivity, which has also brought a substantial increase in attack surface and risk profile. The fundamental nature of these applications, their sophisticated architecture, and the sheer volume of custom application code have always made them a rich target, and the increased attack surface now elevates that further.
Traditional vulnerability management tools generally aren’t scoped to cover ERP applications like those provided by SAP and Oracle. As such, they cannot sufficiently identify the real organizational risk in complex ERP environments, and lack visibility into the most critical and sophisticated layer of these systems: the application itself. Utility organizations must improve their current security processes by incorporating tools and strategies made to protect these mission-critical systems.
Invest in ERP Security Tools
Implementing vulnerability management tools built for business applications is the first step to a robust cybersecurity program, as these can help security teams defend the assets that matter most. Such solutions equip teams with a comprehensive view of the entire application ecosystem, while proactively sending automated alerts when vulnerabilities do exist. Businesses should also consider selecting tools with monitoring and intelligence capabilities that provide detailed descriptions of each vulnerability. These strategic insights enable security teams to prioritize vulnerabilities from most to least critical, thus improving patch cadence and preventing a burdensome patch backlog.
Develop a Robust Incident Response Plan
Even with end-to-end visibility and the most vigorous security tools, a cyber-attack is inevitable. However, shutting down an ERP system in response to a cyber-attack isn’t as simple as taking down a website; it would be the equivalent of shutting down the entire business, or worse, in the case of utility companies. Fortunately, organizations with thoroughly developed and tested incident response plans can dramatically reduce the impact of an attack. The key to a robust incident response strategy is to include the organization’s ERP applications, as an attack on these systems would be far more complex and sensitive than the average distributed denial of service (DDoS) incident. It’s also critical that these plans are regularly tested and adjusted as needed to keep up with the evolving threat landscape. Research shows that teams with regularly tested incident response plans save $2.66 million per breach compared to companies without an incident response team or well-tested plan. This could be the difference between a disastrous cyber event and a minor interruption.
Protect the Nation’s Utilities
As cyber-criminals continue targeting ERP applications, utility companies must rethink their security posture to defend their critical assets. By investing in modern ERP security solutions and leveraging a well-tested incident response plan, companies can significantly improve their cyberhealth and ensure they are truly resilient. After a catastrophic cyber-attack, it is the most well-prepared teams that come out largely unscathed.