Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets.
SAP's ERP (enterprise resource planning) and CRM (customer relationship management) software are often the core management tools for large enterprises, used for functions such as managing payroll, creating purchase orders, invoicing, and paying suppliers, among others. A trove of very sensitive data is held within those systems that, if hacked and the information obtained, could be used to cause great harm to a business.
SAP systems have typically been buried within an organization and not been connected to the Internet. The greatest threat to SAP today is still insiders who already have access to the systems and seek to make modifications. SAP security consultants often spend time on "segregation of duties," or ensuring that no one person has access or privileges for a wide range of financially sensitive tasks.
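The segregation-of-duties review described above boils down to checking whether any one user's combined roles grant a pair of tasks that must never sit with the same person. The following is an added illustration of that check, not code from the article or from SAP, Onapsis or Turnkey Consulting; the role names, task names and user assignments are constructed for the example and are not real SAP authorization objects or transaction codes.

```python
"""Segregation-of-duties (SoD) conflict check over a role model.

Added example, not code from the article or any vendor named in it.
All role, task and user names below are constructed placeholders.
"""

# Constructed: which roles grant which financially sensitive tasks.
# Note that a single role (payroll_admin) can itself be "toxic" by
# bundling two conflicting tasks; the check catches that too.
ROLE_TASKS = {
    "vendor_admin": {"create_vendor", "change_vendor_bank_details"},
    "ap_clerk": {"post_vendor_invoice"},
    "ap_payments": {"run_payment_proposal", "release_payment"},
    "payroll_admin": {"change_payroll_master", "run_payroll"},
    "auditor": {"view_audit_log"},
}

# Constructed: pairs of tasks that must never be held by one person
# (the classic "create the payee and pay the payee" patterns).
CONFLICTS = {
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"change_vendor_bank_details", "release_payment"}),
    frozenset({"post_vendor_invoice", "release_payment"}),
    frozenset({"change_payroll_master", "run_payroll"}),
}


def effective_tasks(roles, role_tasks=ROLE_TASKS):
    """Union of all tasks granted by the given roles (unknown roles grant nothing)."""
    tasks = set()
    for role in roles:
        tasks |= role_tasks.get(role, set())
    return tasks


def sod_violations(user_roles, role_tasks=ROLE_TASKS, conflicts=CONFLICTS):
    """Return {user: sorted list of (task_a, task_b) conflict pairs the user holds}.

    Users with no conflicts are omitted, so an empty dict means a clean review.
    """
    report = {}
    for user, roles in user_roles.items():
        tasks = effective_tasks(roles, role_tasks)
        hits = sorted(
            tuple(sorted(pair)) for pair in conflicts if pair <= tasks
        )
        if hits:
            report[user] = hits
    return report


# Constructed user-to-role assignments for the demonstration.
USER_ROLES = {
    "alice": ["vendor_admin", "ap_payments"],  # can create a vendor and pay it
    "bob": ["ap_clerk"],                        # clean
    "carol": ["ap_clerk", "ap_payments"],       # can post an invoice and release payment
    "dave": ["payroll_admin", "auditor"],       # toxic single role: payroll master + run
}

if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        for task_a, task_b in pairs:
            print(f"{user}: holds both {task_a!r} and {task_b!r}")
```

In a real review the role-to-task mapping would be exported from the system's authorization data rather than typed in, but the logic is the same: resolve each user's effective privileges, then test every forbidden pair against that set.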
However, that is changing. Companies can set up Web-based customer portals that lead into their SAP software, which gives attackers a new vector through which to get inside the systems.
"You can now have all your business information directly connected to the Internet," said Mariano Nuñez Di Croce, director of research and development for Onapsis, which does SAP security evaluations for companies.
Cyberattackers also appear to be diversifying their targets. The most alarming example is Stuxnet, a piece of malware designed to manipulate Siemens WinCC systems, a type of SCADA (supervisory control and data acquisition) product used for manufacturing.
The latest data shows that Stuxnet was designed to tamper with frequency converter drives, which change electrical output from a power grid to a much higher frequency. The process is used for uranium refinement, which has led to speculation that Stuxnet was developed by a country to interfere with nuclear weapons development.
Nonetheless, Stuxnet showed that computer systems thought to be protected somewhat by their obscurity may be increasingly targeted, whether for sabotage or industrial espionage.
With SAP, "I think we may see something like that in the near future, but mostly now the concern is a direct attack, such as taking a system offline or modifying business information," Nuñez Di Croce said.
Stuxnet "was the shot across the bow of the industry," said Alex Ayers, director of operations for Turnkey Consulting, a U.K.-based company that also specializes in SAP security. "If you've got people who have the ability to do this, why should we assume that any ERP can't be targeted in the same way?"
SAP spokesman Hilmar Schepp said the company is not aware of any Stuxnet-like malware targeting its software. Because "Stuxnet was designed to attack mainly Microsoft and Siemens software, please understand that we don't want to comment further on this," Schepp said.