ERP Software for Utilities

The Current State and Key Challenges Affecting ERP Software in the Utilities Industry

Electrical, energy, and waste sectors are part of the 16 critical infrastructure sectors the U.S. government labels vital, noting that “their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.”  This critical infrastructure, such as the informational technology (IT) and operational technology (OT) systems managed by the utilities industry, is a primary target for cybercriminals, with research showing that cyberattacks against energy infrastructure more than doubled from Q2 to Q3 in 2022. As the cybersecurity landscape continues to evolve, organizations must take greater efforts to secure their business-critical systems and reduce risk. 

Attacks on utilities can be significant - power outages, damage to critical infrastructure and essential networks, stolen personally identifiable information (PII), and billions of dollars lost to ransom demands and repairs. Downtime for utilities companies could also have a detrimental impact and dramatically disrupt society if compromised. For example, outages created by cyberattacks can have real human costs on those that rely on water and electricity for survival.

Despite recent government action like the Biden Administration’s Executive Order and Binding Operational Directive 22-01, many organizations continue to operate without any visibility into the risk associated with their business applications, the Enterprise Resource Planning (ERP) applications that are foundational to running the businesses. ERP applications like SAP support essential business functions of the world’s largest organizations, including utility companies. In fact, 91% of the top Forbes Global 2000 Utilities run SAP applications. However, many CIOs and CISOs often lack knowledge of ERP systems and integrations and don’t understand the criticality and business issues impacted by ERP systems.

ERP systems are complex, but securing them doesn’t have to be. Several characteristics of the utilities sector heighten the risk and impact of cyberthreats. The current environment requires a shift in enterprise cybersecurity strategies to more prominently elevate securing SAP applications as a higher priority to ensure organizations can recover from a potential cyberattack. Utilities leaders must navigate these complexities while protecting their organizations from ongoing cyberthreats. Below are a few examples of how technology can impact the utilities industry.

How Technology Affects the Utilities Industry

Threats to ERP Software

The threat landscape for ERP applications has expanded over time. Not only are attacks rising, but threat actors are growing more sophisticated and knowledgeable. Onapsis Research Labs, a dedicated team of security researchers, found evidence of more than 300 successful exploitation attempts against unsecured SAP applications, pointing to cybercriminals’ growing knowledge of ERP applications. Our research team found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. These advanced threat actors were observed to patch the SAP vulnerabilities they exploited and reconfigure systems so they would go undetected by SAP administrators.

The reason vulnerabilities in ERP applications often go undetected is because organizations tend to rely on a defense-in-depth security model to protect their business-critical applications, in which there are multiple layers of security controls deployed. The concept is that risk can be mitigated prior to reaching the application layer. However, while a defense-in-depth model should absolutely be deployed, it is not enough to protect modern organizations' application layer. 

Threat actors are using common tactics, techniques, and procedures to directly access and attack vulnerable ERP systems. Onapsis Research Labs’ threat research found evidence of hundreds of hands-on-keyboard sessions targeting vulnerable ERP systems, including examples of threat actors living off the land, chaining multiple vulnerabilities together, and even applying patches, post-exploitation, to cover their tracks. This trend points to the need to close the entry points threat actors are using to get in in the first place — because once they’re in, they’re in it for the long haul and their efforts are proving successful. Threat actors know that InfoSec teams have reduced visibility into and control over these complex ERP environments, and, with the increase in digital transformation projects and interconnectivity that was rapidly implemented over the past few years, ERP application security was frequently an afterthought. This is a prime environment in which motivated threat actors can thrive, and there can be massive business impacts.

Attackers with access to an unprotected SAP system can steal personal identifiable information (PII) from employees, customers, and suppliers; access financial records; deploy ransomware; and disrupt critical business processes. For utilities companies that must meet regulatory compliance mandates, such an incident can lead to expensive third-party audits and penalties, including fines and legal action. The need for security specific to the application layer is vital.

Best Practices for Securing ERP Software in the Utilities Industry

Getting Started with ERP Software for Utilities Companies

Fortunately, securing your ERP applications doesn’t have to be complicated. Onapsis has been on the frontlines securing utilities companies for over a decade. With the Onapsis Platform, utilities companies can get end-to-end ERP application security. 

The Onapsis Platform provides unprecedented visibility, robust analytics, reporting and automation capabilities - empowering cross-functional teams to effectively understand, manage and act on issues that pose risk to the security, compliance, and availability of their most critical applications. Backed by threat intelligence from Onapsis Research Labs, our team of cybersecurity experts, providing customers with  advanced notification on critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates. The Onapsis Platform integrates with existing security tools, so your team can scale and do more with less.

If you are interested in learning more about ERP software for the utility industry, take a look at the following resources or sign up for The Defenders Digest here.

Utilities OG&E: Fireside Chat

Hear from Oklahoma’s largest electric utility, Oklahoma Gas & Electric Company (OGE Energy Corp), on how they have approached their security holistically, taking familiar security best practices and implementing them at both the OT & IT level.

Watch Now

Solution Brief: ERP Security for Utility Companies

For utility companies, the impact of a successful cyber attack on their critical ERP, production and supply chain, or patient portals could be devastating.

Download Now

Solution Brief: ERP Security for Oil & Gas Companies

For oil & gas organizations, the impact of a successful cyber attack on their critical ERP, production and supply chain could be devastating.

Download Now
Request a Demo from Onapsis

Ready to eliminate your SAP cyber security blindspot?

Let us show you how simple it can be to protect your business applications.

Request a demo