©2024 Onapsis | All rights reserved
The electricity, energy, and waste sectors are among the 16 critical infrastructure sectors the U.S. government labels vital, noting that “their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.” This critical infrastructure, including the information technology (IT) and operational technology (OT) systems run by the utilities industry, is a primary target for cybercriminals: research cited by Onapsis shows that cyberattacks against energy infrastructure more than doubled from Q2 to Q3 of 2022. As the cybersecurity landscape continues to evolve, organizations must make greater efforts to secure their business-critical systems and reduce risk.
In the last decade, energy and utility companies have rapidly accelerated digital transformation projects to simplify and modernize existing processes, drive efficiency, and streamline operations. Enterprises undergoing this transformation have migrated ERP applications from on-premises infrastructure to cloud and third-party hosted platforms. The resulting interconnectivity between internal and third-party systems, and between on-premises and cloud environments, has greatly expanded organizations’ attack surfaces and business risk profiles, leaving them more exposed to exploitation. As threat actors evolve their tactics and directly target the applications critical to running the business, utilities executives need to understand these greater risks and how to protect their enterprises.
Many utilities organizations are currently either planning or executing a transformation to SAP’s next-generation ERP, S/4HANA. Organizations must upgrade to SAP S/4HANA before SAP’s 2027 end of mainstream maintenance for the previous ERP generation, or accept the risk of running their most business-critical operations on outdated and unpatched software. Moving the business to the cloud can be a long and tedious process, which is why SAP introduced RISE with SAP, its business transformation program, which is intended to cover every element of the transformation and reduce complexity.
Organizations that run their business on SAP systems rely on SAP developers to write code and build custom applications suited to their needs. To run those applications in the cloud with confidence, organizations need to check their custom code and remediate its issues before taking it into the new environment. Including security at the beginning of the development process, also known as shifting left, brings security validation to the moment code is written instead of the moment it is deployed or tested. Enterprises can then identify those risks, or prevent them from ever leaving the development environment, so that they do not create issues in the cloud environment.
Along with accelerated digital transformation projects, organizations are migrating from legacy on-premise infrastructure to the cloud to achieve greater resilience and efficiency. Utility workflows commonly included manual methods but today, many of these operations are happening in cloud applications that hold sensitive billing, customer data, and more.
Operating in the cloud allows utilities organizations to easily scale to meet their needs and save cost on the hardware and space needed to maintain on-premises storage. But, organizations are often faced with challenges like ensuring business continuity, getting the project done on time and on budget, and security concerns. By bringing together migration and security teams, organizations can identify and mitigate any issues in the systems prior to and during migration, and be confident while operating in the cloud.
While transformation projects can help utility companies operate more efficiently, organizations in this sector also have to grapple with heavy regulation, which brings complexity. Every utility company must demonstrate compliance with a large number of rules and regulations designed to ensure that it can deliver safe and reliable utilities. Under the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, electric utilities must adhere to a baseline set of security measures. Compliance with NERC CIP is a baseline, not a guarantee: an organization that meets the standards is not thereby safe from cyberthreats. With the threat landscape evolving faster than regulation, utilities companies need flexible and resilient cybersecurity tools and processes.
The US Infrastructure Investment and Jobs Act authorizes $1.2 trillion for infrastructure spending and treats cybersecurity as a required element of that investment for the utilities industry rather than an optional one. The act calls for improving the cybersecurity of power, water, and transportation infrastructure, upgrading systems and software, and provides resources for cyber coordination and response. Although implementation is expected to run through 2026, the energy sector should begin using these resources now to secure energy systems and applications.
The EU achieved its three 2020 climate and energy targets: reducing greenhouse gas emissions by 20%, increasing the share of renewable energy to 20%, and improving energy efficiency by 20%. By 2050, the EU plans to reduce net emissions to zero, using digitalization to make the energy sector more efficient, flexible, and resilient. Digitalization is critical to the EU’s decarbonized economy and is expected to accelerate decarbonization. However, it also brings cybersecurity challenges for energy infrastructure and for the reliability of the electricity grid.
The threat landscape for ERP applications has expanded over time. Not only are attacks rising, but threat actors are growing more sophisticated and knowledgeable. Onapsis Research Labs, a dedicated team of security researchers, found evidence of more than 300 successful exploitation attempts against unsecured SAP applications, pointing to cybercriminals’ growing knowledge of ERP applications. Our research team found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. These advanced threat actors were observed patching the SAP vulnerabilities they had exploited and reconfiguring systems so that their access would go undetected by SAP administrators.
Vulnerabilities in ERP applications often go undetected because organizations rely on a defense-in-depth security model to protect their business-critical applications, deploying multiple layers of security controls on the assumption that risk will be mitigated before it reaches the application layer. A defense-in-depth model should absolutely be deployed, but on its own it is not enough to protect a modern organization’s application layer.
Threat actors are using common tactics, techniques, and procedures to directly access and attack vulnerable ERP systems. Onapsis Research Labs’ threat research found evidence of hundreds of hands-on-keyboard sessions targeting vulnerable ERP systems, including examples of threat actors living off the land, chaining multiple vulnerabilities together, and even applying patches, post-exploitation, to cover their tracks. This trend points to the need to close the entry points threat actors are using to get in in the first place — because once they’re in, they’re in it for the long haul and their efforts are proving successful. Threat actors know that InfoSec teams have reduced visibility into and control over these complex ERP environments, and, with the increase in digital transformation projects and interconnectivity that was rapidly implemented over the past few years, ERP application security was frequently an afterthought. This is a prime environment in which motivated threat actors can thrive, and there can be massive business impacts.
Attackers with access to an unprotected SAP system can steal personally identifiable information (PII) of employees, customers, and suppliers; access financial records; deploy ransomware; and disrupt critical business processes. For utilities companies that must meet regulatory compliance mandates, such an incident can lead to expensive third-party audits and penalties, including fines and legal action. Security specific to the application layer is therefore vital.
Visibility into cloud, on-premise, and hybrid environments allows organizations to begin to properly identify, assess, prioritize, and remediate risk. Enterprises must gain full visibility into all critical and connected systems to eliminate any system blind spots. By obtaining a comprehensive view of the IT and OT systems, organizations can discover internal and external threats and assess their impact in real time.
However, organizations are challenged with preemptively detecting exploitation of known and unknown vulnerabilities as well as preventing and mitigating cyberattacks that target their critical data and systems. Although enterprises have deployed defense-in-depth solutions within their environment, none of these is specifically focused on threats and vulnerabilities for business-critical applications. Security teams need to have tools that give them visibility into potential misuse or abuse of business-critical applications. Continuous monitoring of these applications means vulnerability exploits and anomalous behavior can be detected and prioritized even before a vendor patch is issued to mitigate the issue.
Having visibility into ERP applications is also essential when building applications, ensuring blind spots are eliminated while working with various internal and external teams. Security is often an afterthought in the application development process, or not thought of at all. By implementing DevSecOps, everyone in the software development life cycle is responsible for security. The earlier security is inserted into the development process the earlier issues will be resolved and code will be developed faster and “cleaner” leading to accelerated development cycles and more secure applications.
ERP applications are complex, made up of multiple software components, application servers, databases, and operating systems. Because of their interconnectedness and overall complexity, it is imperative that organizations take the appropriate time to prepare. This means including ERP applications like SAP in business continuity and incident response plans. To minimize the impact of an attack, the incident response plan should be fully vetted, with a cross-functional response team, identified key leaders, and scenario runbooks with clear deliverables. Organizations should stay engaged with government agencies and CERT organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) in the United States or the German Bundesamt für Sicherheit in der Informationstechnik (BSI), since these entities frequently see the larger scope of ransomware infections. They can offer knowledge, assistance, and lessons learned from other incidents they have encountered.
Along with government agencies, utilities organizations should consider employing solutions that can provide a holistic view of threats across their business systems. Timely, impactful threat intelligence can provide insightful information about current tactics, techniques, and procedures used by threat actors. They can also provide early alerts about new ransomware campaigns as well as actionable intelligence for security teams responsible for designing and implementing security controls. It’s critical that this strategic intelligence provides awareness but also informs strategic decisions and response plans.
Another critical element of secure ERP applications is the ability to automate tasks so that multiple environments can be managed with reasonable effort. One time-consuming but essential process is patch management. Patching is one of the most effective preventive controls available and is a critical part of mitigating risk for business-critical applications. However, patch management, especially in a large enterprise, is an enormous and frequently manual process. This can result in rushed or ineffective efforts in which critical patches are ignored or deprioritized. Worse, it may result in long backlogs and lead times before patches are actually implemented and verified.
Yet patching business-critical applications must be a higher priority. Onapsis Research Labs threat intelligence found that exploitation can begin within 72 hours of an SAP patch release, and that newly exposed systems begin to be attacked within just three hours of being put online. Some attacks even chain multiple vulnerabilities together in order to target a specific application and gain access to its underlying operating system.
Utilities organizations need to strengthen their ERP application security posture with a timely patch management process to protect against exploitation of vulnerabilities. An ERP-focused vulnerability management solution focused on the application layer can identify which systems are missing patches, validate that the patches are applied correctly and completely, and enable organizations to prioritize patching based on severity and impact. With the right tools and processes in place, organizations minimize the risk of the exploitation of critical vulnerabilities and protect their most important business assets.
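The missing-patch check and prioritization described above, as an added illustration that is not Onapsis code and not the Onapsis Platform’s algorithm: the security notes, component versions, support package levels and system inventory below are constructed for the example, and the scoring weights and SLA windows are this example’s own assumptions. The point it demonstrates is that a note can require fixes in more than one component (for instance a kernel level and an ABAP support package), so a system is only “patched” when every applicable part is at the required level, and that the same missing note ranks differently on an internet-facing production system than on an isolated development system.

```python
"""Constructed example: find SAP security notes a system has not fully
applied and rank the gaps by severity, exploit availability and exposure."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityNote:
    note_id: str            # constructed identifier, not a real SAP Note number
    cvss: float
    exploit_public: bool    # a working exploit has been observed in the wild
    # (component, release, minimum support package) entries that together
    # contain the complete fix; all applicable ones must be met
    requirements: tuple


@dataclass(frozen=True)
class SapSystem:
    sid: str
    internet_facing: bool
    business_critical: bool
    components: dict        # {(component, release): installed support package}


def missing_parts(note, system):
    """Return the components of the note the system runs but has not yet
    patched to the required level. A system on a release the note does not
    list is simply not affected by that requirement."""
    gaps = []
    for component, release, min_sp in note.requirements:
        installed = system.components.get((component, release))
        if installed is not None and installed < min_sp:
            gaps.append(component)
    return gaps


def priority(note, system):
    """0-100 score (assumed weights): CVSS forms the base, a public exploit
    and the system's exposure and criticality add fixed increments."""
    score = note.cvss * 6                      # 0..60
    if note.exploit_public:
        score += 20
    if system.internet_facing:
        score += 12
    if system.business_critical:
        score += 8
    return round(score)


def sla_days(note, system):
    """Assumed remediation windows; the 3-day window reflects the 72-hour
    patch-to-exploitation timeline described in the text."""
    if note.exploit_public and system.internet_facing:
        return 3
    if note.exploit_public or system.internet_facing:
        return 7
    return 30


def rank_missing(notes, systems):
    """Cross every system with every note and return the gaps, most urgent first."""
    rows = []
    for system in systems:
        for note in notes:
            gaps = missing_parts(note, system)
            if gaps:
                rows.append({"sid": system.sid, "note": note.note_id,
                             "missing": gaps,
                             "priority": priority(note, system),
                             "sla_days": sla_days(note, system)})
    rows.sort(key=lambda r: (-r["priority"], r["sla_days"], r["sid"]))
    return rows


# Constructed inventory: note N-0003 needs both a kernel level and an ABAP
# support package, so PRD has applied it only partially.
NOTES = (
    SecurityNote("N-0001", 9.8, True, (("SAP_BASIS", "750", 22),)),
    SecurityNote("N-0002", 6.5, False, (("SAP_BASIS", "750", 24),)),
    SecurityNote("N-0003", 7.5, False, (("KERNEL", "753", 900), ("SAP_BASIS", "750", 21))),
)
SYSTEMS = (
    SapSystem("PRD", True, True, {("SAP_BASIS", "750"): 20, ("KERNEL", "753"): 1000}),
    SapSystem("DEV", False, False, {("SAP_BASIS", "750"): 23, ("KERNEL", "753"): 800}),
    SapSystem("ARC", False, True, {("SAP_BASIS", "740"): 10}),
)

if __name__ == "__main__":
    for row in rank_missing(NOTES, SYSTEMS):
        print(f'{row["sid"]} {row["note"]} missing={row["missing"]} '
              f'priority={row["priority"]} sla={row["sla_days"]}d')
```

Run as a script it lists five gaps, with the internet-facing production system’s publicly exploited note first and the development system’s gaps last; the archive system on an unlisted release produces no rows at all, which is the behaviour you want from a check that is driven by what a system actually runs rather than by a flat list of note numbers.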
Vulnerability management, and particularly patch management, should also be top of mind when planning cloud migration and digital transformation projects such as SAP S/4HANA and RISE with SAP. Prior to cloud migration, ensuring that systems are protected and patched is critical so that they can be kept running securely during the migration itself. Moving to the cloud can be a complex process, but by building security in from the start these projects can be completed on time and on budget. In doing so, organizations can ensure their code is clean before the migration, follow compliance and security standards throughout it, and be confident that their applications running in the cloud are at least as secure as they were on premises.
ERP business applications process your organization’s most regulated data – financial, customer, employee, IP, sales, and more. Ensuring the integrity, confidentiality, and availability of this data and the underlying business processes is essential to keep business operations running smoothly and ensuring your compliance requirements are met. The challenge is that identifying issues that put these critical systems at risk isn’t easy, often involving manual efforts across departments and no direct visibility for risk and compliance teams.
Utilities organizations are expected to deliver clean, safe, reliable, and affordable energy, electricity, and water to millions of customers and they must be compliant with all of the rules and regulations that govern the industry. Failing to comply with the laws and regulations can lead to legal and financial penalties. The large amount of laws and regulations the industry needs to follow can make regulatory utility compliance challenging.
The North American Electric Reliability Corporation (NERC) is the regulatory authority responsible for the reliability and security of the bulk power system in the U.S. and Canada. Under the NERC CIP standards, electric companies must identify critical assets, perform risk analysis, and define monitoring policies. Non-compliance with any NERC standard can bring penalties. Similarly, the Federal Energy Regulatory Commission (FERC) regulates the interstate transmission and sale of electricity and natural gas and the transportation of oil by pipeline.
Utility providers manage large volumes of sensitive customer data. Any business that stores, processes, or transmits payment cardholder data must comply with the PCI Data Security Standard (PCI DSS). Consequences of non-compliance include fines and even the suspension of card processing operations. Protecting sensitive customer and billing information should therefore be a high priority for utilities companies.
Utilities organizations are also subject to a number of broader government regulations such as GDPR, SOX, and FCPA, and breaching them can have long-lasting consequences. Beyond the direct compliance violations and fines, the negative media coverage that accompanies data mishandling damages customer confidence.
Providing direct access for compliance teams, reducing manual processes, obtaining more accurate audit results, and avoiding surprises and violations will free up valuable cross-functional resources that can be better allocated to support the business. By aligning everyone involved in the audit process—IT, InfoSec, and audit/compliance, organizations can be more efficient, provide more accurate results and free up resources to focus on business critical matters.
Fortunately, securing your ERP applications doesn’t have to be complicated. Onapsis has been on the frontlines securing utilities companies for over a decade. With the Onapsis Platform, utilities companies can get end-to-end ERP application security.
The Onapsis Platform provides visibility, analytics, reporting, and automation capabilities that empower cross-functional teams to understand, manage, and act on issues that pose risk to the security, compliance, and availability of their most critical applications. It is backed by threat intelligence from Onapsis Research Labs, our team of cybersecurity experts, which gives customers advance notification of critical issues, comprehensive coverage, improved configurations, and pre-patch protection ahead of scheduled vendor updates. The Onapsis Platform integrates with existing security tools, so your team can scale and do more with less.
Focused and comprehensive vulnerability management for ERP applications should start with automated assessments that range from securing the baseline to more advanced vulnerability use cases. Onapsis Assess, for example, provides prioritization capabilities and step-by-step remediation instructions that make resolution simple and straightforward. By including context on severity and impact for each missing patch, it lets organizations prioritize their patching efforts. A description of each issue, together with its severity and potential business impact, is what allows informed decisions about which risks to accept and which need action.
Vulnerability management solutions can also identify and address vulnerabilities in applications before they move to a cloud environment.
Threat detection & response software for ERP applications continuously monitors critical assets for threats, whether in the cloud, hybrid or on premises environments. Onapsis Defend, for example, leverages threat intelligence-based alerts to perform continuous threat monitoring, detection, and response for business applications. Security teams then can gain visibility and control over unauthorized changes, misuse, or cyberattacks targeting these applications. Ideally threat detection and response software integrates with existing ticketing systems and SIEMs, providing visibility to an organization’s Security Operations Center (SOC).
Post-cloud migration, threat detection and response ERP software should continuously monitor for threats–including changes, critical transactions, and user activity.
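The continuous monitoring of critical transactions and user activity described above, as an added example that is not Onapsis Defend code: a small detector run over constructed audit events. The event codes follow the SAP Security Audit Log classes AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started), but the pipe-delimited line layout, the sample users, IP addresses, thresholds, and the lists of critical transaction codes, administrator accounts, and approved administrator addresses are this example’s own assumptions; a real deployment would take them from the system’s audit log export and from the organization’s own role model.

```python
"""Constructed example: three detections over simplified SAP audit-log events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events, one per line: time|event|user|terminal|ip|detail
# (for AU3 events the detail field carries the transaction code).
SAMPLE_LOG = """\
2024-03-04T08:00:01|AU2|JSMITH|WS01|10.1.2.3|Logon failed
2024-03-04T08:00:40|AU2|JSMITH|WS01|10.1.2.3|Logon failed
2024-03-04T08:01:15|AU2|JSMITH|WS01|10.1.2.3|Logon failed
2024-03-04T08:02:02|AU2|JSMITH|WS01|10.1.2.3|Logon failed
2024-03-04T08:03:48|AU2|JSMITH|WS01|10.1.2.3|Logon failed
2024-03-04T08:04:30|AU1|JSMITH|WS01|10.1.2.3|Logon successful
2024-03-04T08:05:10|AU3|JSMITH|WS01|10.1.2.3|SE38
2024-03-04T09:00:00|AU1|DDIC|WS09|203.0.113.7|Logon successful
2024-03-04T09:15:00|AU3|BASISADM|WS02|10.1.2.9|SM59
2024-03-04T09:20:00|AU3|BASISADM|WS02|10.1.2.9|SE16
2024-03-04T10:00:00|AU2|JSMITH|WS01|10.1.2.3|Logon failed
"""

# Assumed policy inputs; in practice these come from the role model and CMDB.
CRITICAL_TCODES = {"SE38", "SE80", "SM59", "SU01", "RZ10", "SM49", "SM69", "STMS", "SE16"}
ADMIN_USERS = {"BASISADM"}
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM"}   # SAP-delivered accounts
ADMIN_IPS = {"10.1.2.9"}
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)


def parse(log_text):
    """Turn the constructed line layout into event dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, code, user, terminal, ip, detail = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "code": code, "user": user,
                       "terminal": terminal, "ip": ip, "detail": detail})
    return events


def detect(events):
    """Return (rule, user, context) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(deque)        # user -> timestamps of recent AU2 events

    def prune(queue, now):
        while queue and now - queue[0] > FAIL_WINDOW:
            queue.popleft()

    for e in events:
        q = failures[e["user"]]
        if e["code"] == "AU2":
            q.append(e["ts"])
            prune(q, e["ts"])
        elif e["code"] == "AU1":
            # A success after a burst of failures is the interesting case:
            # failures alone are noise, success after them is a compromised password.
            prune(q, e["ts"])
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("password-guessing-then-success", e["user"], e["ip"]))
            q.clear()
            # SAP-delivered accounts should only ever log on from known admin hosts.
            if e["user"] in STANDARD_USERS and e["ip"] not in ADMIN_IPS:
                alerts.append(("standard-user-logon-from-unexpected-ip", e["user"], e["ip"]))
        elif e["code"] == "AU3":
            # Development, RFC destination and user administration transactions
            # started by an account outside the administrator group.
            if e["detail"] in CRITICAL_TCODES and e["user"] not in ADMIN_USERS:
                alerts.append(("critical-transaction-by-non-admin", e["user"], e["detail"]))
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the detector raises three alerts: the guessed JSMITH password followed by that account opening the ABAP editor, and the SAP-delivered DDIC account logging on from an address outside the administrator range. The same transactions started by BASISADM from an approved host raise nothing, which is the difference between a detector that understands the role model and one that merely greps for transaction codes.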
DevSecOps secures and mitigates risk, from development through transport, for custom code intended for SAP production applications. Onapsis Control, for example, integrates with popular development environments and change management solutions to deliver automated security testing for ERP applications like SAP. DevSecOps ERP software can analyze internal or third-party custom code and transports throughout the development lifecycle to identify issues in the shortest possible time, before they can negatively impact system security, compliance, performance, or availability.
During SAP S/4HANA migrations, DevSecOps solutions should examine the set of SAP transports to be imported and predict whether they will have negative consequences for the target system. This lets utility companies identify and understand how to remediate potential problems: custom code is automatically checked for security, compliance, and performance issues, transports containing critical issues can be blocked from release automatically, and workflows can be set up to review the remaining findings.
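The shift-left custom-code check discussed earlier and the transport gate described above, as one added example that is not Onapsis Control code and not its rule set: a line-based scanner for a handful of well-known ABAP weakness patterns (OS command execution via the `'SYSTEM'` kernel call, dynamic code generation, a dynamic WHERE clause taken from a variable, a hard-coded user name check, and CALL TRANSACTION without an authority check) and a gate that decides whether a transport may be released. The two ABAP programs, the transport structure, the regular expressions and the severity levels are constructed for the example; a production scanner works on the parsed statement structure rather than on regular expressions over lines.

```python
"""Constructed example: scan ABAP custom code in a transport and gate its release."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    obj: str        # ABAP object (report) name
    line: int
    rule: str
    severity: str   # CRITICAL, HIGH or MEDIUM
    text: str


# (rule, severity, pattern): an approximation of common ABAP findings, assumed here.
RULES = [
    ("os-command-execution", "CRITICAL", re.compile(r"\bCALL\s+'SYSTEM'", re.I)),
    ("dynamic-code-generation", "CRITICAL",
     re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I)),
    ("dynamic-where-clause", "HIGH", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)),
    ("hardcoded-user-check", "MEDIUM", re.compile(r"\bSY-UNAME\s*(=|EQ)\s*'", re.I)),
]
CALL_TA = re.compile(r"\bCALL\s+TRANSACTION\b", re.I)
WITH_AUTH = re.compile(r"\bWITH\s+AUTHORITY-CHECK\b", re.I)
AUTH = re.compile(r"\bAUTHORITY-CHECK\b", re.I)
LOOKBACK = 5    # lines before a CALL TRANSACTION in which an explicit check is accepted


def scan_object(name, source):
    """Return findings for one ABAP source; comments are ignored."""
    findings = []
    lines = source.splitlines()
    for i, raw in enumerate(lines, 1):
        if raw.lstrip().startswith("*"):          # full-line comment
            continue
        code = raw.split('"')[0]                  # drop trailing " comment
        for rule, severity, pattern in RULES:
            if pattern.search(code):
                findings.append(Finding(name, i, rule, severity, code.strip()))
        if CALL_TA.search(code) and not WITH_AUTH.search(code):
            window = "\n".join(lines[max(0, i - 1 - LOOKBACK):i - 1])
            if not AUTH.search(window):
                findings.append(Finding(name, i, "call-transaction-without-authority-check",
                                        "HIGH", code.strip()))
    return findings


def gate_transport(transport):
    """Decide BLOCK / REVIEW / RELEASE for {"id": ..., "objects": {name: source}}."""
    findings = [f for name, src in transport["objects"].items()
                for f in scan_object(name, src)]
    severities = {f.severity for f in findings}
    if "CRITICAL" in severities:
        decision = "BLOCK"          # never reaches the target system
    elif "HIGH" in severities:
        decision = "REVIEW"         # routed to a security review workflow
    else:
        decision = "RELEASE"
    return decision, findings


# Constructed transport with one unsafe and one acceptable custom report.
UNSAFE_REPORT = """REPORT zutil_meter_export.
PARAMETERS p_where TYPE string.
DATA lv_where TYPE string.
lv_where = p_where.                         " unescaped user input
SELECT * FROM zmeter INTO TABLE @DATA(lt_m)
  WHERE (lv_where).
CALL 'SYSTEM' ID 'COMMAND' FIELD 'ls -la'.  " OS command from ABAP
IF sy-uname = 'JSMITH'.
  CALL TRANSACTION 'SU01'.
ENDIF."""

SAFE_REPORT = """REPORT zutil_billing_run.
PARAMETERS p_bukrs TYPE bukrs.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'ZBILL'.
IF sy-subrc = 0.
  CALL TRANSACTION 'ZBILL' WITH AUTHORITY-CHECK.
ENDIF.
SELECT * FROM zbill INTO TABLE @DATA(lt_b) WHERE bukrs = @p_bukrs."""

TRANSPORT = {"id": "DEVK900123", "objects": {"ZUTIL_METER_EXPORT": UNSAFE_REPORT,
                                             "ZUTIL_BILLING_RUN": SAFE_REPORT}}

if __name__ == "__main__":
    decision, findings = gate_transport(TRANSPORT)
    print(TRANSPORT["id"], decision)
    for f in findings:
        print(f"  {f.severity:8} {f.obj}:{f.line} {f.rule}: {f.text}")
```

The unsafe report produces four findings and the `CALL 'SYSTEM'` alone is enough to block the transport, while the billing report, which performs an explicit authority check and uses a static WHERE clause, produces none. Because the gate is a function of the findings, the same code can run in the developer’s editor (shift left) and again at transport release, which is the point of putting the check at both ends.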
Compliance ERP software should automate testing and validation of collected evidence against established standards using custom or out-of-the-box policies like SOX or GDPR. This allows utility customers to understand the compliance impact of discovered issues and prioritize what should be addressed first. Onapsis Comply, for example, also proactively measures risk to stay ahead of the audit cycle and avoid deficiencies or material findings. All of the pieces of an automated compliance solution should have the end goal of making the audit process less costly and labor intensive.
Utility organizations can use ERP software for automated compliance to identify and remediate compliance issues within legacy systems in preparation for cloud migrations such as SAP S/4HANA. This lets security and IT teams check that their legacy on-premises environment meets their compliance standards, so that when they mirror those settings in the new cloud environment they maintain compliance both before and after the migration.