Protecting the Assembly Line: How Heavy and Discrete Manufacturing Can Secure SAP Custom Code in the Era of AI and Accelerating Threats

Share

The heavy and discrete manufacturing sector faces unprecedented cyber threats, underscored by the £1.9 billion Jaguar Land Rover breach. As the industry adopts AI to accelerate SAP custom code development, critical new vulnerabilities emerge. With strict regulations like UN R155, NIS2, and TISAX demanding ‘secure-by-design’ systems, reactive security is obsolete. “Shifting left” with a DevSecOps approach is now a business imperative.

Key Takeaways

  • The £1.9 Billion Wake-Up Call: The recent Jaguar Land Rover breach proves the stakes are higher than ever. Manufacturing remains the top target for global cyber incidents for five consecutive years. A single compromised credential or insecure custom application can halt global production, compromise intellectual property, and severely disrupt connected supply chains.
  • The AI Blindspot: AI coding assistants (like SAP Joule) write code at lightning speed but suffer from “context blindness,” often omitting critical authorization checks that protect sensitive proprietary data.
  • Regulatory Reality: Heavy and discrete manufacturers face stringent new regulations. Mandates like UN R155, NIS2, and TISAX require manufacturers to prove their backend systems and connected supply chains are secure by design.
  • The Defender’s Imperative: “Shifting left” prevents vulnerabilities from ever reaching production, significantly lowering remediation costs. Onapsis Control automates your SAP custom code security to protect your Clean Core, mitigate the cyber talent gap, and accelerate digital transformation safely.

The Assembly Line is Only as Strong as Its Weakest Code

Imagine a just-in-time (JIT) logistics sequence delivering parts to a bustling automotive assembly line. Suddenly, the robotic welding arms stop. The inventory screens go dark, but the culprit isn’t a mechanical failure or a power outage. Instead, an ERP system has been compromised.

Cyber attacks targeting heavy and discrete manufacturing are evolving from broad ransomware campaigns to surgical strikes exploiting vulnerabilities in the SAP application layer and custom code. The financial and operational stakes are staggering. The recent Jaguar Land Rover breach caused an estimated £1.9 billion in financial impact and disrupted over 5,000 supply chain organizations. With the average data breach cost in manufacturing hitting $5.56M, organizations are fighting a two-front war: defending critical systems while accelerating massive digital transformations.

The Double-Edged Sword: AI Development & “Context Blindness”

To meet the demands of sustainability and rapid innovation, the industry is aggressively adopting AI. Developers are increasingly using AI assistants, such as SAP Joule, to accelerate custom code development.

But this speed introduces a dangerous hidden cost. AI-generated code suffers from “context blindness.” Because AI models operate on pattern matching, they do not understand your organization’s unique business logic or security architecture.

For example, an AI assistant might generate perfectly functional code for a supply chain portal but forget to include a mandatory SAP AUTHORITY-CHECK. Suddenly, any user on the network can view highly confidential vendor pricing or manipulate shipping manifests. AI inadvertently expands the attack surface by introducing hidden vulnerabilities, missing authorization checks, and shadow dependencies that a human reviewer might easily overlook in the rush to production.

The Regulatory Reality: Strict Automotive Compliance Mandates

Heavy and discrete manufacturers face stringent new regulations. Organizations must prove that their backend IT systems, software update mechanisms, and connected supply chains are resilient against cyber threats. You cannot simply bolt security onto a finished product anymore. Regulators and industry bodies now require “secure-by-design” architectures. If a manufacturer’s backend IT systems are vulnerable, they risk massive fines, revoked certifications, and losing their license to sell.

·       UN R155: This binding regulation mandates a certified Cybersecurity Management System (CSMS). Automakers must prove that security is baked into the design architecture covering the entire vehicle lifecycle. If a vulnerability in your SAP system allows an attacker to compromise a vehicle software update, you are in direct violation.

·       The EU NIS2 Directive: NIS2 classifies motor vehicle manufacturing as critical infrastructure. It imposes strict incident reporting, mandates comprehensive supply chain risk assessments, and makes cybersecurity a board-level liability. Leaders can be held personally responsible for systemic negligence.

·       TISAX (Trusted Information Security Assessment Exchange): This is the automotive industry’s “ticket to trade.” It focuses heavily on protecting highly sensitive enterprise systems. If your custom code leaves the SAP database exposed (i.e., where next-gen EV prototypes, CAD drawings, and other important data are stored), you cannot achieve the TISAX label required to bid on OEM contracts.

·       GDPR: Modern connected vehicles are data-gathering machines transmitting real-time telemetry. Because a Vehicle Identification Number (VIN) ties directly to a registered owner, backend SAP systems processing this build and customer data are subject to massive GDPR privacy fines if breached.

The Cybersecurity Talent Gap & The Clean Core Challenge

The race to migrate to SAP S/4HANA, SAP Cloud ERP, or RISE with SAP demands a “Clean Core” strategy. However, the pressure to deploy quickly often pushes security to the very end of the development lifecycle. This reactive approach leads to grueling manual code reviews, costly project delays, and the risk of migrating legacy vulnerabilities into new cloud environments.

Compounding this issue is a severe talent cliff: 56% of IT leaders cite a lack of cybersecurity skills as the top cause of breaches. Security teams are stretched thin and simply lack the deep, SAP-specific knowledge required to manually secure complex custom code or validate AI-generated developments.

The Defender’s Imperative: SAP Application Security Testing with Onapsis Control

Fortunately, securing the Clean Core and accelerating innovation doesn’t have to be complicated, even with all the advanced threats and attacks out in the wild. An IBM study identifies a DevSecOps approach to software development as the number one factor in reducing breach costs. As the undisputed experts in SAP cybersecurity and the only application security vendor in the SAP Endorsed Apps program, Onapsis empowers heavy and discrete manufacturers to embed security directly into their development lifecycles.

As a core pillar of the Onapsis Platform, Onapsis Control enables you to establish proactive quality assurance and a frictionless DevSecOps pipeline. It helps you:

  • Automate DevSecOps & Protect the Clean Core: Integrate security checks directly into developer IDEs, Git Repositories, and CI/CD pipelines. By acting as an automated quality gate, Onapsis checks every new code and transport to ensure only clean, secure code reaches production during critical RISE with SAP transformations.
  • Secure AI-Assisted Development: As teams accelerate ABAP and non-ABAP development using AI assistants (like SAP Joule), Onapsis automatically scans both human- and AI-authored code. This eliminates hidden vulnerabilities, missing authorization checks, and shadow dependencies caused by AI “context blindness.”
  • Enforce Strict Compliance: Continuously maintain a safe, audit-ready landscape. Onapsis Control checks code against over 600 specialized test cases, ensuring your custom developments align with stringent internal guidelines and external mandates like TISAX, UN R155, NIS2, and GDPR.
  • Accelerate Release Cycles: Drastically reduce manual code review efforts. By providing developers with prioritized insights, actionable remediation guidance, and a low rate of false positives, teams can fix critical data loss and security issues quickly without bottlenecking project timelines.

By taking a secure-by-design approach, organizations achieve incredible efficiency. For example, leading automotive manufacturer Å koda implemented Onapsis Control, helping 300 developers reduce manual effort during code reviews. They saw 15,000 findings seamlessly resolved, which reduced time consumed and improved security, performance, quality, and stability.

In the new era of manufacturing, protecting the assembly line means protecting your code. Shift left, automate your security, and innovate with confidence.

Frequently Asked Questions

Why is SAP custom code security critical in heavy and discrete manufacturing?

Cyber attacks targeting heavy and discrete manufacturing are evolving, with criminals actively exploiting vulnerabilities in the application layer. Because custom SAP code dictates how your business operates—from tracking inventory to managing suppliers—a vulnerability here can halt global production, compromise intellectual property (like CAD files), and sever connected supply chains.

What is “context blindness” in AI-generated code?

AI coding assistants generate code rapidly based on pattern matching, but they lack a true understanding of an organization’s specific SAP architecture, business logic, or user roles. This “context blindness” frequently leads to the creation of code that is functional but insecure, inadvertently introducing hidden vulnerabilities and omitting crucial authorization checks.

What is a “Clean Core” strategy, and how does custom code threaten it?

A Clean Core strategy involves keeping your standard SAP ERP system as close to out-of-the-box functionality as possible to make cloud migrations (like RISE with SAP) smoother and future upgrades seamless. Poorly written, insecure, or overly complex custom code creates technical debt that “dirties” the core, delaying digital transformation projects and carrying legacy security risks into new environments.

How does Onapsis Control support DevSecOps and a Shift Left strategy? 

“Shifting left” means moving security testing to the earliest possible phase of the software development lifecycle. Onapsis Control integrates directly into developer IDEs, CI/CD pipelines, and Git Repositories, acting as an automated gatekeeper. This ensures that both human- and AI-authored code is scanned and fixed before it ever reaches production, significantly lowering remediation costs and accelerating release cycles.