Utility Sector Threats

How to Address Cybersecurity Vulnerabilities in SAP Applications

Due to the increased number of threats and actors targeting utilities, the expansive attack surface, and the unique infrastructure, the utilities sector is particularly susceptible to cyberattacks.

Cyberattacks in the utilities sector can have far-reaching impact: power outages, damage to critical infrastructure and essential networks, stolen personally identifiable information (PII), and billions of dollars lost to ransom demands and repairs. As we saw in 2021 with Colonial Pipeline, a compromised utility can also disrupt society.

As the utilities sector embraces digital transformation to streamline processes, applications and networks become more interconnected. With increasing interconnectivity between on-premises and cloud environments — between internal and third-party systems — exposure and risk increase. This industry cannot just rely on compliance regulations and traditional security to remain secure. And while most companies within the utilities space have taken steps to protect their infrastructure, business-critical applications still fall out of the scope of traditional security measures.

Systems, such as enterprise resource planning (ERP), supply chain management, and logistics management, are interconnected and support critical operations that can be severely disrupted if they are compromised by threat actor groups. IDC research shows that 64% of ERP systems have been breached in the last two years and there have been six US-CERT alerts on malicious activity targeting business-critical applications since 2016. There needs to be a shift in the cybersecurity strategies of utility companies to ensure a quick recovery from cyberattacks.

How to address vulnerabilities in SAP business applications

Without stronger security controls, business-critical systems will remain vulnerable to attack. To address the vast geographic, organizational, and technical gaps in networks and visibility, utilities companies need to take an integrated approach to security.

Obtain visibility into critical assets
Enterprises should have full visibility over all IT and OT networks and systems. This way organizations can discover internal and external threats and assess their impact in real time.

Implement vulnerability management tools
Vulnerabilities are an easy point of entry into business-critical assets. Organizations should incorporate advanced vulnerability management into their cybersecurity posture, including automated tools that scan for system misconfigurations, authorization issues, and missing patches and automatically apply the necessary mitigations.

Adopt cybersecurity best practices
Throughout the entire organization, utility companies must integrate cyber and physical security into their existing safety cultures. Enterprises must ensure their employees are cognizant of all threats they may face in their day-to-day operations, such as highly targeted phishing schemes.

How other utilities companies are managing risk in SAP business applications

Utility Company Uses Onapsis to Gain Foundational Visibility Into SAP Landscape 
See how one Onapsis utilities customer was able to accelerate and secure their SAP S/4HANA transformation: “We can see issues — misconfigurations, missing patches or unusual user activity — what risk they pose and how to fix them.”


Join us for ASUG Best Practices: SAP for Oil, Gas, and Energy in Houston or virtually, Sept. 12–14. This three-day event will unite leaders to address the biggest industry challenges. You’ll leave with the tools and resources to make the most of your technology investment.


Join Onapsis and SAP at ASUG’s SAP for Utilities event, September 18-20th. Attend virtually or in person for cutting-edge insights and best practices delivered via keynotes, case studies, and networking opportunities. Leave with actionable recommendations from SAP security and compliance experts.  


Fireside Chat: Keep The Lights On: Security for Your SAP Applications
The energy sector faces formidable and unique cyber threats. Listen on-demand to how Oklahoma Gas & Electric Company (OG&E) manages cyber risk for its SAP systems.


