Patch early, patch often.
That's the advice from experts for combating SAP security risks, even though companies struggle to patch their SAP ERP Central Component systems. One obstacle is the real risk that a patch breaks custom code, but according to experts, leaving SAP vulnerabilities unpatched is far more damaging to the systems and to the company as a whole.
It's no secret that ERP systems are becoming increasingly attractive to hackers. Opening up ERP systems to third parties via APIs creates new openings for malicious actors. And considering the rich, valuable data stored in ERP systems, it's no wonder that hackers want access. The problem is so severe that the U.S. Department of Homeland Security issued a warning for IT administrators that includes recommendations to secure their ERP systems, including SAP systems.
SAP security risks include increased attacks
"We see SAP overall being targeted more as part of campaigns," said Juan Pablo Perez-Etchegoyen, CTO of Onapsis Inc., a Boston-based firm that provides security services for ERP environments, including SAP and Oracle.
Onapsis released a report, "ERP Applications Under Fire: How cyberattackers target the crown jewels," last year in conjunction with digital risk management firm Digital Shadows. The report details some of the security risks facing SAP and other ERP systems.
While there may not have been an uptick in attacks on SAP ERP Central Component (ECC) in particular, SAP applications are definitely getting more attention from cyberattackers, Perez-Etchegoyen said. For example, Onapsis has seen many threat actors going after the SAP Portal, which is typically used as a front end for SAP ECC. That component has been exploited as part of the ECC Java stack.
"We know that nation-states are using it and have seen traces of exploitation in countless cases," Perez-Etchegoyen said.
Waiting to patch could be too risky
SAP releases patches every month to plug vulnerabilities in its software. However, companies that wait to patch could be leaving the door wide open for threat actors.
In SAP ECC, the majority of the logic and components of patches are at the ABAP level, and hackers can immediately read the updates and derive an exploit from the patch, according to Perez-Etchegoyen. How fast this happens depends on the resources available to the threat actors.
"It's really a race," he said. "The sooner you can patch, the better."
As soon as the patch comes out, an attacker can weaponize the patch, although this is not strictly limited to SAP and applies to any software or operating system, Perez-Etchegoyen said. It's not a matter of whether or not it's possible to use patches for nefarious purposes, but when it will happen. From a risk perspective, organizations need to apply a patch immediately when it's released, as the patch could be weaponized at any moment, he said.
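As an added illustration of the patch-diffing step Perez-Etchegoyen describes (example code written for this article, not Onapsis or SAP code), the Python script below diffs the "before" and "after" ABAP source of a constructed, hypothetical correction and flags the security-relevant statements the correction introduces. The function module, the authorization object and the fix itself are illustrative assumptions; the point is that the diff immediately tells any reader, attacker or defender alike, exactly which code path the fix now guards, which is all an attacker needs to start probing unpatched systems and all a defender needs to prioritize the note.

```python
from __future__ import annotations

import difflib
import re

# Constructed example: ABAP source of a hypothetical custom function module
# before and after a fictional security correction. All names are illustrative.
BEFORE = """FUNCTION z_read_customer.
  SELECT SINGLE * FROM kna1 INTO ls_kna1 WHERE kunnr = iv_kunnr.
  ev_name = ls_kna1-name1.
ENDFUNCTION.
"""

AFTER = """FUNCTION z_read_customer.
  AUTHORITY-CHECK OBJECT 'F_KNA1_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE no_authority.
  ENDIF.
  SELECT SINGLE * FROM kna1 INTO ls_kna1 WHERE kunnr = iv_kunnr.
  ev_name = ls_kna1-name1.
ENDFUNCTION.
"""

# Statement patterns that typically mark a security fix in ABAP code.
# A capture group, where present, extracts the detail worth reporting.
SECURITY_MARKERS = {
    "authorization check": re.compile(r"^\s*AUTHORITY-CHECK\s+OBJECT\s+'([^']+)'", re.I),
    "input escaping": re.compile(r"\bcl_abap_dyn_prg\b|\bESCAPE\b", re.I),
    "sy-subrc guard": re.compile(r"^\s*IF\s+sy-subrc\s*<>\s*0", re.I),
}


def added_lines(before: str, after: str) -> list[str]:
    """Return only the lines the patch adds (the '+' lines of a unified diff)."""
    diff = difflib.unified_diff(
        before.splitlines(), after.splitlines(), lineterm="", n=0
    )
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def first_guarded_statement(after: str, added: list[str]) -> str | None:
    """First pre-existing statement that now follows the added block,
    i.e. the code path the correction protects."""
    added_set = set(added)
    seen_added = False
    for line in after.splitlines():
        if line in added_set:
            seen_added = True
        elif seen_added and line.strip():
            return line.strip()
    return None


def classify_patch(before: str, after: str) -> dict:
    """Diff two versions of an ABAP source and summarize the security-relevant delta."""
    added = added_lines(before, after)
    findings = []
    for line in added:
        for label, pattern in SECURITY_MARKERS.items():
            match = pattern.search(line)
            if match:
                detail = match.group(1) if match.groups() else line.strip()
                findings.append((label, detail))
    return {
        "added": added,
        "findings": findings,
        "guarded": first_guarded_statement(after, added),
    }


if __name__ == "__main__":
    result = classify_patch(BEFORE, AFTER)
    for label, detail in result["findings"]:
        print(f"{label}: {detail}")
    print("statement now guarded:", result["guarded"])
```

Run against the constructed sources, the script reports that an authorization check on F_KNA1_BUK was added and that the SELECT on KNA1 is the statement it now guards; on a real note the same two facts are what an attacker turns into a test request against an unpatched system, and what a defender uses to decide whether the affected function is reachable from the outside.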
Reducing investment in SAP ECC may lead to vulnerabilities
Applying patches immediately is even more critical if SAP isn't investing in its ECC product as much as it once did, which might be the case as the 2025 sunset date appears closer on the horizon. Rick Fricchione, vice president of the enterprise applications service line at IBM, said that some of his clients are concerned that SAP won't keep up with the potential risks now that SAP ECC's time is limited.
"We don't have quantitative measurements to say [attacks on SAP ECC] have increased, but there's more of a concern from clients on it simply because they sense a drop-off in engineering on a platform that has a clock ticking," he said.
Additionally, although SAP does have a monthly patch day, sometimes the company is not as disciplined with its release practices as it could be, according to Fricchione. Sometimes functional changes are bundled into support packages, which complicates the patching process and forces customers to perform functional regression testing.
"Clients have some legitimate concerns about functional differences occurring after applying support packs and OSS notes," he said.
Falling behind in patching is not uncommon
Because of the complexity of ERP systems and the heavy customizations many companies implement to get the functionality they need, a lot of companies fall behind on patching or miss the window before a patch is weaponized, according to Perez-Etchegoyen.
Fortunately, most mature organizations have a process to prioritize patching, which is the key to mitigating risk, Perez-Etchegoyen said. Companies need to identify their risk tolerance, what needs to be patched right now, and then resolve that risk with patching.
"The most successful thing we have seen is to put that process in place -- to start governing patch management in ERP applications," he said.