Paul Aschmann

How secure is your enterprise data?

A couple of months ago, we had an emergency meeting with our process control engineers, who were concerned by the announcement of the “Stuxnet” virus, which targeted Siemens PLCs. For those of you who don’t know what a PLC is, it’s essentially a PC used in industrial operations to control machinery on a production line, AC systems, elevators and even amusement park rides, to name a few. Unlike a regular PC with a couple of inputs (mouse, keyboard, etc.) and outputs (display), PLCs generally have hundreds of real-time input and output possibilities and often control physical objects like motors, actuators, hydraulics and solenoids. The target of the virus has not been confirmed, but after much speculation it was thought that it was targeting Iran’s nuclear power program. In a nutshell, this virus has the ability to change process parameters and possibly cause major havoc. (Imagine overriding the temperature cut-off controls in a reactor.)

Security in general has always been a priority for me, both hardware and software, but certain aspects are not always in the limelight, in this case an ERP platform. Does this make us ignorant? I hope not. We do user audits, external audits, strict quality control on custom code and a host of other quality and security related tasks to ensure that integrity and access to the system are well controlled. SQL exploits are catered for, and cameras in server rooms, firewalls and policies are in place. But the question should be … is this enough?

Let’s put into context what the general possible exploits are for a company like ours (automotive industry): code vulnerabilities, data theft, trade secrets, malicious damage, financial manipulation and a host of others which could have a crumbling effect. In our line of business we know who our competitors are, we know what products they produce and, since it’s a fairly mature product line, have a reasonably good idea of what the margins are. Even in a somewhat “exposed” industry, if you had to take our ERP’s data and give it to our competitors, we would be in serious trouble. Simply having our BOMs siphoned could lead to trade secrets being exposed, and formulations and routings could then be used to copy and reproduce the products to compete directly. Purchasing data could be used for competition between suppliers, and for a form of insider trading. All by simply “reading” the system. Let’s not even get into a malicious attack situation, where things could go pear-shaped very quickly.

SAP specifically has addressed this potential risk avenue and provided us with products like the SAP VSI Interface, but how many companies actually use it? The VSI is simply an interface and not a product, and allows companies like Symantec to produce products which have the ability to “scan” the system for potential threats and exploits. How does a virus scanner scan custom ABAP code if it has nothing to compare it to? How does the scanner know that this SQL UPDATE statement is not maliciously changing code willy-nilly? How does the scanner know that the non-standard open port on the ERP system is for legacy system integration and not for a SQL update command changing vendors’ payment addresses to somewhere in Nigeria? – Far-fetched, I know ;). Heuristic scanning can potentially pick up unknown viruses or variations of known ones based on statistical analysis, but is also fairly inaccurate when the virus utilizes unknown code. SAP recently started a “Patch Day” similar to Microsoft’s, where new patches are released on the second Tuesday of each month to combat these new threats.

Even if we do use an AV product and patch the system, what about groups such as the Stuxnet crowd, who can fly under the radar for close to a year before being detected, and are out there watching the system’s every move? Coming from an architecture background, and being a bit of a rogue spokesperson for “open architecture”, SOA, ES and various other new wave technologies, I have been made to think about the potential negative impact all this openness has created. Not only is all the openness a potential hole, but so are highly customizable systems like SAP in general. Mobile devices, which I am extremely fond of, are another potential gaping security risk. Since the recent Sybase acquisition, smartphones and mobile have been the hot topic and, moving forward, will be among the new end users of the enterprise’s data. But aside from logical attacks, don’t forget to think about the physical risks. Consider an SAP HR app running in multitasking mode on an iPhone 4, forgotten in a canteen. The screen’s blank, but after some easy investigating some pretty sensitive data is loose. What about the same situation where someone forgets a smartphone at the customer, showing our sales margins? Another great example was the early iPhone 4 debut thanks to an irresponsible Apple employee.

Getting back to more sinister aspects … past SAP-specific viruses have gotten their fair share of exposure. The last one (and only one?) I am aware of was in 2002 and went by the names SAP.VSoft.A, SAP.Willi.A and ABAP/Rivpas. This was simply a proof of concept and not even a major threat. You can read more about it in SAP Note 512595 (Login Required). I am fairly surprised that this is the only well-known and well-documented virus. Please comment if I am wrong.

So how can we prevent these types of situations? In my opinion, it’s impossible. Why? We don’t have control of the foundation-level systems which ERP platforms interact with and rely on for functionality. Think about the 49 Windows patches due to be released on Tuesday – a new record, by the way. But what we can do is ensure that we have the right (QA) experts and systems in place to mitigate as much risk as possible. We have to work as a team to be responsible architects, admins and developers when evolving and expanding our systems to meet expectations. We also need to do strict source code reviews periodically. Lastly, we need to not cave in to pressure from internal customers insisting that the data they need is a necessity without putting the right measures in place to ensure its integrity. SAP is also making an effort by providing a host of security guides (Login Required) which can be reviewed and utilized to reduce the potential risk.

In wrapping this up, we all spend a considerable amount of time giving the right data to the right people, and now in the right place. What about the potential for the wrong people in the wrong place?

      Former Member
      Hi Paul,

      Great summary... About the specific stuxnet issue, also see this forum post: Stuxnet - most sophisticated piece of malware in history? where some similar issues are discussed.

      The point you make is clear and will become more and more clear in future, since I believe that not many SAP systems are being attacked YET. However, due to openness, more connecting of SAP to the internet and more and more exploits being published on sites like milw0rm, the number of attacks will definitely rise.

      It's good to see that SAP is seriously addressing this issue, given the large growth in SAP security notes, a new white paper and the security guides. Together with a colleague I have written a white paper on the history and trends of vulnerabilities in SAP systems. When interested you can find it here:

      The recently released white paper by SAP can be found here:

      And to conclude; Yes, you are absolutely right that although there are many solutions provided by SAP through the Security Guides, my impression is also that not many customers use them due to complexity, time-constraints or perhaps costs. Too bad. I guess in many cases things must go really wrong before people take action...

      Again, a great summary and let's keep up the fight!

      Joris van de Vis

      Paul Aschmann
      Blog Post Author
      Hi Joris,

      Thanks for the additional comments, links and references. It is comforting to know companies and people like you are focusing on topics such as this and can guide the community and ecosystem.


      Former Member
      I add a link to the Stuxnet thread (threadID=1802679).

      As you said, the main problem at the moment is that there is no way to prevent directly aimed attacks on a specific customer. There is no way to patch the Siemens controllers against this kind of exploit at the moment. Similarly, ABAP code is not signed and checksummed, for example; this feature is just not implemented.

      The development cost of Stuxnet is estimated at around 100 million USD. Put that in relation to the Oracle/SAP lawsuit (where SAP stole software from Oracle) and is forced to pay 1.3 billion: (Whoaa! Jury slams SAP $1.3 billion in TomorrowNow lawsuit)

      Kind regards, Michael